Newsgroups: php.internals
Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs
Date: Fri, 29 Mar 2024 23:17:27 -0500
Message-ID: <9008050F-4EE1-4E19-B513-654602E118A7@benramsey.com>
To: Bob Weinand
Cc: Daniil Gentili, internals@lists.php.net
From: ben@benramsey.com (Ben Ramsey)
On Mar 29, 2024, at 20:20, Bob Weinand <bobwei9@hotmail.com> wrote:
On 29.3.2024 23:31:26, Daniil Gentili wrote:
In light of the recent supply chain attack in xz/lzma, leading to a backdoor in openSSH (https://www.openwall.com/lists/oss-security/2024/03/29/4), I believe that it would be a good idea to remove the huge attack surface offered by the pre-generated autoconf build scripts and lexers, offered in the release tarballs.

In particular, the xz supply chain attack injected the exploit with a few obfuscated lines, manually added to the end of the pre-generated configure script, that was only bundled in the tarballs.

Even if the exploits themselves were committed to the repo in the form of test files, the code that actually injected the exploit in the library was not committed to the repo, and was only present in the pre-generated configure script in the tarball: this injection mode makes sense, as extra files in the tarball not present in the git repo would raise suspicions, but machine-generated configure scripts containing hundreds of thousands of lines of code not present in the upstream VCS are the norm, and are usually not checked before execution.

Specifically in the case of PHP, along with the configure script, the tarball also bundles generated lexer files which contain actual C code, which is an additional attack vector, i.e. here's the diff between the tarball of the 8.3.4 release, and the PHP-8.3.4 tag on the git repo:

```
~ $ diff -r php-8.3.4 php-src -q
Only in php-src: .git
Files php-8.3.4/NEWS and php-src/NEWS differ
Files php-8.3.4/Zend/zend.h and php-src/Zend/zend.h differ
Only in php-8.3.4/Zend: zend_ini_parser.c
Only in php-8.3.4/Zend: zend_ini_parser.h
Only in php-8.3.4/Zend: zend_ini_parser.output
Only in php-8.3.4/Zend: zend_ini_scanner.c
Only in php-8.3.4/Zend: zend_ini_scanner_defs.h
Only in php-8.3.4/Zend: zend_language_parser.c
Only in php-8.3.4/Zend: zend_language_parser.h
Only in php-8.3.4/Zend: zend_language_parser.output
Only in php-8.3.4/Zend: zend_language_scanner.c
Only in php-8.3.4/Zend: zend_language_scanner_defs.h
Only in php-8.3.4: configure
Files php-8.3.4/configure.ac and php-src/configure.ac differ
Only in php-8.3.4/ext/json: json_parser.tab.c
Only in php-8.3.4/ext/json: json_parser.tab.h
Only in php-8.3.4/ext/json: json_scanner.c
Only in php-8.3.4/ext/json: php_json_scanner_defs.h
Only in php-8.3.4/ext/pdo: pdo_sql_parser.c
Only in php-8.3.4/ext/phar: phar_path_check.c
Only in php-8.3.4/ext/standard: url_scanner_ex.c
Only in php-8.3.4/ext/standard: var_unserializer.c
Only in php-8.3.4/main: php_config.h.in
Files php-8.3.4/main/php_version.h and php-src/main/php_version.h differ
Only in php-8.3.4/pear: install-pear-nozlib.phar
Only in php-8.3.4/sapi/phpdbg: phpdbg_lexer.c
Only in php-8.3.4/sapi/phpdbg: phpdbg_parser.c
Only in php-8.3.4/sapi/phpdbg: phpdbg_parser.h
Only in php-8.3.4/sapi/phpdbg: phpdbg_parser.output
```

To prevent attacks from malevolent/compromised RMs, I propose completely removing all autogenerated files from the release tarballs, and ensuring their content exactly matches the content of the associated git tag (this means also removing the -dev prefix from the version number in main/php_version.h, Zend/zend.h, configure.ac and NEWS in the git tag).

Of course this means that users will have to generate the build scripts when compiling PHP, as when installing PHP from the VCS repo.

I'm sending a copy of this email to security@php.net as well.

Hey Daniil,

You can also have a public CI (i.e. a github action) generate the artifacts, along with hash computation.
It should be a github action which runs on tags. This makes it fully verifiable; i.e. the code for the generation of action, including the hash. Anyone who wants can trivially trace this back.

There's nothing in the tarballs which cannot be trivially automated and made verifiable.

I don't think providing pre-generated files is fundamentally flawed; the primary lacking thing is verifiability, which is also what enabled the xz backdoor.

Bob


This is also why our release managers sign the tarballs with their own GPG keys, after generating the artifacts. This verifies the release manager was the one who generated the files.

Cheers,
Ben
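The tarball-versus-tag comparison that Daniil ran above, automated so that tarball-only files are split into the artifacts a release is expected to generate and anything else that needs a human look. This is an added example, not code from php-src or from anyone in the thread; the allowlist is a subset of the diff listing above, the fixture trees are constructed, and `build/extra-helper.m4` is a made-up stand-in for an unexpected file.

```python
import filecmp
import tempfile
from pathlib import Path

# Files the 8.3.4 tarball is expected to add on top of the git tag (a subset of
# the diff listing in the thread; extend it with the rest of that output).
EXPECTED_GENERATED = {
    "configure", "main/php_config.h.in",
    "Zend/zend_language_scanner.c", "Zend/zend_language_parser.c",
    "ext/json/json_parser.tab.c", "pear/install-pear-nozlib.phar",
}

def _files(root: Path, ignore: set[str]) -> set[str]:
    """Relative POSIX paths of all regular files under root, skipping ignored dirs."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*")
            if p.is_file() and not set(p.relative_to(root).parts[:-1]) & ignore}

def compare_release(tarball_dir, repo_dir, expected=EXPECTED_GENERATED,
                    ignore=frozenset({".git"})) -> dict:
    """Same information as `diff -r tarball repo -q`, but tarball-only files are
    split into the generated artifacts we expect and everything else."""
    tarball_dir, repo_dir = Path(tarball_dir), Path(repo_dir)
    in_tar, in_repo = _files(tarball_dir, set(ignore)), _files(repo_dir, set(ignore))
    only_tar = in_tar - in_repo
    return {
        "expected_generated": sorted(only_tar & expected),
        "unexpected_in_tarball": sorted(only_tar - expected),   # review these first
        "only_in_repo": sorted(in_repo - in_tar),
        "differ": sorted(f for f in in_tar & in_repo
                         if not filecmp.cmp(tarball_dir / f, repo_dir / f, shallow=False)),
    }

def build_sample_trees(base: Path) -> tuple[Path, Path]:
    """Constructed fixture standing in for an unpacked tarball and a tag checkout."""
    tar, repo = base / "php-8.3.4", base / "php-src"
    files = {
        tar / "configure": "#!/bin/sh\n",
        tar / "Zend/zend_language_scanner.c": "/* generated by re2c */\n",
        tar / "Zend/zend.h": '#define PHP_VERSION "8.3.4"\n',
        repo / "Zend/zend.h": '#define PHP_VERSION "8.3.4-dev"\n',
        tar / "build/extra-helper.m4": "dnl not in the tag\n",  # hypothetical extra
        tar / "README.md": "PHP\n", repo / "README.md": "PHP\n",
        repo / ".git/HEAD": "ref: refs/heads/master\n",
    }
    for path, text in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return tar, repo

def demo() -> dict:
    """Run the comparison on the constructed fixture in a fresh temp dir."""
    return compare_release(*build_sample_trees(Path(tempfile.mkdtemp())))

if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```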
