Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:122836 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 7568E1A009C for ; Sun, 31 Mar 2024 15:36:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1711899442; bh=lNjWO1PREe4SiYetVrj3BPnhIK3AoG5sU8WlUB7+kGg=; h=Date:Subject:To:References:From:In-Reply-To:From; b=IrMzyXsdINp0QZPzjI/zGyk+T67VKeDAofb/azcEPIaKArECQXApwZiYH3Fg/i30p 7rNIZsAVBB1IVq15pszW8V9M4OFwFfokv8hgseYkDScyHs+0hL7fuXf135b6LYPQU4 JafxllNW0gcZ7DaTf6RswdX5v7AAy6wv3I6R6AoEtWBDxTodCArK8OBbUWQbZU46mc JdROOGg0im4FGPKl4YMPr9h6RDgbrU1J721tQNCdeALijyshtz7S0ZuxLbsqT3BS21 9zR4j4otBabTXzL1tk4cT4AuZBnsqvYsy7LgrOs32zhSJsnWt5OaOglN/WwGRz7Af2 Eu9c2adW6/euA== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id F05F3180078 for ; Sun, 31 Mar 2024 15:37:20 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_MISSING,HTML_MESSAGE, RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from fhigh1-smtp.messagingengine.com (fhigh1-smtp.messagingengine.com [103.168.172.152]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sun, 31 Mar 2024 15:37:20 +0000 (UTC) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailfhigh.nyi.internal (Postfix) with ESMTP id D443911400A1 for ; Sun, 31 Mar 2024 11:36:52 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Sun, 31 Mar 2024 11:36:52 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rwec.co.uk; h=cc :content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm2; t=1711899412; x=1711985812; bh=rR+4ELLH0O RV21bg7TAS4iF4coZ/5uSO4r3wmCS0fAk=; b=gYouaripE/Y3JuWeh6py1X9QjQ SbRElnLo7vJZ87NymBZBzK8joxn+teKOLcDPuLFwGAJjfvFhNhnDlBy6bcccDdwM aTtQdRGhPZbUIp0nKhj00tog/O+0xpMmhwVvIHXYIL7n9j7BhCYCfs0NxzW1VDBk iky5Bkxj8ObgcGj3WjxUoyjhY6eK49R4oqjk93QOxFL8Uc5vClEgQ3K8HNmlh13I HuLgMdALxNVreYnWaYkAio2/k5kwncceRyqaiTOZ3xp+Jwonb+Y5fo2F6N8cTxJs HZ4JHSSu0uNZ73MyqSVwGqkWs2LBLMM54UPF/6WYYNyGu6fnf0g6K1bBSkIg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1711899412; x=1711985812; bh=rR+4ELLH0ORV21bg7TAS4iF4coZ/ 5uSO4r3wmCS0fAk=; b=XsFbghf5LPT7UYDZf6ryP8bw1eHzbGGf8oVijxcwZzJj 9bD7VrAWZhVrgAFe63VTBQ3B3MtncILlGewPrQtUcUGDPQCfE3CHFnIEsFbG+VVz 9fnZm91DJM4lFqD5uEEXimtp7qmrWWNP4j0qoEkuLqfBVIi28P75r/43T/L7nyBJ AflC0BDAf+PRE1rANCAcZaKcuvliTodt6WgU3DyUD30gXUSQZksWGZese1I3tHDE UHQxDA4IfBsRslQodq9k8Ew9UH8bLl2J30+Ya9B55sao6SR3akhrJcssLOvAm5zr WP6S/JLBr5hM0zx57Iz0dm98gSNY2nsP8KzmQOHShQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledruddvkedgieekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpegtkfffgggfuffvfhfhjgesrgdtre ertddvjeenucfhrhhomhepfdftohifrghnucfvohhmmhhinhhsucglkffoufhorfgnfdcu oehimhhsohhprdhphhhpsehrfigvtgdrtghordhukheqnecuggftrfgrthhtvghrnhephe etleeiiefgueduieeuieffvdevheduueefkeejuefgffeftdeitdegtedtleetnecuvehl uhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepihhmshhophdrph hhphesrhifvggtrdgtohdruhhk X-ME-Proxy: Feedback-ID: id5114917:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA for ; Sun, 31 Mar 2024 11:36:52 -0400 (EDT) Content-Type: multipart/alternative; boundary="------------l609mjJj6emCHXKDaC2VU6di" Message-ID: <972440f6-64b3-488e-be75-367532ba9d87@rwec.co.uk> Date: Sun, 31 Mar 2024 16:36:48 +0100 Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs To: internals@lists.php.net References: <9008050F-4EE1-4E19-B513-654602E118A7@benramsey.com> <3d90e236-49d8-4f80-a6dd-3584267a83e3@php.net> <586c3320-b38b-47bb-9c06-6762f1eb242b@gmail.com> <1c7bcd0e-4e32-480f-acd2-2c8eb049bde2@gmail.com> <3E13B046-FE40-48D7-AAF0-13362B12C438@cschneid.com> Content-Language: en-GB In-Reply-To: <3E13B046-FE40-48D7-AAF0-13362B12C438@cschneid.com> From: imsop.php@rwec.co.uk ("Rowan Tommins [IMSoP]") This is a multi-part message in MIME format. --------------l609mjJj6emCHXKDaC2VU6di Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 31/03/2024 14:53, Christian Schneider wrote: > But my main question is: I fail to see the difference whether I plant my > malicious code in configure, configure.ac or *.c: Someone has to review > the changes and notice the problem. And we have to trust the RMs. What > am I missing? As I understand it, the attack being discussed involved*code that was never committed to version control*. The bulk of the payload was committed in fake binary test artifacts, which are unlikely to be inspected but harmless by themselves; but the trigger to incorporate it into the binary was added*manually* in between the automated build and producing the signed release archive. So the theory is that if there's no human involved in that process, there is no way for a human to introduce a malicious change at that step. An exploit would need to be introduced somewhere in version controlled, human-readable, code; giving extra chances for it to be detected. On 30/03/2024 18:24, Jakub Zelenka wrote: > Do you think it would be different if the change happened in the > distributed source file instead? I mean you could still modify tarball > of the distributed file (e.g. hide somewhere in configure.ac or in our > case more easily in less visible files like various Makefile.frag and > similar). The only thing that you get by using just VCS files is that > people could hash the distributed content of the files and compare it > with the hash of the VCS files but does anyone do this sort of > verification? We already use a version control system built entirely on comparing hashes of source files. So given a signed tarball that claimed to match the content of a signed tag, any user can trivially check out the tag, expand the tarball, and run "git diff" to detect any anomalies. The question of who would do that in practice is a valid one, and something that I'm sure has been discussed elsewhere regarding reproducible binary builds. On 30/03/2024 15:35, Daniil Gentili wrote: > Btw, I do not believe that "it would require end users to install > autotools and bison in order to compile PHP from tarballs" is valid > reason to delay the patching of a serious attack vector ASAP. As is always the case, there is a trade-off between security and convenience - in this case, distributing something that's usable without large amounts of extra tooling (including, for some generated files, a copy of PHP itself), vs distributing something that is 100% reviewable by humans. Ultimately, 99.999% of users are not going to compile their own copy of PHP from source; they are going to trust some chain of providers to take the source, perform all the necessary build steps, and produce a binary. Removing generated files from the tarballs doesn't eliminate that need for trust, it just shifts more of it to organisations like Debian and RedHat; and maybe that's a valid aim, because those organisations have more resources than us to build appropriate processes. Making things reproducible aims to attack the same problem from a different angle: rather than placing more trust in one part of the chain, it allows multiple parallel chains, which should all give the same result. If builds from different sources start showing unexplained differences, it can be flagged automatically. Regards, -- Rowan Tommins [IMSoP] --------------l609mjJj6emCHXKDaC2VU6di Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit
On 31/03/2024 14:53, Christian Schneider wrote:
But my main question is: I fail to see the difference whether I plant my
 malicious code in configure, configure.ac or *.c: Someone has to review
 the changes and notice the problem. And we have to trust the RMs. What 
am I missing?


As I understand it, the attack being discussed involved *code that was never committed to version control*. The bulk of the payload was committed in fake binary test artifacts, which are unlikely to be inspected but harmless by themselves; but the trigger to incorporate it into the binary was added *manually* in between the automated build and producing the signed release archive.

So the theory is that if there's no human involved in that process, there is no way for a human to introduce a malicious change at that step. An exploit would need to be introduced somewhere in version controlled, human-readable, code; giving extra chances for it to be detected.
On 30/03/2024 18:24, Jakub Zelenka wrote:
Do you think it would be different if the change happened in the distributed source file instead? I mean you could still modify tarball of the distributed file (e.g. hide somewhere in configure.ac or in our case more easily in less visible files like various Makefile.frag and similar). The only thing that you get by using just VCS files is that people could hash the distributed content of the files and compare it with the hash of the VCS files but does anyone do this sort of verification?


We already use a version control system built entirely on comparing hashes of source files. So given a signed tarball that claimed to match the content of a signed tag, any user can trivially check out the tag, expand the tarball, and run "git diff" to detect any anomalies.

The question of who would do that in practice is a valid one, and something that I'm sure has been discussed elsewhere regarding reproducible binary builds.
On 30/03/2024 15:35, Daniil Gentili wrote:
Btw, I do not believe that "it would require end users to install autotools and bison in order to compile PHP from tarballs" is valid reason to delay the patching of a serious attack vector ASAP.


As is always the case, there is a trade-off between security and convenience - in this case, distributing something that's usable without large amounts of extra tooling (including, for some generated files, a copy of PHP itself), vs distributing something that is 100% reviewable by humans.

Ultimately, 99.999% of users are not going to compile their own copy of PHP from source; they are going to trust some chain of providers to take the source, perform all the necessary build steps, and produce a binary. Removing generated files from the tarballs doesn't eliminate that need for trust, it just shifts more of it to organisations like Debian and RedHat; and maybe that's a valid aim, because those organisations have more resources than us to build appropriate processes.

Making things reproducible aims to attack the same problem from a different angle: rather than placing more trust in one part of the chain, it allows multiple parallel chains, which should all give the same result. If builds from different sources start showing unexplained differences, it can be flagged automatically.


Regards,


-- 
Rowan Tommins
[IMSoP]
--------------l609mjJj6emCHXKDaC2VU6di--