Re: Security lessons from liblzma
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Andres Freund <andres@anarazel.de>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2024-03-30T23:22:28Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Introduce a non-recursive JSON parser
- 3311ea86edc7 17.0 cited
On Sat, Mar 30, 2024 at 04:50:26PM -0400, Robert Haas wrote: > On Fri, Mar 29, 2024 at 7:00 PM Andres Freund <andres@anarazel.de> wrote: > > I am doubtful that every committer would find something sneaky hidden in > > e.g. one of the test changes in a large commit. It's not too hard to hide > > something sneaky. I comparison to that hiding something in configure.ac seems > > less likely to succeed IMO, that imo tends to be more scrutinized. And hiding > > just in configure directly wouldn't get you far, it'd just get removed when > > the committer or some other committer at a later time, regenerates configure. > > I agree with this. If I were trying to get away with a malicious > commit, I'd look for files that other people would be unlikely to > examine closely, or would have difficulty examining closely. Test data > or test scripts seem like great possibilities. And I also would like > it to be part of some relatively large commit that is annoying to read > through visually. We don't have a lot of binary format files in the > tree, which is good, but there's probably some things like Unicode > tables and ECPG expected output files that very, very few people ever > actually examine. If we had a file in the tree that looked based on > the name like an expected output file for a test, but there was no > corresponding test, how many of us would notice that? How many of us > would scrutinize it? Imagine hiding something bad in the middle of > that file somewhere. So, in this case, the hooks were in 'configure', but not configure.ac, and the exploit was in a test file which was in the tarball but _not_ in the git tree. So, they used the obfuscation of 'configure's syntax, and the lack of git oversight by not putting the test files in the git tree. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Only you can decide what is important to you.