Re: Following up on: Three steps we could take to make supply chain attacks a bit harder

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

tl;dr: Quick update, and one question: Are there other packages that should be monitored? 



On 2024-06-24 9:03 PM, Gordon Messmer wrote:
(As a topic for later: the tirpc library exports functions with the same name as functions that appear in libc, so the behavior of erroring on duplicate symbols needs to be rationalized.  Maybe an exemption for libtirpc.so?  Are there other libraries that do this?)
For now, I've added a list of symbols have have been found in multiple libraries in services that I've checked.  There are some symbols defined in libc and libm, and in libc and libtirpc, and in libsasl2 and some of its related libraries.  There's probably a better implementation than this...
I have a proof-of-concept test implemented for the openssh package, in this pull request: https://src.fedoraproject.org/rpms/openssh/pull-request/73
Over the weekend, I opened a series of PRs for other services that are probably frequently exposed to the public: sendmail, exim, postfix, cyrus-imapd, haproxy, nginx, and httpd.  These are lower-value targets than sshd, since they don't run as root and may be run in a restricted SELinux domain, but I tend to think that anything that provides an authentication backend or listens for public connections should be checked.  I'll work on 389-ds and the krb5 packages later...  Any other packages that might be worth monitoring? 



The current implementation compares the result to an expected result.
I've simplified the test script.  It now simply does a check for a string that indicates that symbols in libc were scanned, and then reports any errors that appear in the output.
The proof-of-concept only audits symbols in the binary, but shared objects have their own set of dynamic symbols loaded from shared libraries.
Since the test is only looking for errors, it now audits all dynamic symbols, in the binary and in shared libraries. 


--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux