tech-toolchain archive


Re: Compiling NetBSD mtree in-tree with meson.build



> From: PHO <pho%cielonegro.org@localhost>
> Date: Thu, 16 Jan 2025 14:06:48 +0900
> 
> This is how the XZ backdoor went unnoticed: a part of the malicious
> code was hidden in the generated "configure" script while its
> source, configure.ac, was left unmodified.

This is incorrect.  The malicious entry point was in the source code
to an autoconf module called build-to-host.m4.  If you ran
`autoreconf' to regenerate configure from source code, the malicious
entry point would remain.

This malicious source code was only present in the distribution
tarball, not in the git repository.  That attack vector can't be
addressed by switching from autoconf to meson or whatever.

Reference:
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
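One defensive check that follows from the point above, added here as an example that is not part of the thread and not code from NetBSD or the xz project: before trusting a release tarball, list and hash every file in it and compare that against the tree you would get from the repository (for instance `git archive` output), so anything that exists only in the tarball, such as an extra .m4 file, is surfaced for review. The project layout and file contents below are constructed for the demo; the path m4/build-to-host.m4 is used only because the message names that file.

```python
"""Compare a release tarball against a checked-out source tree.

Added example (not the thread's or any project's code). Paths that exist
only in the tarball are the ones to scrutinise: a generated `configure`
is expected there, an .m4 macro file that the repository never held is not.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_manifest(path: str) -> dict:
    """Map each regular file in the tarball to its SHA-256.

    The leading 'name-version/' directory that release tarballs carry is
    stripped so paths line up with a checked-out tree.
    """
    manifest = {}
    with tarfile.open(path, "r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            manifest[rel] = _sha256(tf.extractfile(member).read())
    return manifest


def tree_manifest(root: str) -> dict:
    """Map each regular file under root (ignoring .git) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                manifest[rel] = _sha256(f.read())
    return manifest


def compare_manifests(tarball: dict, tree: dict) -> dict:
    """Classify paths as tarball-only, tree-only, or present in both but different."""
    common = set(tarball) & set(tree)
    return {
        "only_in_tarball": sorted(set(tarball) - set(tree)),
        "only_in_tree": sorted(set(tree) - set(tarball)),
        "modified": sorted(p for p in common if tarball[p] != tree[p]),
    }


# Constructed sample data: what the repository holds vs. what the tarball ships.
TREE_FILES = {
    "configure.ac": b"AC_INIT([demo], [1.0])\nAC_OUTPUT\n",
    "README": b"demo project\n",
    "m4/ax_check.m4": b"dnl harmless macro (constructed)\n",
}
TARBALL_FILES = dict(TREE_FILES)
TARBALL_FILES["README"] = b"demo project (release)\n"                   # edited at release time
TARBALL_FILES["configure"] = b"#! /bin/sh\n# generated by autoconf\n"     # expected generated file
TARBALL_FILES["m4/build-to-host.m4"] = b"dnl only in the tarball\n"       # never committed to git


def write_demo(workdir: str):
    """Materialise the sample tree and tarball under workdir; return their paths."""
    tree = os.path.join(workdir, "tree")
    for rel, data in TREE_FILES.items():
        full = os.path.join(tree, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    tar_path = os.path.join(workdir, "demo-1.0.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tf:
        for rel, data in TARBALL_FILES.items():
            info = tarfile.TarInfo("demo-1.0/" + rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return tar_path, tree


def run_demo() -> dict:
    """Build the sample inputs in a temporary directory and return the comparison."""
    with tempfile.TemporaryDirectory() as workdir:
        tar_path, tree = write_demo(workdir)
        return compare_manifests(tarball_manifest(tar_path), tree_manifest(tree))


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}:")
        for p in paths:
            print("   ", p)
```

Against a real release you would call `tarball_manifest()` on the downloaded archive and `tree_manifest()` on a directory produced by `git archive` for the tagged commit, then read the `only_in_tarball` and `modified` lists by hand: the script cannot tell a legitimately generated `configure` from an unwanted addition, it only makes sure nothing in the tarball escapes the reviewer's attention.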

