From: Simon McVittie
To: oss-security@lists.openwall.com
Date: Fri, 26 Apr 2024 21:59:06 +0100
In-Reply-To: <20240426135217.a103ce0c-a775-4a49-ae2c-94dfd64f6695@korelogic.com>
Subject: Re: [oss-security] Update on the distro-backdoor-scanner effort

On Fri, 26 Apr 2024 at 14:06:16 -0600, Hank Leininger wrote:
> - Turns out serial numbers are made up and the points don't matter.
>   But still, this author appears to have _thought_ they were
>   important.

The serial number of an m4 file matters if the attacker wants their back door
to remain in place when a distro runs autoreconf -fi or similar (as many
Autoconf-built Debian packages do, for example); or, less maliciously, if the
author of a legitimate set of Autoconf macros wants their bug fixes to remain
in place when an older distro does the same.

The purpose of the serial number is so that autoreconf can upgrade bundled
macros in the `make dist` tarball to the distro version if it happens to be
newer (for example if I prepared a Flatpak release on Debian 12 but you are
building it on Arch), without downgrading to an older distro version that
might be lacking newer features or bug fixes (for example when someone else
builds that same Flatpak release on Debian 11).

If a developer of Autoconf macros is following its documentation, the serial
number should go up whenever the code changes. The observant will of course
notice that this doesn't account for the possibility of non-linear development
(macros being modified in a non-canonical location, forked, edited
collaboratively, or otherwise not having a monotonically increasing version
number) which I think is a reflection of what was and wasn't considered to be
normal when it was designed - it's very much from the "cathedral" era.

(Many projects don't follow the documentation and do make changes without
incrementing the serial number, which is a bug.)

Beyond that single purpose, yes, the serial number is made up and doesn't
matter.

    smcv
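The upgrade-only serial comparison described in the mail above, modelled as an added example (this is not code from the mail, from Autoconf/aclocal or from the distro-backdoor-scanner project). It assumes that aclocal recognises a `# serial N` comment line, that dotted serials such as `1.2` compare component-wise, and that the auditor supplies the newest serial upstream is known to have shipped; the m4 file contents are constructed samples, not real macro files. The audit function turns the mail's observation into a defender's check: a bundled macro whose serial outruns every upstream release will never be replaced by `autoreconf -fi`, so it deserves a look.

```python
"""Compare '# serial N' lines of bundled vs. system Autoconf macro files.

Added example (not code from the mail or from Autoconf): models the
upgrade-only policy the mail describes (autoreconf -fi replaces a bundled
m4 macro only when the system copy carries a higher serial) and an audit
that flags bundled macros whose serial exceeds the newest serial known
upstream. All m4 contents below are constructed samples.
"""
import re

# Assumption: aclocal looks for a comment line '# serial N' or '#serial N';
# dotted serials such as '1.2' occur and are compared component-wise.
SERIAL_RE = re.compile(r"^#\s*serial\s+(\d+(?:\.\d+)*)", re.MULTILINE)


def parse_serial(m4_text):
    """Return the macro serial as a tuple of ints, or None if there is no serial line."""
    match = SERIAL_RE.search(m4_text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def strip_serial(m4_text):
    """Drop the serial line so two copies can be compared on their body alone."""
    return SERIAL_RE.sub("", m4_text).strip()


def upgrade_decision(bundled_text, system_text):
    """Upgrade-only policy: 'upgrade' when the system copy is strictly newer,
    'keep' when the bundled copy is at least as new, 'unknown' when either
    file lacks a serial (then there is nothing to compare)."""
    bundled = parse_serial(bundled_text)
    system = parse_serial(system_text)
    if bundled is None or system is None:
        return "unknown"
    return "upgrade" if system > bundled else "keep"


def audit_bundled_macro(name, bundled_text, system_text, newest_upstream_serial):
    """Defender check: return findings for a bundled macro that (a) carries a
    serial higher than anything upstream has released, or (b) would be kept
    over the system copy even though its body differs from it."""
    findings = []
    bundled = parse_serial(bundled_text)
    if bundled is None:
        findings.append(f"{name}: no serial line, autoreconf cannot compare it")
        return findings
    if bundled > newest_upstream_serial:
        findings.append(
            f"{name}: serial {bundled} exceeds newest upstream serial {newest_upstream_serial}"
        )
    if (upgrade_decision(bundled_text, system_text) == "keep"
            and strip_serial(bundled_text) != strip_serial(system_text)):
        findings.append(f"{name}: bundled copy is kept over the system copy and its body differs")
    return findings


# Constructed sample macro files (FOO_CHECK is not a real Autoconf macro).
SYSTEM_FOO_M4 = """# serial 12 foo.m4
dnl distro-installed copy (constructed sample)
AC_DEFUN([FOO_CHECK], [AC_MSG_CHECKING([for foo])])
"""

STALE_BUNDLED_FOO_M4 = """# serial 11 foo.m4
dnl older copy shipped in a release tarball (constructed sample)
AC_DEFUN([FOO_CHECK], [AC_MSG_CHECKING([for foo (old)])])
"""

SUSPICIOUS_BUNDLED_FOO_M4 = """# serial 30 foo.m4
dnl copy whose serial outruns every upstream release (constructed sample)
AC_DEFUN([FOO_CHECK], [AC_MSG_CHECKING([for foo]) FOO_EXTRA_STEP])
"""

# Assumption: the auditor knows the newest serial upstream ever shipped.
NEWEST_UPSTREAM_SERIAL = (12,)


if __name__ == "__main__":
    for label, text in (("stale", STALE_BUNDLED_FOO_M4),
                        ("suspicious", SUSPICIOUS_BUNDLED_FOO_M4)):
        print(label, upgrade_decision(text, SYSTEM_FOO_M4),
              audit_bundled_macro("foo.m4", text, SYSTEM_FOO_M4, NEWEST_UPSTREAM_SERIAL))
```

The stale copy (serial 11) is upgraded to the system copy (serial 12) and produces no finding, which is the legitimate case the mail describes; the copy with serial 30 is kept by the upgrade-only rule and is reported twice, once for outrunning upstream and once for differing from the system copy while being kept.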