On Sat, Mar 30, 2024 at 08:22:06PM +0900, Dominique Martinet wrote:
the initial injection (original: https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-host....).
(Honestly I did compare the backdoored script and the real one this morning and I would be hard pressed to say if either is backdoored just looking at either version... Admitedly it was 3AM when I looked at it, but I don't think it's just a late hour problem)
Right! Definitely not a 3am problem :-/
(3) We should have a "security path", like "critical path".
...
Before making each of these safer we should make sshd not link with so many things in the first place. On oss-security, Solar Designer made a lot of good points about it (around here: https://www.openwall.com/lists/oss-security/2024/03/29/27 , but the full thread is interesting)
Agreed.
Rich.