Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <ZiwVmhV2muRhsAfy@remnant.pseudorandom.co.uk>
Date: Fri, 26 Apr 2024 21:59:06 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Update on the distro-backdoor-scanner effort

On Fri, 26 Apr 2024 at 14:06:16 -0600, Hank Leininger wrote:
>   - Turns out serial numbers are made up and the points don't matter.
>     But still, this author appears to have _thought_ they were
>     important.

The serial number of a m4 file matters if the attacker wants their back
door to remain in place when a distro runs autoreconf -fi or similar
(as many Autoconf-built Debian packages do, for example); or, less
maliciously, if the author of a legitimate set of Autoconf macros wants
their bug fixes to remain in place when an older distro does the same.

The purpose of the serial number is so that autoreconf can upgrade bundled
macros in the `make dist` tarball to the distro version if it happens
to be newer (for example if I prepared a Flatpak release on Debian 12
but you are building it on Arch), without downgrading to an older distro
version that might be lacking newer features or bug fixes (for example
when someone else builds that same Flatpak release on Debian 11).

If a developer of Autoconf macros is following its documentation, the
serial number should go up whenever the code changes. The observant
will of course notice that this doesn't account for the possibility of
non-linear development (macros being modified in a non-canonical location,
forked, edited collaboratively, or otherwise not having a monotonically
increasing version number) which I think is a reflection of what was
and wasn't considered to be normal when it was designed - it's very much
from the "cathedral" era.

(Many projects don't follow the documentation and do make changes without
incrementing the serial number, which is a bug.)

Beyond that single purpose, yes, the serial number is made up and doesn't
matter.

    smcv

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.