URL:
<https://savannah.gnu.org/support/?111048>
Summary: Add a syntax check to code snippets
Group: Autoconf
Submitter: None
Submitted: Fri 05 Apr 2024 07:44:13 AM UTC
Priority: 5 - Unprioritized
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email: [email protected]
Open/Closed: Open
Discussion Lock: Any
Operating System: GNU/Linux
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Fri 05 Apr 2024 07:44:13 AM UTC By: Anonymous
Hello,
As you may know, an attack related to XZ Utils (lzma) has been
discovered:
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
The malicious account has disabled a feature by sneakily forging
always-failing code. This has been done by introducing a syntax error
in a CMake file (a dot at the beginning of a line):
https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2bbb81307644efdb58db2c422d9ba7
So the CMake project is considering adding a preliminary syntax check
(with a verbose error message) in addition to the full check (which
fails rather silently), so that such disabling does not go unnoticed:
https://gitlab.kitware.com/cmake/cmake/-/issues/25846
This makes me think that Autoconf does compilation checks similar to
those of CMake, and therefore an attacker could similarly, sneakily
disable a feature.
Should Autoconf similarly add a syntax check? I'm leaving this open
question to the community.
Thanks!
Best regards
Fabrice
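
Added example, not part of the original report and not Autoconf code: one way to notice a silently disabled check after the fact is to scan config.log for tests that failed because the snippet did not parse, rather than because a header or symbol was missing. The log excerpt, the check names and the list of "parse error" phrases are constructed assumptions; the matching is a heuristic over GCC/Clang diagnostic wording.

```python
import re

# Constructed config.log excerpt (not from a real build): two failed checks.
SAMPLE_LOG = """\
configure:3101: checking for example_sandbox support
configure:3117: gcc -c -g -O2  conftest.c >&5
conftest.c:24:1: error: expected identifier or '(' before '.' token
configure:3117: $? = 1
configure:3125: result: no
configure:3140: checking for example_missing.h
configure:3140: gcc -c -g -O2  conftest.c >&5
conftest.c:30:10: fatal error: example_missing.h: No such file or directory
configure:3140: $? = 1
configure:3140: result: no
configure:3160: checking for stdlib.h
configure:3160: gcc -c -g -O2  conftest.c >&5
configure:3160: $? = 0
configure:3160: result: yes
"""

CHECKING = re.compile(r"^configure:\d+: checking (?:for |whether )?(.*)$")
RESULT = re.compile(r"^configure:\d+: result: (.*)$")
DIAG = re.compile(r"^conftest\.\w+:\d+:(?:\d+:)? (?:fatal )?error: (.*)$")
# Heuristic (assumption): GCC/Clang wording typical of parse errors, as opposed
# to a missing header or undeclared symbol, which a genuine "no" would produce.
PARSE_ERROR = re.compile(r"^expected |^stray |^unterminated |^missing terminating ")


def suspicious_checks(log_text):
    """Return [(check name, diagnostic)] for failed checks whose snippet did not parse."""
    findings, name, diags = [], None, []
    for line in log_text.splitlines():
        if m := CHECKING.match(line):
            name, diags = m.group(1), []          # a new check starts here
        elif m := DIAG.match(line):
            diags.append(m.group(1))              # compiler error for the current check
        elif (m := RESULT.match(line)) and name is not None:
            if m.group(1).strip() != "yes":
                findings += [(name, d) for d in diags if PARSE_ERROR.search(d)]
            name, diags = None, []
    return findings


if __name__ == "__main__":
    for check, diag in suspicious_checks(SAMPLE_LOG):
        print(f"check '{check}' failed on a parse error: {diag}")
```

Findings are leads for review, not verdicts: some configure tests are written to fail compilation on purpose, and diagnostic wording differs between compilers and versions.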