On Sat, Mar 30, 2024 at 04:50:26PM -0400, Robert Haas wrote:
> On Fri, Mar 29, 2024 at 7:00 PM Andres Freund <and...@anarazel.de> wrote:
> > I am doubtful that every committer would find something sneaky hidden in
> > e.g. one of the test changes in a large commit. It's not too hard to hide
> > something sneaky. In comparison to that, hiding something in configure.ac
> > seems less likely to succeed IMO, that imo tends to be more scrutinized.
> > And hiding just in configure directly wouldn't get you far, it'd just get
> > removed when the committer or some other committer at a later time
> > regenerates configure.
>
> I agree with this. If I were trying to get away with a malicious
> commit, I'd look for files that other people would be unlikely to
> examine closely, or would have difficulty examining closely. Test data
> or test scripts seem like great possibilities. And I also would like
> it to be part of some relatively large commit that is annoying to read
> through visually. We don't have a lot of binary format files in the
> tree, which is good, but there's probably some things like Unicode
> tables and ECPG expected output files that very, very few people ever
> actually examine. If we had a file in the tree that looked, based on
> the name, like an expected output file for a test, but there was no
> corresponding test, how many of us would notice that? How many of us
> would scrutinize it? Imagine hiding something bad in the middle of
> that file somewhere.
So, in this case, the hooks were in 'configure', but not configure.ac,
and the exploit was in a test file which was in the tarball but _not_ in
the git tree. So, they used the obfuscation of 'configure's syntax, and
the lack of git oversight by not putting the test files in the git tree.

-- 
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.
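The gap Bruce describes, files present in the release tarball that no git commit ever carried, is something a release consumer can check mechanically. As an added example, not part of this thread or of any project's tooling, a POSIX sh check that lists tarball-only paths; the package name, file names and the tracked-file list are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list files that a release tarball ships
# but the project's git tree does not track, i.e. content that never went
# through commit review. The tarball layout (single top-level directory) and
# all file names below are constructed for illustration.
set -eu

# tarball_only TARBALL TRACKED_LIST
#   TARBALL       release archive with one top-level "pkg-x.y/" directory
#   TRACKED_LIST  one path per line, as produced by 'git ls-files' in the
#                 checkout of the tagged release
# Prints, sorted and one per line, paths present in TARBALL but not tracked.
# A generated 'configure' is expected here; the follow-up is to regenerate it
# from configure.ac with autoreconf and diff the two (not done by this script).
tarball_only() {
    tarball=$1
    tracked=$2
    tmp=$(mktemp -d)
    # Drop the leading directory so paths match git's relative form, skip
    # directory entries (trailing slash) and the empty top-level remainder.
    tar -tf "$tarball" | sed 's,^[^/]*/,,' | grep -v '/$' | grep -v '^$' \
        | sort -u > "$tmp/tar.lst"
    sort -u "$tracked" > "$tmp/git.lst"
    comm -23 "$tmp/tar.lst" "$tmp/git.lst"
    rm -rf "$tmp"
}

# demo: build a constructed tarball and tracked list, then run the check.
# tests/fixture.bin stands in for a test data file shipped only in the tarball.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/pkg-1.0/tests"
    : > "$work/pkg-1.0/configure.ac"
    : > "$work/pkg-1.0/configure"
    : > "$work/pkg-1.0/tests/run.sh"
    : > "$work/pkg-1.0/tests/fixture.bin"
    printf '%s\n' configure.ac tests/run.sh > "$work/tracked.lst"
    (cd "$work" && tar -cf release.tar pkg-1.0)
    tarball_only "$work/release.tar" "$work/tracked.lst"
    rm -rf "$work"
}

demo
```

Run against a real release, feed it the tarball and the output of `git ls-files` at the release tag; anything printed besides the generated autotools outputs deserves a close look.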