Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

[Francois-Xavier Le Bail via tcpdump-workers <tcpdump-workers () lists tcpdump org>]

> --- Begin Message ---
>
>
> From: Francois-Xavier Le Bail <devel.fx.lebail () orange fr>
>
> Date: Tue, 2 Apr 2024 14:06:28 +0200
>
> On 01/04/2024 20:18, Guy Harris wrote:
> > On Apr 1, 2024, at 6:53 AM, Michael Richardson <mcr () sandelman ca> wrote:
> >
> > > I wonder if we should nuke our own make tarball system.
> >
> > I.e., replace:
> >
> >       to get {libpcap,tcpdump,tcpslice} version X.Y.Z, download 
> > {libpcap,tcpdump,tcpslice}-X.Y.Z.tar.{compression-suffix}
> >
> > with
> >
> >       to get {libpcap,tcpdump,tcpslice} version X.Y.Z, do
> >
> >               git clone {repository}
> >
> >       and then check out Git tag {libpcap,tcpdump,tcpslice}-X.Y.Z?
> >
> > If so, do we
> >
> >       1) require people to have autotools installed and run ./autogen.sh
> >
> > or
> >
> >       2) generate the configure scripts on some standard platform and check it in
> >
> > so that they have a configure script?  Or is there some other way to arrange that people can get the configure 
> > scripts?
>
> Even if we keep the tarball archive, we could have a host compromise (bad autoconf, etc.) and if the "configure" script 
> is generated on it, we risk to open a door to an attack.
>
> Thus, don't deliver "configure" in the tarball and ask to run "./autogen.sh" with autotools installed.
>
>
> --- End Message ---
_______________________________________________
tcpdump-workers mailing list -- tcpdump-workers () lists tcpdump org
To unsubscribe send an email to tcpdump-workers-leave () lists tcpdump org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s