URL: <https://savannah.gnu.org/support/?111048>
Summary: Add a syntax check to code snippets
Group: Autoconf
Submitter: None
Submitted: Fri 05 Apr 2024 07:44:13 AM UTC
Priority: 5 - Unprioritized
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email: fbau...@amadeus.com
Open/Closed: Open
Discussion Lock: Any
Operating System: GNU/Linux

_______________________________________________________

Follow-up Comments:

-------------------------------------------------------
Date: Fri 05 Apr 2024 07:44:13 AM UTC By: Anonymous

Hello,

As you may know, an attack related to XZ Utils (lzma) has been discovered:
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

The malicious account has disabled a feature by sneakily forging always-failing code. This has been done by introducing a syntax error in a CMake file (a dot at the beginning of a line):
https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2bbb81307644efdb58db2c422d9ba7

So the CMake project is considering adding a preliminary syntax check (with a verbose error message) in addition to the full check (which fails rather silently), so that such disabling does not go unnoticed:
https://gitlab.kitware.com/cmake/cmake/-/issues/25846

This makes me think that Autoconf does compilation checks similar to those of CMake, and therefore an attacker could similarly, sneakily disable a feature.

Should Autoconf similarly add a syntax check? I'm leaving this open question to the community.

Thanks!

Best regards
Fabrice

_______________________________________________________

Reply to this item at:
<https://savannah.gnu.org/support/?111048>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
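
An added example, not part of the ticket and not Autoconf code: one way to surface the failure mode described above from the build side is to scan `config.log` for probes that answered "no" because the test program failed to parse, rather than because the feature was absent. The log excerpt is constructed, and the function name and the diagnostic patterns are assumptions made for this example.

```python
import re

# Constructed config.log excerpt (not from a real build): the first probe fails
# because a header is missing, the second because the test program does not parse.
SAMPLE_LOG = """\
configure:4100: checking for foo.h
configure:4100: gcc -c -g -O2 conftest.c >&5
conftest.c:12:10: fatal error: foo.h: No such file or directory
configure:4100: $? = 1
configure:4100: result: no
configure:4200: checking for sandbox support
configure:4200: gcc -c -g -O2 conftest.c >&5
conftest.c:15:1: error: expected identifier or '(' before '.' token
configure:4200: $? = 1
configure: failed program was:
| #include <sys/prctl.h>
| .
| int main (void) { return 0; }
configure:4200: result: no
"""

CHECKING = re.compile(r"^configure:\d+: checking (.*)$")
RESULT = re.compile(r"^configure:\d+: result: (.*)$")
DIAG = re.compile(r"^conftest\.\w+:\d+(?::\d+)?: (?:fatal )?error: (.*)$")
# Heuristic (assumption): wording typical of parse errors; a hit means "review this probe".
PARSE_HINT = re.compile(r"^expected |^stray |^unterminated |syntax error")

def suspicious_probes(log_text):
    """Return (probe, diagnostic) pairs for 'no' results caused by a parse-like error."""
    findings, probe, diags = [], None, []
    for line in log_text.splitlines():
        m = CHECKING.match(line)
        if m:  # a new probe starts: forget diagnostics from the previous one
            probe, diags = m.group(1), []
            continue
        m = DIAG.match(line)
        if m and probe is not None:
            diags.append(m.group(1))
            continue
        m = RESULT.match(line)
        if m and probe is not None:
            if m.group(1).strip() == "no":
                findings += [(probe, d) for d in diags if PARSE_HINT.search(d)]
            probe = None
    return findings

if __name__ == "__main__":
    print(suspicious_probes(SAMPLE_LOG))
```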