On Apr 09 2024, anderson.jonath...@gmail.com wrote:

> - This xz backdoor injection unpacked attacker-controlled files and ran them 
> during `configure`. Newer build systems implement a build abstraction (aka 
> DSL) that acts similar to a sandbox and enforces rules (e.g. the only code 
> run during `meson setup` is from `meson.build` files and CMake). Generally 
> speaking the only way to disobey those rules is via an "escape" command (e.g. 
> `run_command()`) of which there are few. This reduces the task of auditing 
> the build scripts for sandbox-breaking malicious intent significantly, only 
> the "escapes" need investigation and they should(tm) be rare for
> well-behaved projects.

Just like you can put your backdoor in *.m4 files, you can put them in
*.cmake files.

-- 
Andreas Schwab, sch...@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."
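
Added example, not part of either message above: a small Python audit helper that lists the "escape" calls in `meson.build`, `CMakeLists.txt` and `*.cmake` files so each one can be reviewed by hand, covering the `*.cmake` modules the reply points to. The command lists are an assumed starting set rather than a complete inventory, and the sample files are constructed.

```python
import os
import re

# Assumed starting set of commands that can run external programs; extend as needed.
MESON_ESCAPES = ("run_command", "custom_target", "run_target", "generator",
                 "add_install_script", "add_postconf_script", "add_dist_script")
CMAKE_ESCAPES = ("execute_process", "exec_program", "add_custom_command",
                 "add_custom_target", "try_run", "cmake_language")

def _pattern(names, flags=0):
    return re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(names) + r")\s*\(", flags)

MESON_RE = _pattern(MESON_ESCAPES)                 # Meson names are case-sensitive
CMAKE_RE = _pattern(CMAKE_ESCAPES, re.IGNORECASE)  # CMake command names are not

def find_escapes(filename, text):
    """Return [(line_number, command)] for every escape call in one build file."""
    base = os.path.basename(filename)
    if base == "meson.build":
        regex = MESON_RE
    elif base == "CMakeLists.txt" or base.endswith(".cmake"):
        regex = CMAKE_RE
    else:
        return []
    # Comments are deliberately not stripped: a '#' inside a string must not
    # hide a call, and a false positive only costs the reviewer a glance.
    return [(number, match.group(1).lower())
            for number, line in enumerate(text.splitlines(), start=1)
            for match in regex.finditer(line)]

def audit(files):
    """Map each file name in {name: text} to its escape calls, omitting clean files."""
    found = {name: find_escapes(name, text) for name, text in sorted(files.items())}
    return {name: hits for name, hits in found.items() if hits}

# Constructed sample tree (file name -> contents), not taken from any real project.
SAMPLE_FILES = {
    "meson.build": "project('demo', 'c')\nr = run_command('sh', 'gen.sh', check: true)\n"
                   "meson.add_install_script('post.sh')\n",
    "cmake/Helpers.cmake": "function(gen_version)\n  EXECUTE_PROCESS(COMMAND sh gen.sh)\n"
                           "endfunction()\n",
    "src/main.c": "int main(void) { return 0; }\n",
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_FILES).items():
        print(name, hits)
```

To audit a checkout, build the `{name: text}` mapping by walking the source tree and reading each file, then review every reported line.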
