[removed openwrt-adm@ from the Cc: loop]

Petr Štetiar <yn...@true.cz> [2024-04-01 14:49:46]:

> Perhaps this package source code integrity checks should be mandatory, not
> optional?

BTW I looked into this a bit and these are likely breakages caused by the
recent APK related changes:

 $ curl -s https://buildbot.openwrt.org/images/api/v2/logs/1157227/raw | grep Wrong

 mdio-netlink-0~1.3.1.tar.xz: Wrong hash (probably caused by .gitattributes), expecting 97dfd25d8cdf5994eeb8cb0a5862c993b8aef373b280bca567d41d4113f494a9, got f72f170941430eb793902fc3f736839e362d53136bf0459aa98cd1b1152ad5e2
 v4l2loopback-0~v0.12.7.tar.xz: Wrong hash (probably caused by .gitattributes), expecting e5e5d897bdaa7f2fb0b897e503cecaeee234fcdc7f2f138aae501ef742f5b2b2, got 09fcc9a66c820855136fae517c8102564eed7070dd07c272eb14bf2af9b536a3
 usb-serial-xr_usb_serial_common-2023.03.21~90ad5301.tar.xz: Wrong hash (probably caused by .gitattributes), expecting 0cea56120542d3d546028d17389a3419ca930448005a9208728c40583ccf027d, got ca9e4f48a1a71e8d8e595ce8981a876d11a7d3d0f67b9e68c7825730f2f8756a
 dahdi-linux-2023.09.21~1bb9088f.tar.xz: Wrong hash (probably caused by .gitattributes), expecting b32eb405d64c981f64922840f616cf362636ccc93506986c0b92bd4dcca5ab30, got ca88184419f85e87e9b8fd89132a0cf441625230f694954c9a3315247c4adc4a

yet we still seem to be happily producing binary packages with those
theoretically tainted sources.

My understanding of the situation:

 1. tarball is downloaded from sources.openwrt.org, but the package hash
    doesn't match (might be corrupted or malicious tarball)
 2. tarball is deleted, Git clone is performed and source code tarball
    recreated
 3. [ here is the possible blind spot, tarball hash is not checked again,
     although it should be ]
 4. build continues using Git cloned source tree from 2., which in case of
    PKG_SOURCE_VERSION being a Git tag is not trustworthy enough

How to approach that?

 A. Add additional post Git clone hash check (implement 3. above) and fail the
    build if the package hash still doesn't match.

 B. Turn the current hash check warnings into errors by default, making it
    opt-out via config option, so if you enjoy JiaTanning, then be our guest.

 C. Forbid usage of Git tags in PKG_SOURCE_VERSION, but I find that a bit harsh.

 D. Combination of the above

 E. ?


Cheers,

Petr

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
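The download flow from steps 1-4 of the mail with the missing re-check of option A added, as an added example that is not part of the mail and not OpenWrt's own download.pl/Makefile code; `fetch_source`, `regen_*` and `demo_flow` are hypothetical names and the tarball contents are constructed.

```shell
#!/bin/sh
# Added example modelling the flow from the mail; hypothetical names,
# not OpenWrt's build-system code.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# check_hash FILE EXPECTED -> 0 if FILE's sha256 equals EXPECTED, else 1
check_hash() { [ "$(sha256_of "$1")" = "$2" ]; }

# fetch_source TARBALL PKG_HASH REGEN_CMD
# Current flow: mirror tarball -> hash mismatch -> delete -> rebuild the
# tarball from a Git clone (REGEN_CMD stands in for that) -> build continues.
# Added step 3: re-check the rebuilt tarball and fail hard if it still does
# not match, instead of building from unverified sources.
# Returns 0 on success, 2 when the rebuilt tarball is still wrong.
fetch_source() {
    tarball=$1 expected=$2 regen=$3
    if [ -f "$tarball" ] && check_hash "$tarball" "$expected"; then
        return 0
    fi
    echo "$tarball: Wrong hash, refetching from Git" >&2
    rm -f "$tarball"
    "$regen" "$tarball"
    if ! check_hash "$tarball" "$expected"; then
        echo "$tarball: Wrong hash after Git clone, aborting build" >&2
        rm -f "$tarball"
        return 2
    fi
    return 0
}

# Constructed stand-ins for "git clone + tar": one yields the genuine
# source, the other content that differs from what PKG_HASH was taken over
# (e.g. a moved Git tag).
regen_genuine() { printf 'genuine package source\n' > "$1"; }
regen_tainted() { printf 'tainted package source\n' > "$1"; }

# demo_flow: runs both scenarios against a corrupted mirror copy; returns 0
# only when the genuine fallback is accepted and the tainted one rejected.
demo_flow() {
    dir=$(mktemp -d); ref="$dir/ref.tar.xz"
    regen_genuine "$ref"; pkg_hash=$(sha256_of "$ref")   # the PKG_HASH value
    printf 'corrupted mirror copy\n' > "$dir/pkg.tar.xz"
    fetch_source "$dir/pkg.tar.xz" "$pkg_hash" regen_genuine && ok=0 || ok=$?
    printf 'corrupted mirror copy\n' > "$dir/pkg.tar.xz"
    fetch_source "$dir/pkg.tar.xz" "$pkg_hash" regen_tainted && bad=0 || bad=$?
    rm -rf "$dir"
    echo "genuine fallback rc=$ok, tainted fallback rc=$bad"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 2 ]
}
```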
