On Sat, Mar 30, 2024 at 08:22:06PM +0900, Dominique Martinet wrote:
> the initial injection (original:
> https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-ho...).
> (Honestly I did compare the backdoored script and the real one this
> morning and I would be hard pressed to say if either is backdoored just
> looking at either version... Admittedly it was 3AM when I looked at it,
> but I don't think it's just a late hour problem)
Right! Definitely not a 3am problem :-/
> (3) We should have a "security path", like "critical path".
> ...
> Before making each of these safer we should make sshd not link with so
> many things in the first place.
> On oss-security, Solar Designer made a lot of good points about it
> (around here: https://www.openwall.com/lists/oss-security/2024/03/29/27 ,
> but the full thread is interesting)
Agreed.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html