On 11/05/2024 at 04:55, Joel Roth via Dng wrote:
> Steve Litt wrote:
>> Systemd is a complexificated catastrophe.
> I probably shouldn't be stoking the fires again, but what
> the hell?
>
> By some definitions (thanks to its gigantic code base and
> diatomaceous surface area) systemd is a huge contribution to
> the IT economy, creating new layers and dimensions of
> mystery, not to mention opportunities for security holes.
>
> Or, it's a power grab, so cleverly engineered that in a
> decade, 98% or so of linux computers have been inoculated
> with this alien code, the evil spawn of Microsoft ;-)
> Interestingly, the engineer who discovered the exploit was
> working on Microsoft's Postgresql offering.
>
> There was significant social engineering to introduce
> malicious code into the xz distribution tarball.
>
> The final step in the chain of vulnerabilities came by
> the linking of the xz and sshd libraries to systemd.
>
> Any library can tamper with the inner workings of any
> executable it is linked against.
>
> IFUNC, a mechanism in glibc that allows for indirect
> function calls, is used to perform runtime
> hooking/redirection of OpenSSH's authentication
> routines. IFUNC is a tool that is normally used for
> legitimate things, but in this case it is exploited for
> this attack path. [introduced in v 2.11.1, 2009]
>
> Debian and many other Linux distributions add a patch to
> link sshd to systemd, a program that loads a variety of
> services during the system bootup. Systemd, in turn,
> links to liblzma, and this allows xz Utils to exert
> control over sshd.
>
> https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
>
> Cheers, and wishing you safe computing,
>
This is the major argument for Musl libc to *not* support IFUNC.
Dependencies are like hell, both for package management and
security. Try to avoid them as much as possible; this was the original
reason why I developed hopman, and I'm currently working on a web
application with absolutely no dependency (except libc and kernel, of
course).
-- Didier
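The quoted message describes IFUNC only in a sentence. As an added example (mine, not code from the thread participants, from xz, or from glibc), here is a minimal GNU IFUNC on Linux: `checksum` is an indirect function symbol, and the dynamic linker calls `resolve_checksum` to decide, inside the loader and before any of the program's own logic runs, which address that symbol will have for the rest of the process. The two Adler-32 implementations, the selection policy, the sample input and the accessor names are all constructed for the demo; the mechanism (`__attribute__((ifunc(...)))`, GCC or clang with glibc) is real.

```c
/* Added example: a minimal glibc IFUNC (indirect function).
 * Build on Linux with:  gcc -O2 -o ifunc_demo ifunc_demo.c
 * Requires an ELF toolchain with IFUNC support (GCC/clang + glibc). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t (*checksum_fn)(const uint8_t *buf, size_t len);

/* Observations the caller can read back: did the resolver run, and what did it pick? */
static int resolver_calls = 0;
static const char *chosen_impl = "unresolved";

/* Implementation 1: straightforward Adler-32 (constructed for the demo). */
static uint32_t checksum_generic(const uint8_t *buf, size_t len)
{
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < len; i++) {
        a = (a + buf[i]) % 65521;
        b = (b + a) % 65521;
    }
    return (b << 16) | a;
}

/* Implementation 2: same result, modulo deferred per 5552-byte block
 * (the largest block that cannot overflow 32 bits). A real project would
 * put a SIMD variant here; the point is only that two candidates exist. */
static uint32_t checksum_deferred_mod(const uint8_t *buf, size_t len)
{
    uint32_t a = 1, b = 0;
    while (len > 0) {
        size_t n = len < 5552 ? len : 5552;
        len -= n;
        while (n--) { a += *buf++; b += a; }
        a %= 65521;
        b %= 65521;
    }
    return (b << 16) | a;
}

/* The resolver. The dynamic linker calls it during symbol resolution
 * (at load time with BIND_NOW / IRELATIVE, otherwise on the first call
 * through the PLT). Whatever address it returns *is* `checksum` from then
 * on; no later code in the program gets a say. That is the property the
 * quoted message refers to. */
static checksum_fn resolve_checksum(void)
{
    resolver_calls++;
    /* Selection policy is a constant here (assumption for the demo);
     * glibc's own resolvers inspect CPU features instead. */
    chosen_impl = "deferred_mod";
    return checksum_deferred_mod;
}

/* The public symbol: declared, never defined; bound via the resolver. */
uint32_t checksum(const uint8_t *buf, size_t len)
    __attribute__((ifunc("resolve_checksum")));

/* Constructed sample input; its Adler-32 is the well-known 0x11E60398. */
static const uint8_t sample[] = "Wikipedia";

uint32_t checksum_demo_value(void)
{
    return checksum(sample, sizeof(sample) - 1);
}

int checksum_resolver_calls(void) { return resolver_calls; }
const char *checksum_chosen_impl(void) { return chosen_impl; }

/* Resolution is sticky: a second call must not re-run the resolver. */
int checksum_resolver_ran_again(void)
{
    checksum_demo_value();
    int before = resolver_calls;
    checksum_demo_value();
    return resolver_calls != before;
}

/* Both candidates agree on output, so a swapped resolver target is not
 * detectable from results alone; only the binding itself reveals it. */
int checksum_demo_impls_agree(void)
{
    return checksum_generic(sample, sizeof(sample) - 1) ==
           checksum_deferred_mod(sample, sizeof(sample) - 1);
}

int main(void)
{
    printf("before first call: resolver ran %d time(s)\n", checksum_resolver_calls());
    printf("checksum = 0x%08X\n", checksum_demo_value());
    printf("after: resolver ran %d time(s), chose %s\n",
           checksum_resolver_calls(), checksum_chosen_impl());
    return 0;
}
```

Run it twice, once plain and once with `LD_BIND_NOW=1`, and the "before first call" line shows the difference between lazy and immediate resolution; either way the resolver runs inside the loader, not under the program's control. The transitive link the quoted message describes can be checked on a given host with `ldd /usr/sbin/sshd`: `ldd` lists dependencies transitively, so if `liblzma` appears there next to `libsystemd`, that chain is present on that system.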