Github messages for voidlinux
* [ISSUE] vscode template is vulnerable to a supply chain attack
@ 2022-12-08 10:49 crtxcr
From: crtxcr @ 2022-12-08 10:49 UTC (permalink / raw)
  To: ml


New issue by crtxcr on void-packages repository

https://github.com/void-linux/void-packages/issues/40977

Description:
There is an issue in the way the vscode template manages dependencies.

The voidlinux vscode template contains the following patch: https://github.com/void-linux/void-packages/blob/master/srcpkgs/vscode/patches/ripgrep.patch 

It makes the packages.json point to a custom ripgrep nodejs module: https://github.com/atk/void-vscode-ripgrep.git

As we can see, this is a voidlinux specific modification, primarily introduced in d5e7fdb4510bc2353bcccde2ca134b65c4b599cf to make it build with ppc64le even though MS does not ship such binaries and does not support it: https://github.com/microsoft/vscode/issues/80042

**Problem**
Should an attacker gain access to @atk's account, then he can put something malicious into that repo. Thus, it can be used to launch supply chain attacks against voidlinux users when vscode is built.

The main problem is that there is no specific git commit id pinned or anything; it just blindly takes the content of the repo.

This should be addressed by, for example, either:

(1) Getting rid of that ripgrep patch. As its reason for existing is to make it build on platforms not supported by upstream, the option of getting rid of it has to be mentioned I think. However, this implies some users would be affected.

(2) By adding appropriate yaml.lock entries which would point to known good git commit ids.

Furthermore, this only works because, for that patch to work, the yarn option "--frozen-lockfile" was removed in d5e7fdb4510bc2353bcccde2ca134b65c4b599cf. I think it's better to enable it...

I realize node.js does not have the best reputation when it comes to security anyway, but we should not make it worse.

If a decision is made to keep this patch I hope we can at least build it with pinned dependencies.
I have attached a patch that would pin the commit id in yarn.lock, and with that, I can build 1.73.1 with --frozen-lockfile enabled again. If the commit id does not match, the build is aborted.

[ripgrep-yarn.patch.txt](https://github.com/void-linux/void-packages/files/10184378/ripgrep-yarn.patch.txt)

Of course, keeping that yarn patch applying between version updates could be a bit annoying but I think that's not a reason to not do it. 

@atk @shizonic

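An added example (not code from the issue or from the void-packages template) of the lockfile check the issue asks for: it parses a yarn v1 lockfile, keeps only git-sourced entries, and reports which ones are not pinned to a full 40-hex commit id. The lockfile text and the github.com/example URLs are constructed.

```javascript
// Constructed yarn v1 lockfile (not from void-packages): one git dependency with
// no commit in "resolved", one registry tarball, one pinned git dependency.
const SAMPLE_LOCK = `# yarn lockfile v1
"@vscode/ripgrep@https://github.com/example/void-vscode-ripgrep.git":
  version "1.14.2"
  resolved "https://github.com/example/void-vscode-ripgrep.git"
  dependencies:
    https-proxy-agent "^5.0.0"
"left-pad@^1.3.0":
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a5ffbb1d60b1e3d4d5d3a6f1ad0b4d2b5f8"
"pinned-dep@git+https://github.com/example/pinned-dep.git":
  version "0.1.0"
  resolved "git+https://github.com/example/pinned-dep.git#0123456789abcdef0123456789abcdef01234567"
`;

// Minimal yarn v1 parser: an unindented line ending in ":" opens an entry,
// lines indented by exactly two spaces are its top-level fields (nested blocks are skipped).
function parseYarnLockV1(text) {
  const entries = [];
  let cur = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      cur = { specs: line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, '')), fields: {} };
      entries.push(cur);
    } else if (cur) {
      const m = /^  (\S+) (.*)$/.exec(line);
      if (m) cur.fields[m[1]] = m[2].replace(/^"|"$/g, '');
    }
  }
  return entries;
}

// Registry tarballs also carry a "#<sha1>" fragment, so only git sources are checked;
// a git source counts as pinned only when its fragment is a full 40-hex commit id.
function isGitSource(resolved) {
  const url = resolved.split('#')[0];
  return /^(git\+|git:\/\/|ssh:\/\/)/i.test(url) || /\.git$/i.test(url);
}
function isPinned(resolved) { return /^[0-9a-f]{40}$/i.test(resolved.split('#')[1] || ''); }

// Returns every git-sourced entry together with whether it is pinned to a commit.
function auditYarnLock(text) {
  return parseYarnLockV1(text)
    .filter(e => e.fields.resolved && isGitSource(e.fields.resolved))
    .map(e => ({ spec: e.specs[0], resolved: e.fields.resolved, pinned: isPinned(e.fields.resolved) }));
}

auditYarnLock(SAMPLE_LOCK).forEach(r => console.log(`${r.pinned ? 'OK      ' : 'UNPINNED'} ${r.spec} -> ${r.resolved}`));
```

Run against the real srcpkgs/vscode yarn.lock before a build; any UNPINNED line is a dependency that the build would fetch at whatever the remote branch happens to point to.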

* Re: vscode template is vulnerable to a supply chain attack
From: atk @ 2022-12-08 10:57 UTC (permalink / raw)
  To: ml


New comment by atk on void-packages repository

https://github.com/void-linux/void-packages/issues/40977#issuecomment-1342530365

Comment:
I have thought about this before. Maybe I can provide a better solution. Give me a few minutes.


* Re: vscode template is vulnerable to a supply chain attack
From: atk @ 2022-12-08 11:17 UTC (permalink / raw)
  To: ml


New comment by atk on void-packages repository

https://github.com/void-linux/void-packages/issues/40977#issuecomment-1342558824

Comment:
Yes, I can remove this in very much the same way as the telemetry urls and remove the ripgrep-patch. I think this is a much more reliable solution.


* Re: vscode template is vulnerable to a supply chain attack
From: atk @ 2022-12-08 11:59 UTC (permalink / raw)
  To: ml


New comment by atk on void-packages repository

https://github.com/void-linux/void-packages/issues/40977#issuecomment-1342620274

Comment:
I have added the solution to my current PR for version 1.74.0: https://github.com/void-linux/void-packages/pull/40964


* Re: [ISSUE] [CLOSED] vscode template is vulnerable to a supply chain attack
From: classabbyamp @ 2022-12-12  7:26 UTC (permalink / raw)
  To: ml


Closed issue by crtxcr on void-packages repository

https://github.com/void-linux/void-packages/issues/40977

