Github messages for voidlinux
From: crtxcr <crtxcr@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: [ISSUE] vscode template is vulnerable to a supply chain attack
Date: Thu, 08 Dec 2022 11:49:41 +0100
Message-ID: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-40977@inbox.vuxu.org>


New issue by crtxcr on void-packages repository

https://github.com/void-linux/void-packages/issues/40977

Description:
There is an issue in the way the vscode template manages dependencies.

The voidlinux vscode template contains the following patch: https://github.com/void-linux/void-packages/blob/master/srcpkgs/vscode/patches/ripgrep.patch 

It makes the packages.json point to a custom ripgrep nodejs module: https://github.com/atk/void-vscode-ripgrep.git

As we can see, this is a voidlinux specific modification, primarily introduced in d5e7fdb4510bc2353bcccde2ca134b65c4b599cf to make it build with ppc64le even though MS does not ship such binaries and does not support it: https://github.com/microsoft/vscode/issues/80042

**Problem**
Should an attacker gain access to @atk's account then he can put something malicious into that repo. Thus, it can be used to launch supply chain attacks against voidlinux users when vscode is built.

The main problem is that there is no specific git commit id pinned or anything, it just blindly takes the content of the repo.

This should be addressed by for example either:

(1) Getting rid of that ripgrep patch. As its reason for existing is to make it build on platforms not supported by upstream, the option of getting rid of it has to be mentioned I think. However, this implies some users would be affected.

(2) By adding appropriate yarn.lock entries which would point to known good git commit ids.

Furthermore, this only works because, for that patch to work, the yarn option "--frozen-lockfile" was removed in d5e7fdb4510bc2353bcccde2ca134b65c4b599cf. I think it's better to enable it...

I realize node.js does not have the best reputation when it comes to security anyway, but we should not make it worse.

If a decision is made to keep this patch I hope we can at least build it with pinned dependencies.
I have attached a patch that would pin the commit id in yarn.lock and with that, I can build 1.73.1 with --frozen-lockfile enabled again. If the commit id does not match, the build is aborted.

[ripgrep-yarn.patch.txt](https://github.com/void-linux/void-packages/files/10184378/ripgrep-yarn.patch.txt)

Of course, keeping that yarn patch applying between version updates could be a bit annoying but I think that's not a reason to not do it. 

@atk @shizonic
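As an added example, not code from this issue or from void-packages: a small checker for the pinning requirement the report asks for. It parses a yarn.lock v1 fragment (constructed here for the demo, with placeholder hashes) and reports git-sourced entries whose resolved URL is not pinned to a full commit hash, which is the state a build with --frozen-lockfile would otherwise accept on trust.

```javascript
// Added example: flag git-sourced yarn.lock v1 entries that are not pinned to a
// full commit hash. The lockfile text is constructed; hashes are placeholders.
const SAMPLE_LOCK = `# yarn lockfile v1

"@vscode/ripgrep@https://github.com/atk/void-vscode-ripgrep.git":
  version "1.14.2"
  resolved "https://github.com/atk/void-vscode-ripgrep.git#0123456789abcdef0123456789abcdef01234567"

"left-pad@^1.3.0":
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a5a5e5b1f9b4c9e9b2a3b0f7d7a4a2e6f1c"

"some-tool@git+https://example.invalid/org/some-tool.git#main":
  version "0.1.0"
  resolved "git+https://example.invalid/org/some-tool.git#main"
`;

// Parse a v1 lockfile into [{spec, version, resolved}]; entries are separated
// by blank lines, the first (unindented) line is the dependency spec.
function parseYarnLockV1(text) {
  const entries = [];
  for (const block of text.split(/\n\s*\n/)) {
    const lines = block.split("\n").filter(l => l.trim() && !l.trimStart().startsWith("#"));
    if (lines.length === 0 || /^\s/.test(lines[0])) continue;
    const spec = lines[0].replace(/:\s*$/, "").replace(/^"|"$/g, "");
    const entry = { spec, version: null, resolved: null };
    for (const l of lines.slice(1)) {
      const m = /^\s+(version|resolved)\s+"?([^"]*)"?\s*$/.exec(l);
      if (m) entry[m[1]] = m[2];
    }
    entries.push(entry);
  }
  return entries;
}

const FULL_SHA = /^[0-9a-f]{40}$/;

function isGitSource(url) {
  return /^(git\+|git:)/.test(url) || /\.git$/.test(url);
}

// Git sources must carry a full commit hash as the URL fragment; a missing
// fragment or a branch/tag name means the build pulls whatever the repo serves.
function findUnpinnedGitDeps(lockText) {
  const findings = [];
  for (const e of parseYarnLockV1(lockText)) {
    if (!e.resolved) continue;
    const [base, ref = ""] = e.resolved.split("#", 2);
    if (!isGitSource(base)) continue;
    if (!FULL_SHA.test(ref)) findings.push({ spec: e.spec, resolved: e.resolved, ref: ref || "(none)" });
  }
  return findings;
}

for (const f of findUnpinnedGitDeps(SAMPLE_LOCK)) console.log(`UNPINNED ${f.spec} -> ${f.resolved}`);
```

Registry tarball entries also carry a 40-hex fragment (the tarball sha1), so the check deliberately looks only at git URLs.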




