bug-autoconf

[sr #111048] Add a syntax check to code snippets


From: anonymous
Subject: [sr #111048] Add a syntax check to code snippets
Date: Fri, 5 Apr 2024 03:44:13 -0400 (EDT)

URL:
  <https://savannah.gnu.org/support/?111048>

                 Summary: Add a syntax check to code snippets
                   Group: Autoconf
               Submitter: None
               Submitted: Fri 05 Apr 2024 07:44:13 AM UTC
                Priority: 5 - Unprioritized
                Severity: 3 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: fbauzac@amadeus.com
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: GNU/Linux


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Fri 05 Apr 2024 07:44:13 AM UTC By: Anonymous
Hello,

As you may know, an attack related to XZ Utils (lzma) has been
discovered:

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

The malicious account has disabled a feature by sneakily forging
always-failing code.  This has been done by introducing a syntax error
in a CMake file (a dot at the beginning of a line):

https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2bbb81307644efdb58db2c422d9ba7

So the CMake project is considering adding a preliminary syntax check
(with a verbose error message) in addition to the full check (which
fails rather silently), so that such disabling does not go unnoticed:

https://gitlab.kitware.com/cmake/cmake/-/issues/25846

This makes me think that Autoconf does compilation checks similar to
those of CMake, and therefore an attacker could similarly, sneakily
disable a feature.

Should Autoconf similarly add a syntax check?  I'm leaving this open
question to the community.

Thanks!

Best regards
Fabrice








    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/support/?111048>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
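
An added example, not part of the original message or of Autoconf: a heuristic audit of `config.log` that separates checks that failed because the test program itself did not parse from checks that failed because the feature is really missing. The log excerpt, check names and verdict labels are constructed, and the diagnostic patterns assume GCC/Clang wording.

```python
import re

# Constructed config.log excerpt (check names and line numbers are made up).
SAMPLE_LOG = """\
configure:3101: checking for feature_a
configure:3120: gcc -c -g -O2 conftest.c >&5
conftest.c:21:10: fatal error: feature_a.h: No such file or directory
configure:3120: $? = 1
configure:3131: result: no
configure:3140: checking for feature_b
configure:3159: gcc -c -g -O2 conftest.c >&5
conftest.c:24:1: error: expected identifier or '(' before '.' token
configure:3159: $? = 1
configure:3170: result: no
configure:3180: checking for feature_c
configure:3199: gcc -c -g -O2 conftest.c >&5
configure:3199: $? = 0
configure:3210: result: yes
"""

CHECK = re.compile(r"^configure:\d+: checking (?:for |whether )?(.+)$")
RESULT = re.compile(r"^configure:\d+: result: (.+)$")
# Diagnostics meaning the probe itself does not parse (assumed GCC/Clang wording).
SYNTAX = re.compile(r"error: (expected .+|stray .+ in program|syntax error)")
# Diagnostics consistent with the feature really being unavailable.
ABSENT = re.compile(r"No such file or directory|undeclared|undefined reference"
                    r"|implicit declaration|unknown type name|has no member")

def classify(log_text):
    """Return {check name: verdict} for every check whose result is 'no'."""
    verdicts, name, diags = {}, None, []
    for line in log_text.splitlines():
        if m := CHECK.match(line):
            name, diags = m.group(1), []          # a new check block starts
        elif (m := RESULT.match(line)) and name is not None:
            if m.group(1).strip() == "no":
                if any(SYNTAX.search(d) for d in diags):
                    verdicts[name] = "probe-broken"    # review the snippet
                elif any(ABSENT.search(d) for d in diags):
                    verdicts[name] = "feature-absent"
                else:
                    verdicts[name] = "unexplained"
            name = None
        elif name is not None and not line.startswith(("configure:", "|")):
            diags.append(line)                     # compiler/linker output

    return verdicts

if __name__ == "__main__":
    for check, verdict in classify(SAMPLE_LOG).items():
        print(f"{verdict:15} {check}")
```

A `probe-broken` verdict is a prompt for manual review, since a missing type can also trigger follow-on "expected" diagnostics.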



