Skip to content

Support using the system version of brotli #66462

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 23, 2022
Merged

Support using the system version of brotli #66462

merged 1 commit into from
Mar 23, 2022

Conversation

omajid
Copy link
Member

@omajid omajid commented Mar 10, 2022

This is mainly motivated by the March 2022 release of .NET 5. .NET 5 was
found to be vulnerable to CVE-2020-8927, which was caused by the older
version of brotli built into .NET. .NET was vulernable even in
environments where a system-wide version of brotli was present and had
already received fixes for this CVE. We could have avoided a Remove Code
Execution vulnerability in such environments by using the system's
version of brotli.

This is similar to the existing support for disabling distro-agnostic
OpenSSL (except no OpenSSL is embedded) and libunwind (a copy of
libunwind is embedded this repo).

@ghost ghost added community-contribution Indicates that the PR has been added by a community member area-System.IO.Compression labels Mar 10, 2022
@ghost
Copy link

ghost commented Mar 10, 2022

Tagging subscribers to this area: @dotnet/area-system-io-compression
See info in area-owners.md if you want to be subscribed.

Issue Details

This is mainly motivated by the March 2022 release of .NET 5. .NET 5 was
found to be vulnerable to CVE-2020-8927, which was caused by the older
version of brotli built into .NET. .NET was vulernable even in
environments where a system-wide version of brotli was present and had
already received fixes for this CVE. We could have avoided a Remove Code
Execution vulnerability in such environments by using the system's
version of brotli.

This is similar to the existing support for disabling distro-agnostic
OpenSSL (except no OpenSSL is embedded) and libunwind (a copy of
libunwind is embedded this repo).

Author: omajid
Assignees: -
Labels:

area-System.IO.Compression, community-contribution
Milestone: -

omajid
omajid commented Mar 10, 2022
View reviewed changes
@omajid omajid force-pushed the system-brotli branch 2 times, most recently from 3ce0f94 to 5623c2d Compare March 14, 2022 18:49
@omajid omajid changed the title Add a flag to link against the system brotli Support using the system version of brotli Mar 15, 2022
@crummel
Copy link
Contributor

crummel commented Mar 17, 2022

@VSadov @janvorli Any suggestions on the problem @omajid is having? It'd be nice to make progress on this since it's helpful for security going forward.

@jkotas
Copy link
Member

jkotas commented Mar 17, 2022

I don't know how to handle this build issue. These symbols are defined as fully bound in entrypoints.c when using the bundled copy of brotli. These symbols are defined as "undefined" (nm shows a U) in entrypoints.c when using the system copy.

Does it fail at runtime as well; or is it just a problem with the verification script?

@omajid
Copy link
Member Author

omajid commented Mar 17, 2022

Does it fail at runtime as well; or is it just a problem with the verification script?

The unit tests all passed, so it should be working at runtime. I think it's just a verification script issue.

@jkotas
Copy link
Member

jkotas commented Mar 17, 2022

The easiest fix would be disable the verification script when using system brotli, and depend on tests to find problems if there are any.

@VSadov
Copy link
Member

VSadov commented Mar 17, 2022

Yes. I'd disable verification when using system brotli. The verification is to catch if entry points are inconsistent in embedded case.

@omajid
Copy link
Member Author

omajid commented Mar 17, 2022

Okay, I will undo my changes to entrypoints.c and verify-entrypoints.sh (which were locally working/passing for both bundled and system brotli) and simply skip verification for system brotli.

@janvorli
Copy link
Member

I agree with this plan.

@omajid omajid force-pushed the system-brotli branch 2 times, most recently from 142ee68 to 029c1f8 Compare March 22, 2022 13:14
omajid
omajid commented Mar 22, 2022
View reviewed changes
@omajid omajid marked this pull request as ready for review March 22, 2022 14:20
This was referenced Mar 22, 2022
Closed
Closed
Closed
@omajid
Support using the system version of brotli
310da88 
This is mainly motivated by the March 2022 release of .NET 5. .NET 5 was
found to be vulnerable to CVE-2020-8927, which was caused by the older
version of brotli built into .NET. .NET was vulernable even in
environments where a system-wide version of brotli was present and had
already received fixes for this CVE. We could have avoided a Remote Code
Execution vulnerability in such environments by using the system's
version of brotli.

This is similar to the existing support for disabling distro-agnostic
OpenSSL (except no OpenSSL is embedded) and using the system libunwind
(a copy of libunwind is embedded this repo).

One small twist is the presence of entrypoint verification. In a
system-brotli build, the verification fails, because the built library,
libSystem.IO.Compression.Native.so, doesn't include the symbols for
Brotli. Those symbols are instead used from the system brotli libraries.
@jkotas
Copy link
Member

jkotas commented Mar 23, 2022

Opened dotnet/arcade#8670 on the infrastructure failure

@jkotas jkotas merged commit 5ca9223 into dotnet:main Mar 23, 2022
@adamsitnik adamsitnik added this to the 7.0.0 milestone Mar 23, 2022
radekdoulik pushed a commit to radekdoulik/runtime that referenced this pull request Mar 30, 2022
@omajid @radekdoulik
Support using the system version of brotli (dotnet#66462)
fc065cc 
This is mainly motivated by the March 2022 release of .NET 5. .NET 5 was
found to be vulnerable to CVE-2020-8927, which was caused by the older
version of brotli built into .NET. .NET was vulernable even in
environments where a system-wide version of brotli was present and had
already received fixes for this CVE. We could have avoided a Remote Code
Execution vulnerability in such environments by using the system's
version of brotli.

This is similar to the existing support for disabling distro-agnostic
OpenSSL (except no OpenSSL is embedded) and using the system libunwind
(a copy of libunwind is embedded this repo).

One small twist is the presence of entrypoint verification. In a
system-brotli build, the verification fails, because the built library,
libSystem.IO.Compression.Native.so, doesn't include the symbols for
Brotli. Those symbols are instead used from the system brotli libraries.
@ghost ghost locked as resolved and limited conversation to collaborators Apr 22, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jkotas jkotas jkotas approved these changes

Assignees
No one assigned
Labels
area-System.IO.Compression community-contribution Indicates that the PR has been added by a community member
Projects
None yet
Milestone
7.0.0
Development

Successfully merging this pull request may close these issues.
6 participants
@omajid @crummel @jkotas @VSadov @janvorli @adamsitnik