Remove dependency on libjansson

Rui Ueyama rui314@gmail.com
Mon Apr 1 03:31:25 GMT 2024


Hi,

The recent xz incident demonstrated that supply chain attacks are a
real threat, and dependence on third-party libraries can have
significant consequences.

In the wake of the incident, I propose we remove the dependency on
libjansson from GNU ld.

First of all, why does GNU ld depend on libjansson, which is a JSON
parsing library? GNU ld gained the `--package-metadata` option in May
2022 to embed a JSON string into a .note section for package
management for Fedora and other Linux distributions. At the same time,
the dependency on libjansson, a library for parsing JSON-format
strings, was introduced to validate an argument for that option. If an
argument is not a valid JSON string, ld reports an error. If the
library is unavailable, or if `--disable-jansson` was passed to the
configure script, the library will not be linked and the error check
will be disabled. By default, the library will be linked if it exists.

I opposed adding an extra dependency to GNU ld just for string
verification purposes because it didn't seem worth adding an extra
dependency to the linker. LLVM lld and the mold linker also support
the option, but they do not verify if the argument is a valid JSON
string -- they simply treat it as an opaque string. If libjansson is
unavailable, even GNU ld doesn't verify arguments. Therefore, the
verification is not trustworthy, and the reader must be prepared for a
malformed JSON string when reading a .note section. Moreover,
verifying a string is straightforward without the feature; you can
simply `echo` the string to pipe it to `jq` for verification before
passing it to GNU ld.

I just checked /usr/bin/ld on Ubuntu 24.04, which is set to be
released this month, and the dependency on libjansson was indeed
present.

How much risk does it pose? Probably not much, as long as the library
is maintained properly. However, the stakes are high; if someone takes
control of the library and introduces malicious code, they could
execute a Ken Thompson-style supply chain attack. Since GNU ld is used
to build essentially everything, the attacker could in theory gain the
power to not just contaminate a specific program such as openssh, but
every executable in an official Linux distribution image. I think the
risk is not worth taking. I believe we should just remove the string
verification code and the dependency on the library from GNU ld.

Rui Ueyama
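The message above argues that the JSON check belongs in the build script, not in the linker, and suggests piping the string to `jq` first. The following is an added example of such a pre-flight check as a shell wrapper; it is not code from the post or from binutils. It uses `jq` when present and otherwise falls back to python3's `json` module (an assumption about what the build host has installed); the `LD` variable, the wrapper's name and the sample metadata string are all constructed for illustration.

```shell
#!/bin/sh
# Added example: validate a --package-metadata argument before it reaches
# the linker, so the build does not rely on ld being built with libjansson.

# Return 0 if $1 parses as JSON, 1 if it does not, 2 if no validator exists.
# jq is what the e-mail suggests; the python3 fallback is an assumption.
json_is_valid() {
    [ -n "$1" ] || return 1            # an empty argument is not valid JSON
    if command -v jq >/dev/null 2>&1; then
        printf '%s' "$1" | jq . >/dev/null 2>&1
    elif command -v python3 >/dev/null 2>&1; then
        printf '%s' "$1" | python3 -c 'import json,sys; json.load(sys.stdin)' 2>/dev/null
    else
        echo "json_is_valid: neither jq nor python3 is available" >&2
        return 2
    fi
}

# Wrapper around the linker: refuse to invoke it unless the metadata parses.
# First argument is the JSON string; the rest are passed through to ld.
# The linker name comes from $LD (assumed), defaulting to "ld".
link_with_metadata() {
    metadata=$1
    shift
    if ! json_is_valid "$metadata"; then
        echo "error: --package-metadata argument is not valid JSON" >&2
        return 1
    fi
    "${LD:-ld}" --package-metadata="$metadata" "$@"
}

# Constructed sample metadata (field names chosen for illustration only).
sample='{"type":"rpm","name":"hello","version":"2.12-1.fc40","architecture":"x86_64"}'
json_is_valid "$sample" && echo "sample metadata is valid JSON"
```

Because the gate runs before `ld` is executed, a malformed string fails the build regardless of how the distribution's linker was configured, and the check behaves the same whether the final link is done by GNU ld, lld or mold.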
