Hi, I recently read about the major xz backdoor that's been all over
the internet, for example, here:
https://openwall.com/lists/oss-security/2024/03/29/4
One thing I noticed in the writeup is that part of the way it worked
involved a modified copy of gnulib's build-to-host.m4 macro file;
compare the xz copy here:
https://salsa.debian.org/debian/xz-utils/-/blob/debian/unstable/m4/build-to-host.m4
...with the gnulib copy here:
https://git.savannah.gnu.org/cgit/gnulib.git/tree/m4/build-to-host.m4
So, one thing I'm wondering is if there's anything gnulib can add on
its end to ensure that the macro actually does what it's supposed to
do? From checking `git grep build-to-host.m4` in gnulib, it seems that
the build-to-host.m4 macro file is used in the configmake and gettext
modules; however, when I do ./gnulib-tool --test configmake, I don't
see any output to indicate that the macro file in question is actually
being tested; is it supposed to be? (And then ./gnulib-tool --test
gettext just doesn't even work for me.)
What do people think?
Thanks,
Eric
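One check a downstream maintainer can run today, independent of anything gnulib itself adds, is to compare the m4 files shipped in a source tree against a trusted gnulib checkout. The following is an added example, not code from the post or from gnulib; `compare_m4()` and `demo()` are hypothetical helpers that assume both the project's m4/ directory and a local gnulib m4/ directory are available, and the sample macro bodies are constructed stand-ins.

```python
# Added example (not gnulib's code): compare a project's vendored m4/ macros
# against a trusted gnulib checkout. compare_m4() and demo() are hypothetical.
import re
import tempfile
from pathlib import Path

# gnulib headers read "# build-to-host.m4 serial 3" or just "# serial 3"
SERIAL_RE = re.compile(r"^#\s*(?:\S+\.m4\s+)?serial\s+(\d+)", re.MULTILINE)

def serial_of(text):
    """Serial number declared in a gnulib m4 header, or None if absent."""
    m = SERIAL_RE.search(text)
    return int(m.group(1)) if m else None

def compare_m4(vendored_dir, reference_dir):
    """Classify each vendored *.m4 as identical / modified / not-in-reference.
    Both serials are reported so a legitimately older copy can be told apart
    from one that matches no upstream revision."""
    report = {}
    for vendored in sorted(Path(vendored_dir).glob("*.m4")):
        v_bytes = vendored.read_bytes()
        entry = {"status": "not-in-reference", "reference_serial": None,
                 "vendored_serial": serial_of(v_bytes.decode(errors="replace"))}
        ref = Path(reference_dir) / vendored.name
        if ref.is_file():
            r_bytes = ref.read_bytes()
            entry["reference_serial"] = serial_of(r_bytes.decode(errors="replace"))
            # byte-for-byte: any whitespace or comment change counts as modified
            entry["status"] = "identical" if v_bytes == r_bytes else "modified"
        report[vendored.name] = entry
    return report

def demo():
    """Run the check on a constructed sample tree (stand-in macro bodies)."""
    base = Path(tempfile.mkdtemp())
    ref, ven = base / "gnulib" / "m4", base / "xz" / "m4"
    for d in (ref, ven):
        d.mkdir(parents=True)
    upstream = "# build-to-host.m4 serial 3\nAC_DEFUN([gl_BUILD_TO_HOST], [:])\n"
    (ref / "build-to-host.m4").write_text(upstream)
    (ref / "gettext.m4").write_text("# gettext.m4 serial 2\nAC_DEFUN([AM_GNU_GETTEXT], [:])\n")
    # vendored copy keeps the upstream serial but has an extra line appended
    (ven / "build-to-host.m4").write_text(upstream + "dnl extra line absent upstream\n")
    (ven / "gettext.m4").write_text((ref / "gettext.m4").read_text())
    (ven / "local-only.m4").write_text("# serial 1\n")
    return compare_m4(ven, ref)

if __name__ == "__main__":
    for name, entry in demo().items():
        print(name, entry)
```

A vendored file whose serial matches upstream but whose bytes do not is the case worth a close diff, since an older serial alone can be explained by the project having synced gnulib at an earlier date.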