Closed stevep-arm closed 12 months ago
Yes, the problem in this case was that a single mirror (the Korean mirror of Sourceforge) was briefly supplying a subverted file.
SCA-5 does mitigate the attack for others, but not really for the downloader. The strongest countermeasure in this case is signing & checking the signature of packages.
Do we need to modify the specification?
This sounds like phpMyAdmin should be attributed to AUD-3: Validate digital signature or hash match for each component. I will adjust this accordingly. I am having trouble locating an incident example of "Intentional vulnerabilities/backdoors added to an OSS code base" - does anyone have any suggestions?
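The hash-match control referred to above (AUD-3, and the "signing & checking" point in the earlier reply), as an added Python example that is not part of this thread or of the specification: it verifies files served by a download mirror against a SHA256SUMS-style manifest obtained from the canonical site rather than from the mirror. File names and contents are constructed sample data, not a real release.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> str:
    """Produce a SHA256SUMS-style manifest, i.e. what a maintainer publishes on the canonical site."""
    return "".join(f"{sha256_hex(content)}  {name}\n" for name, content in files.items())


def parse_manifest(text: str) -> dict[str, str]:
    """Parse '<hex digest>  <filename>' lines into {filename: digest}; blank and '#' lines are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_downloads(manifest_text: str, downloads: dict[str, bytes]) -> dict[str, str]:
    """Return {filename: 'ok' | 'MISMATCH' | 'not-in-manifest'} for each downloaded file.
    Files listed in the manifest but not downloaded are reported as 'missing'."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, content in downloads.items():
        if name not in expected:
            results[name] = "not-in-manifest"
            continue
        # compare_digest: constant-time comparison of the two hex strings
        results[name] = "ok" if hmac.compare_digest(sha256_hex(content), expected[name]) else "MISMATCH"
    for name in expected:
        results.setdefault(name, "missing")
    return results


# Constructed sample data (hypothetical file names, not a real release).
GENUINE = {
    "phpMyAdmin-all-languages.zip": b"PK\x03\x04 genuine release archive bytes",
    "README.txt": b"release notes",
}
MANIFEST = build_manifest(GENUINE)  # fetched from the canonical site, not from the mirror

# What a single subverted mirror served: the archive differs, README.txt is untouched.
FROM_MIRROR = dict(GENUINE)
FROM_MIRROR["phpMyAdmin-all-languages.zip"] = b"PK\x03\x04 archive with altered contents"

if __name__ == "__main__":
    for name, status in verify_downloads(MANIFEST, FROM_MIRROR).items():
        print(f"{status:15} {name}")
```

The manifest must come over a channel the mirror does not control (the canonical site, or a signed manifest whose signature is checked first); a digest fetched from the same mirror proves nothing.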
@jasminewang0 let's use colors v1.4.1 as an example here, as they intentionally added an infinite loop to their code, which would cause apps to crash https://snyk.io/blog/open-source-npm-packages-colors-faker/
In the section 'Common OSS Supply Chain Threats' there is a table of threats with examples given.
phpMyAdmin is given as an example of 'Intentional vulnerabilities/backdoors added to an OSS code base'. Following the link for the example to the Ars Technica article about the incident, it seems that it was a single mirror of a download package that was impacted and not the code base itself.
SCA-5 "Identify zero-day vulnerabilities and confidentially contribute fixes back to the upstream maintainer" wouldn't mitigate the threat of a distribution mirror being compromised.