unitaryfund / qrack

Comprehensive, GPU accelerated framework for developing universal virtual quantum processors
https://qrack.readthedocs.io/en/latest/
GNU Lesser General Public License v3.0

Potential security breach #1004

Closed WrathfulSpatula closed 3 months ago

WrathfulSpatula commented 3 months ago

I discovered yesterday that, maybe since February, I have been linking Qrack against a version of OpenCL that was installed in /usr/local instead of /usr. The issue was flagged by the Debian packaging tools, since the /usr/local version of OpenCL in the isolated build environment was not in my Debian manifest, when I attempted to update the Qrack Ubuntu PPA. Call me "nuts" (apologies): in a UNIX(-like) operating system, this would have been worrisome in 1980, and today is no different.

System packages (like from Canonical Launchpad, for Ubuntu) go in /usr; /usr/local is reserved for "local" software, like when installing locally from source. /usr/local isn't necessarily as secure, by design, since users should have the control to install the software they want (or that they develop for themselves) on *NIX operating systems. When one installs OpenCL from an Ubuntu system package (or the official, signed CUDA installer), it should go in /usr, not /usr/local: it's that simple.

Finding the installation in /usr/local could be evidence of a "supply-chain attack." My local copy of OpenCL would have been linked into the Qrack releases, in this period. I would advise extreme caution and discernment in installing pre-compiled binary versions of Qrack from this period.

Notably, the Ubuntu PPA itself theoretically is not affected (unless its source code was surreptitiously modified on my compromised machine, though the source itself is provided by the packages, which users can inspect). It provides a source package that installed its dependencies (OpenCL and libc, from memory) on the remote and secure Launchpad servers, directly from the official Canonical Ubuntu PPAs.

I am working on a plan to recover the security of my local build environments. (Among other steps, this will likely entail reinstalling Ubuntu entirely, but this step might not be sufficient in itself.) When my operating systems are reasonably secure, I intend to publish new releases of all packaged Qrack binaries. The progress will be tracked in this issue ticket.

For now, consider limiting installations to Qrack releases prior to February 3rd, or use the Ubuntu PPA.
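The check the Debian packaging tools effectively performed here, namely spotting a dependency that resolves to /usr/local rather than a distribution-managed path, can be run against any built binary before a release is cut. The script below is an added example and is not code from the Qrack project or its author; it parses `ldd`-style output (a constructed sample is embedded so it runs offline) and flags every shared library whose resolved path lies outside /lib, /usr/lib and their 32/64 variants. The library names, paths and addresses in the sample are made up for illustration.

```shell
#!/bin/sh
# Added example (not part of the Qrack project): flag shared libraries that a
# binary resolves outside the distribution-managed /lib and /usr/lib trees,
# so an unexpected /usr/local install (e.g. a second OpenCL) is noticed before
# it is linked into a release.

# Constructed ldd output for illustration only. A real run would be:
#   ldd ./build/qrack_cl_precompile | flag_local_libs
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd4d3f0000)
	libOpenCL.so.1 => /usr/local/cuda/lib64/libOpenCL.so.1 (0x00007f1a2c000000)
	libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f1a2bc00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2b800000)'

# Read ldd output on stdin; print "<soname> <resolved path>" for each library
# whose path is not under /lib, /lib32, /lib64, /usr/lib, /usr/lib32 or
# /usr/lib64. Lines without "=> /path" (vdso, "not found") are ignored.
flag_local_libs() {
    awk '$2 == "=>" && $3 ~ "^/" {
        if ($3 !~ "^/(usr/)?lib(32|64)?/") print $1, $3
    }'
}

# Wrapper with a usable exit status: 0 when every library is in a managed
# tree, 1 (and the offending lines on stdout) otherwise.
check_binary_deps() {
    out=$(flag_local_libs)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LDD" | check_binary_deps \
    && echo "all libraries come from managed paths" \
    || echo "suspicious library locations found (see above)"
```

On a Debian or Ubuntu system the natural follow-up for each flagged path is `dpkg -S <path>`: a library that no installed package owns is exactly the situation this issue describes, and the decision of whether it is a legitimate local build or something to be removed has to be made by hand.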

WrathfulSpatula commented 3 months ago

Everyone will be happy to hear me say it: this was a false alarm (even if I'm glad I investigated it). My research gathers that the January release of CUDA toolkit seems to use /usr/local. Notwithstanding... I, personally, am uninstalling it, for security reasons, explained above.