From: Doug Evans <dje@google.com>
To: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: gdb-patches@sourceware.org, Tom Tromey <tromey@redhat.com>
Subject: Re: [RFA] Add $pdir as entry for libthread-db-search-path.
Date: Sun, 01 May 2011 18:34:00 -0000 [thread overview]
Message-ID: <BANLkTin84GeKykSDmc=heySNtCypMqWgdA@mail.gmail.com> (raw)
In-Reply-To: <BANLkTinagVcXZqvOg80eoFMnyaw9T0OYUw@mail.gmail.com>
On Fri, Apr 29, 2011 at 12:00 PM, Doug Evans <dje@google.com> wrote:
> On Fri, Apr 29, 2011 at 10:08 AM, Jan Kratochvil <jan.kratochvil@redhat.com>
> wrote:
>>
>> On Fri, 29 Apr 2011 18:49:09 +0200, Doug Evans wrote:
>> > On Fri, Apr 29, 2011 at 5:36 AM, Jan Kratochvil
>> > <jan.kratochvil@redhat.com> wrote:
>> > > This is insecure default. It is something like the FSF GDB insecure
>> > > .gdbinit
>> > > behavior which many distros (at least Fedora but even others) have to
>> > > patch.
>> >
>> > Does Fedora turn off the autoloading of python?
>>
>> No.
>>
>> > How do your pretty printers Just Work?
>> > [Or maybe you only autoload if the directory is in $prefix/lib/debug
>> > or some such?]
>>
>> You are right it is a security hole, I have not tracked to Python
>> autoloading
>> much. It should get CVE and security errata assigned as it is the same
>> category of a security breach as was:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4146
>>
>>
>> > Plus I wonder how easy it would be to build a program that used an
>> > accompanying libpthread that didn't match the system libthread_db -
>> > gdb would then pick the accompanying libthread_db. Or does Fedora not
>> > ever look in the directory of libpthread for its libthread_db?
>>
>> This may be also a security exploit I did not catch.
>
> I wonder if gdb needs to record a list of trusted paths.
> btw, is system_gdbinit trustable?
I'd like to keep this patch moving, but I don't know what to do next.
Some thoughts:
1) This is a patch for the FSF tree, not Fedora.
If this kind of security concern is the rule for the FSF tree then I
think it's required to be documented somewhere.
[Maybe it already is and I've missed it? If not, let's get it documented.]
2) Can we satisfy the security concern by adding to gdb a list of
trusted paths and then everywhere we open a file that can expose a
such a security concern we see if it's on a path on the list?
As for how to handle the case of not being on the list I suppose one
could have a restrictive/permissive mode.
User-written pretty-printers should Just Work - I could argue for
either choice being the default.
Or ... ?
next prev parent reply other threads:[~2011-05-01 18:34 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-29 3:59 Doug Evans
2011-04-29 12:36 ` Jan Kratochvil
2011-04-29 16:49 ` Doug Evans
2011-04-29 17:08 ` Jan Kratochvil
[not found] ` <BANLkTinagVcXZqvOg80eoFMnyaw9T0OYUw@mail.gmail.com>
2011-05-01 18:34 ` Doug Evans [this message]
2011-05-02 19:15 ` Jan Kratochvil
2011-05-02 19:51 ` Doug Evans
2011-05-06 18:40 ` Tom Tromey
2011-05-09 22:30 ` Doug Evans
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='BANLkTin84GeKykSDmc=heySNtCypMqWgdA@mail.gmail.com' \
--to=dje@google.com \
--cc=gdb-patches@sourceware.org \
--cc=jan.kratochvil@redhat.com \
--cc=tromey@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox