Subject: Re: [RFA] Add $pdir as entry for libthread-db-search-path.
Date: Sun, 01 May 2011 18:34:00 -0000
References: <20110429035837.9A1EA24619F@ruffy.mtv.corp.google.com> <20110429123634.GA23843@host1.jankratochvil.net> <20110429170824.GA6107@host1.jankratochvil.net>
From: Doug Evans
To: Jan Kratochvil
Cc: gdb-patches@sourceware.org, Tom Tromey
X-SW-Source: 2011-05/txt/msg00007.txt.bz2

On Fri, Apr 29, 2011 at 12:00 PM, Doug Evans wrote:
> On Fri, Apr 29, 2011 at 10:08 AM, Jan Kratochvil wrote:
>>
>> On Fri, 29 Apr 2011 18:49:09 +0200, Doug Evans wrote:
>> > On Fri, Apr 29, 2011 at 5:36 AM, Jan Kratochvil wrote:
>> > > This is an insecure default.  It is something like the FSF GDB insecure
>> > > .gdbinit
>> > > behavior which many distros (at least Fedora but even others) have to
>> > > patch.
>> >
>> > Does Fedora turn off the autoloading of python?
>>
>> No.
>>
>> > How do your pretty printers Just Work?
>> > [Or maybe you only autoload if the directory is in $prefix/lib/debug
>> > or some such?]
>>
>> You are right it is a security hole, I have not tracked the Python
>> autoloading
>> much.  It should get a CVE and security errata assigned as it is the same
>> category of a security breach as was:
>>         http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4146
>>
>>
>> > Plus I wonder how easy it would be to build a program that used an
>> > accompanying libpthread that didn't match the system libthread_db -
>> > gdb would then pick the accompanying libthread_db.  Or does Fedora not
>> > ever look in the directory of libpthread for its libthread_db?
>>
>> This may be also a security exploit I did not catch.
>
> I wonder if gdb needs to record a list of trusted paths.
> btw, is system_gdbinit trustable?

I'd like to keep this patch moving, but I don't know what to do next.
Some thoughts:

1) This is a patch for the FSF tree, not Fedora.
If this kind of security concern is the rule for the FSF tree then I think
it's required to be documented somewhere.
[Maybe it already is and I've missed it?  If not, let's get it documented.]

2) Can we satisfy the security concern by adding to gdb a list of trusted
paths and then everywhere we open a file that can expose such a security
concern we see if it's on a path on the list?
As for how to handle the case of not being on the list I suppose one could
have a restrictive/permissive mode.
User-written pretty-printers should Just Work - I could argue for either
choice being the default.

Or ... ?
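The trusted-path list floated in point 2 of the message above, written out as an added example; this is not code from the thread or from gdb itself. It assumes a NULL-terminated allowlist of absolute directories, and the names `check_trusted_path`, `load_decision` and `sample_trusted` are hypothetical. The check normalises the candidate path lexically (repeated slashes, `.` and `..`) and then matches it against each trusted directory on whole path components, so `/usr/lib/debug2` is not mistaken for something under `/usr/lib/debug`. The `permissive` flag is the restrictive/permissive mode the message suggests: an untrusted path is reported for a warning instead of being refused.

```c
/* Added example, not gdb's own code: a trusted-path allowlist check of the
   kind proposed in the message above.  Names are hypothetical.  */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum load_decision { LOAD_ALLOW, LOAD_WARN, LOAD_DENY };

/* Constructed sample allowlist: directories whose auto-load files are
   trusted.  */
const char *const sample_trusted[] =
  { "/usr/lib/debug", "/usr/share/gdb/auto-load", NULL };

/* Lexically normalise absolute PATH into OUT: collapse repeated '/',
   drop "." components and resolve ".." against the preceding component
   (never above the root).  Returns false for a relative or oversized path.
   This is purely textual: a real implementation should first pass existing
   paths through realpath(3) so a symlink cannot give an untrusted
   directory a trusted-looking name.  */
static bool
normalize_path (const char *path, char *out, size_t outsz)
{
  if (path == NULL || path[0] != '/' || outsz < 2)
    return false;
  size_t len = 0;
  out[len++] = '/';
  for (const char *p = path; *p != '\0';)
    {
      while (*p == '/')
        p++;
      if (*p == '\0')
        break;
      const char *start = p;
      while (*p != '\0' && *p != '/')
        p++;
      size_t clen = (size_t) (p - start);
      if (clen == 1 && start[0] == '.')
        continue;
      if (clen == 2 && start[0] == '.' && start[1] == '.')
        {
          /* Pop the previous component and the slash before it.  */
          while (len > 1 && out[len - 1] != '/')
            len--;
          if (len > 1)
            len--;
          continue;
        }
      if (len > 1)
        {
          if (len + 1 >= outsz)
            return false;
          out[len++] = '/';
        }
      if (len + clen >= outsz)
        return false;
      memcpy (out + len, start, clen);
      len += clen;
    }
  out[len] = '\0';
  return true;
}

/* True if normalised NORM equals DIR or lies beneath it; compared on whole
   components, so "/usr/lib/debug2" is not under "/usr/lib/debug".  */
static bool
path_under_dir (const char *norm, const char *dir)
{
  size_t dlen = strlen (dir);
  if (dlen == 1 && dir[0] == '/')
    return true;
  if (strncmp (norm, dir, dlen) != 0)
    return false;
  return norm[dlen] == '\0' || norm[dlen] == '/';
}

/* Decide whether PATH may be auto-loaded.  TRUSTED is a NULL-terminated list
   of absolute directories.  PERMISSIVE selects the permissive mode: an
   untrusted path is allowed with a warning instead of being refused.  */
enum load_decision
check_trusted_path (const char *path, const char *const *trusted,
                    bool permissive)
{
  char norm[4096], dir[4096];
  if (!normalize_path (path, norm, sizeof norm))
    return LOAD_DENY;                   /* relative paths are never trusted */
  for (size_t i = 0; trusted[i] != NULL; i++)
    if (normalize_path (trusted[i], dir, sizeof dir)
        && path_under_dir (norm, dir))
      return LOAD_ALLOW;
  return permissive ? LOAD_WARN : LOAD_DENY;
}

int
main (void)
{
  /* Constructed candidate paths, printed with their decision.  */
  static const char *const candidates[] =
    { "/usr/lib/debug/usr/lib64/libpthread-2.12.so-gdb.py",
      "/usr/lib/debug/../../../home/user/untrusted-gdb.py",
      "/home/user/proj/libthread_db.so", NULL };
  static const char *const names[] = { "allow", "warn", "deny" };
  for (size_t i = 0; candidates[i] != NULL; i++)
    printf ("%-55s %s\n", candidates[i],
            names[check_trusted_path (candidates[i], sample_trusted, true)]);
  return 0;
}
```

With `permissive` false the third candidate is refused outright, which is the restrictive default; with it true the same path yields a warning and the user-written pretty-printer case from the message still works. GDB itself later gained `set auto-load safe-path` for this purpose.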