From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from simark.ca by simark.ca with LMTP id 6A1KJAsbOGTHvyoAWB0awg (envelope-from ) for ; Thu, 13 Apr 2023 11:08:59 -0400 Received: by simark.ca (Postfix, from userid 112) id 9214F1E221; Thu, 13 Apr 2023 11:08:59 -0400 (EDT) Authentication-Results: simark.ca; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.a=rsa-sha256 header.s=default header.b=f5bEscjo; dkim-atps=neutral X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on simark.ca X-Spam-Level: X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, RDNS_DYNAMIC,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from sourceware.org (ip-8-43-85-97.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by simark.ca (Postfix) with ESMTPS id 2FF031E110 for ; Thu, 13 Apr 2023 11:08:59 -0400 (EDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 9436F385802F for ; Thu, 13 Apr 2023 15:08:58 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 9436F385802F DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1681398538; bh=PkPfzZzzXV27eG8vOo8Ayx9f2DusmIOfh1NzgXP94u4=; h=Subject:In-Reply-To:Date:Cc:References:To:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From:Reply-To:From; b=f5bEscjoPL5d3J1odIQUm6L6NaSJSIK3hXtic0bP06w4k0Kkkj33V04/9OXunigmX p0nBgAYDYd8kSU2vukclAqKe9xc1tBewXVBxOkdt47PKzTGD75nmttmFAhCd/GSJMr +fJXgLSZ1/TKn5TAgNVC80wj0Qdn/3SLrEJUHO2s= Received: from resdmta-a1p-077741.sys.comcast.net (resdmta-a1p-077741.sys.comcast.net [IPv6:2001:558:fd01:2bb4::e]) by sourceware.org (Postfix) with ESMTPS id 2B1453858D37 for ; Thu, 13 Apr 2023 15:08:32 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 2B1453858D37 Received: from resomta-a1p-076781.sys.comcast.net ([96.103.145.226]) by resdmta-a1p-077741.sys.comcast.net with ESMTP id muiCpdz8wgZsomyYopARFu; Thu, 13 Apr 2023 15:08:30 +0000 Received: from smtpclient.apple ([73.60.223.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits) (Client did not present a certificate) by resomta-a1p-076781.sys.comcast.net with ESMTPSA id myYlptdCmNc7QmyYmp90vL; Thu, 13 Apr 2023 15:08:30 +0000 X-Xfinity-VAAS: gggruggvucftvghtrhhoucdtuddrgedvhedrvdekkedgkeeiucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuvehomhgtrghsthdqtfgvshhipdfqfgfvpdfpqffurfetoffkrfenuceurghilhhouhhtmecufedtudenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurheptggguffhjgffvefgkfhfvffosehtqhhmtdhhtddvnecuhfhrohhmpefrrghulhcumfhonhhinhhguceophgruhhlkhhonhhinhhgsegtohhmtggrshhtrdhnvghtqeenucggtffrrghtthgvrhhnpeevkeevleffleeigfeiudefheegjedthfegudejheeukeeitdfgteffvefggffgvdenucfkphepjeefrdeitddrvddvfedruddtudenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopehsmhhtphgtlhhivghnthdrrghpphhlvgdpihhnvghtpeejfedriedtrddvvdefrddutddupdhmrghilhhfrhhomhepphgruhhlkhhonhhinhhgsegtohhmtggrshhtrdhnvghtpdhnsggprhgtphhtthhopeehpdhrtghpthhtohepshhiugguhhgvshhhsehgohhtphhlthdrohhrghdprhgtphhtthhopehrihgthhgrrhgurdgvrghrnhhshhgrfiesfhhoshhsrdgrrhhmrdgtohhmpdhrtghpthhtohepnhhitghktgesrhgvughhrghtrdgtohhmpdhrtghpthhtohepsghinhhuthhilhhssehsohhurhgtvgifrghrvgdrohhrghdprhgtphhtthhopehguggssehsohhurhgtvgifrghrvgdrohhrgh X-Xfinity-VMeta: sc=-100.00;st=legit Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.3\)) Subject: Re: RFC: Adding a SECURITY.md document to the Binutils In-Reply-To: Date: Thu, 13 Apr 2023 11:08:27 -0400 Cc: Richard Earnshaw , Nick Clifton , Binutils , "gdb@sourceware.org" Content-Transfer-Encoding: quoted-printable Message-Id: References: <1c38b926-e003-0e21-e7f1-3d5dbec2aabf@redhat.com> <5b147005-bd28-4cf9-b9e7-479ef02cb1ad@foss.arm.com> <5d044987-39eb-a060-1b2b-9d07b1515e7d@gotplt.org> <73bc480a-a927-2773-8756-50350f76dfbf@gotplt.org> <4ed86e65-0b7f-11d4-8061-2c5d0b1e147e@foss.arm.com> <7b6b10f8-e480-8efa-fbb8-4fc4bf2cf356@gotplt.org> <0224757b-6b17-f82d-c0bf-c36042489f5e@foss.arm.com> <01e846c0-c6bf-defe-0563-1ed6309b7038@gotplt.org> <2d4c7f13-8a35-3ce5-1f90-ce849a690e66@foss.arm.com> <01b8e177-abfd-549e-768f-1995cab5c81d@gotplt.org> To: Siddhesh Poyarekar X-Mailer: Apple Mail (2.3696.120.41.1.3) X-BeenThere: gdb@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gdb mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Paul Koning via Gdb Reply-To: Paul Koning Errors-To: gdb-bounces+public-inbox=simark.ca@sourceware.org Sender: "Gdb" > On Apr 13, 2023, at 11:02 AM, Siddhesh Poyarekar = wrote: >=20 > On 2023-04-13 10:50, Richard Earnshaw wrote: >> No, whilst elf can be executed, objdump should never be doing that: = it's a tool for examining a file, not running it. You have to have a = tool that can safely examine the contents of an elf file or you can = never verify it for issues - opening it up in emacs to examine the = contents is not the way to do that :) >=20 > You can verify it for issues, in a sandbox. >=20 >> But all that is beside the point. The original case I gave was a = /corrupt/ elf file that caused a buffer overrun in the objdump binary. >=20 > ... and that's a robustness issue. Any buffer overrun in any program = could in theory be exploited to send out files. No. Buffer overruns are generally recognized as security issues, = precisely because they (often) can be used to produce arbitrary code = execution exploits. A buiffer overrun would be merely a robustness issue if it is guaranteed = to cause nothing worse than a program abort. paul