From: Alan Modra via Gdb <gdb@sourceware.org>
To: Siddhesh Poyarekar <siddhesh@gotplt.org>
Cc: Richard Earnshaw <Richard.Earnshaw@foss.arm.com>,
Nick Clifton <nickc@redhat.com>,
Binutils <binutils@sourceware.org>,
"gdb@sourceware.org" <gdb@sourceware.org>
Subject: Re: RFC: Adding a SECURITY.md document to the Binutils
Date: Thu, 13 Apr 2023 13:21:14 +0930 [thread overview]
Message-ID: <ZDd8Mgio0SQvg7K5@squeak.grove.modra.org> (raw)
In-Reply-To: <73bc480a-a927-2773-8756-50350f76dfbf@gotplt.org>
On Wed, Apr 12, 2023 at 01:10:01PM -0400, Siddhesh Poyarekar wrote:
> OK, then how about this for the first paragraph:
>
> ~~~
> A security bug is one that threatens the security of a system or network.
> In the context of GNU Binutils, there are two ways in which a bug could have
> security consequences. The primary method is when the tools introduce a
> vulnerability in the output file that was not present in the input files
> being processed. The other, albeit unlikely way is when a bug in the tools
> results in a privilege boundary is crossed in either the tools themselves or
> in the code they generate.
> ~~~
I don't see that talking about privilege boundaries is particularly
relevant. Consider this:
It is trivially easy to craft an object file that when examined with
objdump will read your ssh private keys. That's not a bug, it's a
feature of thin archives.
Now all you need is some means of delivering those private keys, and
I'm sure there are plenty of buffer overflows in libbfd waiting to be
exploited, especially with --enable-targets=all.
--
Alan Modra
Australia Development Lab, IBM
next prev parent reply other threads:[~2023-04-13 3:51 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-07 8:42 Nick Clifton via Gdb
2023-04-07 10:36 ` Eli Zaretskii via Gdb
2023-04-11 13:29 ` Nick Clifton via Gdb
2023-04-11 14:23 ` Simon Marchi via Gdb
2023-04-11 15:00 ` Eli Zaretskii via Gdb
2023-04-11 16:22 ` Nick Clifton via Gdb
2023-04-11 16:32 ` Matt Rice via Gdb
2023-04-11 18:18 ` J.W. Jagersma via Gdb
2023-04-12 8:43 ` Nick Clifton via Gdb
2023-04-08 6:30 ` Jan Beulich via Gdb
2023-04-10 18:30 ` John Baldwin
2023-04-20 15:56 ` Nick Clifton via Gdb
2023-04-11 19:45 ` Ian Lance Taylor via Gdb
2023-04-12 16:02 ` Richard Earnshaw via Gdb
2023-04-12 16:26 ` Siddhesh Poyarekar
2023-04-12 16:52 ` Richard Earnshaw via Gdb
2023-04-12 16:58 ` Paul Koning via Gdb
2023-04-12 17:10 ` Siddhesh Poyarekar
2023-04-13 3:51 ` Alan Modra via Gdb [this message]
2023-04-13 4:25 ` Siddhesh Poyarekar
2023-04-13 5:16 ` Alan Modra via Gdb
2023-04-13 12:00 ` Siddhesh Poyarekar
2023-04-13 10:25 ` Richard Earnshaw via Gdb
2023-04-13 11:53 ` Siddhesh Poyarekar
2023-04-13 12:37 ` Richard Earnshaw via Gdb
2023-04-13 12:54 ` Siddhesh Poyarekar
2023-04-13 13:11 ` Richard Earnshaw via Gdb
2023-04-13 13:35 ` Siddhesh Poyarekar
2023-04-13 13:40 ` Richard Earnshaw via Gdb
2023-04-13 13:56 ` Siddhesh Poyarekar
2023-04-13 14:50 ` Richard Earnshaw via Gdb
2023-04-13 15:02 ` Siddhesh Poyarekar
2023-04-13 15:05 ` Richard Earnshaw via Gdb
2023-04-13 16:42 ` Siddhesh Poyarekar
2023-04-14 9:52 ` Richard Earnshaw via Gdb
2023-04-14 12:43 ` Siddhesh Poyarekar
2023-04-14 12:49 ` Richard Earnshaw via Gdb
2023-04-14 13:13 ` Siddhesh Poyarekar
2023-04-13 15:08 ` Paul Koning via Gdb
2023-04-13 16:02 ` Siddhesh Poyarekar
2023-04-13 16:49 ` Paul Koning via Gdb
2023-04-13 17:00 ` Siddhesh Poyarekar
2023-04-13 17:05 ` Paul Koning via Gdb
2023-04-13 17:29 ` Siddhesh Poyarekar
2023-04-13 17:37 ` Paul Koning via Gdb
2023-04-13 18:16 ` Siddhesh Poyarekar
2023-04-14 17:37 ` Ian Lance Taylor via Gdb
2023-04-14 18:27 ` Siddhesh Poyarekar
2023-04-14 20:46 ` Ian Lance Taylor via Gdb
2023-04-14 21:24 ` Siddhesh Poyarekar
2023-04-17 15:31 ` Michael Matz via Gdb
2023-04-17 19:55 ` Ian Lance Taylor via Gdb
2023-04-14 19:45 ` DJ Delorie via Gdb
2023-04-14 20:49 ` Ian Lance Taylor via Gdb
2023-04-15 6:41 ` Xi Ruoyao via Gdb
2023-04-13 16:06 ` Richard Earnshaw via Gdb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZDd8Mgio0SQvg7K5@squeak.grove.modra.org \
--to=gdb@sourceware.org \
--cc=Richard.Earnshaw@foss.arm.com \
--cc=amodra@gmail.com \
--cc=binutils@sourceware.org \
--cc=nickc@redhat.com \
--cc=siddhesh@gotplt.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox