[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
gEDA-bug: [Bug 700194] [NEW] gsch2pcb `gnetlist-arg' in project file can lead to arbitrary code execution.
*** This bug is a security vulnerability ***
Private security bug reported:
affects geda
tag gsch2pcb
security yes
done
The `--gnetlist-arg' option to gsch2pcb is used to pass arbitrary
arguments to gnetlist. This option can also be provided in a project
file.
This option can allow arbitrary code execution via a maliciously crafted
project file and/or schematics, by several possible vectors.
The most blatant is direct Scheme code execution:
gnetlist-arg "-c (display 'EVIL) (newline)"
Of middling deviousness is execution of Scheme programs disguised as
schematics:
gnetlist-arg -minnocuous.sch
gnetlist-arg -lharmless.sch
Most subtle is manipulation of the Scheme load path via the -L option:
gnetlist-arg -L.
If a file called `gnetlist' is placed in the same directory as
`evil.project' (easily confused with `gnetlistrc' by the hapless user),
it will be loaded in preference to `gnetlist.scm' installed with gEDA
and always loaded during gnetlist initialisation.
These attacks can all be easily reproduced.
Because gsch2pcb project files are usually considered in the minds of
users to be datafiles, this option (which would be fine if present in a
Makefile or some other file normally considered as an executed file) is
a security risk.
Recommended fix: `--gnetlist-arg' option should be disallowed in
gsch2pcb project files. The only "legitimate" gnetlist command-line
option it enables is `-O' (for passing backend options), and none of the
backends used by gsch2pcb currently take any options.
** Affects: geda
Importance: Undecided
Status: New
** Tags: gsch2pcb
--
You received this bug notification because you are a member of gEDA Bug
Team, which is a direct subscriber.
https://bugs.launchpad.net/bugs/700194
Title:
gsch2pcb `gnetlist-arg' in project file can lead to arbitrary code execution.
Status in GPL Electronic Design Automation tools:
New
Bug description:
affects geda
tag gsch2pcb
security yes
done
The `--gnetlist-arg' option to gsch2pcb is used to pass arbitrary
arguments to gnetlist. This option can also be provided in a project
file.
This option can allow arbitrary code execution via a maliciously crafted
project file and/or schematics, by several possible vectors.
The most blatant is direct Scheme code execution:
gnetlist-arg "-c (display 'EVIL) (newline)"
Of middling deviousness is execution of Scheme programs disguised as
schematics:
gnetlist-arg -minnocuous.sch
gnetlist-arg -lharmless.sch
Most subtle is manipulation of the Scheme load path via the -L option:
gnetlist-arg -L.
If a file called `gnetlist' is placed in the same directory as
`evil.project' (easily confused with `gnetlistrc' by the hapless user),
it will be loaded in preference to `gnetlist.scm' installed with gEDA
and always loaded during gnetlist initialisation.
These attacks can all be easily reproduced.
Because gsch2pcb project files are usually considered in the minds of
users to be datafiles, this option (which would be fine if present in a
Makefile or some other file normally considered as an executed file) is
a security risk.
Recommended fix: `--gnetlist-arg' option should be disallowed in
gsch2pcb project files. The only "legitimate" gnetlist command-line
option it enables is `-O' (for passing backend options), and none of the
backends used by gsch2pcb currently take any options.
_______________________________________________
geda-bug mailing list
geda-bug@xxxxxxxxxxxxxx
http://www.seul.org/cgi-bin/mailman/listinfo/geda-bug