
Re: gEDA-bug: [Bug 700194] gsch2pcb `gnetlist-arg' in project file can lead to arbitrary code execution.



 affects geda
 status fixcommitted
 done

Fix committed to 'stable-1.6' branch for inclusion in geda-gaf 1.6.2:

commit 16b3d32fcf8458389a491aed9437be835131b4b9
Author: Peter TB Brett <peter@xxxxxxxxxxxxx>
Date:   Sat Jan 8 10:55:12 2011 +0000

    gsch2pcb: Don't allow `gnetlist-arg' in project file.
    
    Closes-bug: lp-700194

Fix committed to 'master' branch for inclusion in geda-gaf 1.7.0:

commit 8ea29eed4fdc4b756e0437bb086b27d61b1eb7a0
Author: Peter TB Brett <peter@xxxxxxxxxxxxx>
Date:   Sat Jan 8 11:48:28 2011 +0000

    gsch2pcb: Don't allow `gnetlist-arg' in project file.
    
    Closes-bug: lp-700194

Updated patch against 1.6.1 attached.


** Patch added: "0001-gsch2pcb-Don-t-allow-gnetlist-arg-in-project-file.patch"
   https://bugs.launchpad.net/bugs/700194/+attachment/1787922/+files/0001-gsch2pcb-Don-t-allow-gnetlist-arg-in-project-file.patch

** Changed in: geda
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of gEDA Bug
Team, which is a direct subscriber.
https://bugs.launchpad.net/bugs/700194

Title:
  gsch2pcb `gnetlist-arg' in project file can lead to arbitrary code execution.

Status in GPL Electronic Design Automation tools:
  Fix Committed
Status in "geda-gaf" package in Ubuntu:
  New

Bug description:
   affects geda
 tag gsch2pcb
 security yes
 done

The `--gnetlist-arg' option to gsch2pcb is used to pass arbitrary
arguments to gnetlist.  This option can also be provided in a project
file.

This option can allow arbitrary code execution via a maliciously crafted
project file and/or schematics, by several possible vectors.

The most blatant is direct Scheme code execution:

  gnetlist-arg "-c (display 'EVIL) (newline)"

Of middling deviousness is execution of Scheme programs disguised as
schematics:

  gnetlist-arg -minnocuous.sch
  gnetlist-arg -lharmless.sch

Most subtle is manipulation of the Scheme load path via the -L option:

  gnetlist-arg -L.

If a file called `gnetlist' is placed in the same directory as
`evil.project' (easily confused with `gnetlistrc' by the hapless user),
it will be loaded in preference to `gnetlist.scm' installed with gEDA
and always loaded during gnetlist initialisation.

These attacks can all be easily reproduced.

Because gsch2pcb project files are usually considered in the minds of
users to be datafiles, this option (which would be fine if present in a
Makefile or some other file normally considered as an executed file) is
a security risk.

Recommended fix: `--gnetlist-arg' option should be disallowed in
gsch2pcb project files.  The only "legitimate" gnetlist command-line
option it enables is `-O' (for passing backend options), and none of the
backends used by gsch2pcb currently take any options.
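One way to implement the recommended fix, written here as an added example in C and not gsch2pcb's own code: the project-file reader keeps an allowlist of option keys and refuses to process a file that carries anything else, so `gnetlist-arg' is rejected before gnetlist is ever invoked. The key names in the allowlist (`schematics', `output-name', `elements-dir') and the two sample project files are assumptions constructed for the example; the hostile sample reuses the `-L.' line quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Keys a project file may set. This allowlist is an assumption for the
 * example (real gsch2pcb accepts other keys too); what matters is that
 * `gnetlist-arg' is deliberately absent, so it can only come from the
 * command line, never from a data file. */
static const char *const allowed_keys[] = {
    "schematics", "output-name", "elements-dir", NULL
};

/* Constructed sample inputs. */
static const char *const sample_safe_project =
    "# constructed project file\n"
    "schematics board.sch\n"
    "output-name board\n"
    "elements-dir ./footprints\n";

static const char *const sample_hostile_project =
    "schematics board.sch\n"
    "gnetlist-arg -L.\n";

/* Return 1 if the line is blank, a comment, or begins with an allowed key;
 * 0 if the key is unknown or forbidden. Unknown keys are rejected rather
 * than ignored so a misspelling cannot smuggle an option past the check. */
int project_line_allowed(const char *line)
{
    char key[64];
    size_t n = 0;

    while (*line == ' ' || *line == '\t')
        line++;
    if (*line == '\0' || *line == '#' || *line == '\n')
        return 1;

    while (*line && *line != ' ' && *line != '\t' && *line != '\n'
           && n < sizeof key - 1)
        key[n++] = *line++;
    key[n] = '\0';

    for (const char *const *k = allowed_keys; *k; k++)
        if (strcmp(*k, key) == 0)
            return 1;
    return 0;
}

/* Parse a whole project file held in memory. Returns the number of option
 * lines accepted, or -1 with a message in err if any line is rejected, so a
 * hostile project file aborts processing instead of being partially honoured. */
int parse_project_text(const char *text, char *err, size_t errlen)
{
    char line[256];
    int accepted = 0, lineno = 0;
    const char *p = text;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        lineno++;

        if (!project_line_allowed(line)) {
            snprintf(err, errlen,
                     "line %d: option not permitted in project file: %s",
                     lineno, line);
            return -1;
        }

        const char *q = line;
        while (*q == ' ' || *q == '\t')
            q++;
        if (*q && *q != '#')
            accepted++;

        if (!nl)
            break;
        p = nl + 1;
    }
    return accepted;
}

int main(void)
{
    char err[256];
    int n = parse_project_text(sample_safe_project, err, sizeof err);
    printf("safe project: %d options accepted\n", n);
    n = parse_project_text(sample_hostile_project, err, sizeof err);
    if (n < 0)
        printf("hostile project rejected: %s\n", err);
    return 0;
}
```

Rejecting unknown keys outright, instead of silently skipping them, is the design choice worth noting: it turns the data file back into a declarative input whose every accepted line is one the tool has explicitly vetted.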

_______________________________________________
geda-bug mailing list
geda-bug@xxxxxxxxxxxxxx
http://www.seul.org/cgi-bin/mailman/listinfo/geda-bug