gEDA-bug: [Bug 700333] [NEW] Local configuration should be parsed, not evaluated
*** This bug is a security vulnerability ***
Public security bug reported:
affects geda
security yes
private no
done
Currently, per-directory rc files are evaluated as Scheme scripts. This
is an arbitrary code execution security risk. For example, users (and
in particular *new* users) are likely to want to download and open
designs from elsewhere, and almost all designs include a 'gafrc' file to
set up per-project component libraries.
Instead of being evaluated, local configuration files should be parsed.
This way it would be much harder to craft malicious designs.
An example of a parsable configuration file format is the resource file
format used by PCB.
In addition, a tool should be developed for migrating existing designs'
rc files to the new configuration system.
** Affects: geda
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of gEDA Bug
Team, which is a direct subscriber.
https://bugs.launchpad.net/bugs/700333
Title:
Local configuration should be parsed, not evaluated
Status in GPL Electronic Design Automation tools:
New
_______________________________________________
geda-bug mailing list
geda-bug@xxxxxxxxxxxxxx
http://www.seul.org/cgi-bin/mailman/listinfo/geda-bug
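To make the "parse, don't evaluate" point concrete, here is an added example (not gEDA's own code, and not the PCB resource-file format the report mentions) of a loader that reads a gafrc-style file as data. Only a whitelist of directive forms whose arguments are string literals is accepted; any other form, including an extra `(system ...)` call or a computed argument, is refused before anything could run. The whitelist entries, the sample files and the error messages are assumptions of this example; the directive names follow common gafrc usage but the set is not taken from gEDA.

```python
"""Added example: load gafrc-style configuration by parsing, not evaluating.

A real gafrc is Scheme and is handed to the interpreter, so every form in it
runs.  This parser accepts only a whitelist of directive forms whose
arguments are string literals and rejects everything else with ConfigError.
The whitelist, sample files and messages are assumptions of this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Directive name -> number of string arguments it takes.  Names follow common
# gafrc usage; the whitelist itself is an assumption of this example.
ALLOWED: Dict[str, int] = {
    "component-library": 1,
    "component-library-search": 1,
    "source-library": 1,
}

# One token per match: '(' , ')', a string literal, a bare symbol, or a ';' comment.
_TOKEN = re.compile(r'\s*(?:(\()|(\))|"((?:[^"\\]|\\.)*)"|([^\s()";]+)|(;[^\n]*))')


class ConfigError(ValueError):
    """Raised for anything that is not a whitelisted, literal-only directive."""


def tokenize(text: str) -> List[Tuple[str, str]]:
    tokens: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            if text[pos:].strip() == "":
                break  # only trailing whitespace left
            raise ConfigError(f"unreadable input at offset {pos}: {text[pos]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("open", "("))
        elif m.group(2):
            tokens.append(("close", ")"))
        elif m.group(3) is not None:
            # Only the two escapes a path could need are honoured.
            tokens.append(("string", m.group(3).replace('\\"', '"').replace("\\\\", "\\")))
        elif m.group(4):
            tokens.append(("symbol", m.group(4)))
        # group(5) is a comment and is dropped
    return tokens


def parse_gafrc(text: str) -> List[Tuple[str, Tuple[str, ...]]]:
    """Return [(directive, args), ...] or raise ConfigError.  Nothing is evaluated."""
    tokens = tokenize(text)
    directives: List[Tuple[str, Tuple[str, ...]]] = []
    i = 0
    while i < len(tokens):
        kind, value = tokens[i]
        if kind != "open":
            raise ConfigError(f"expected '(' at top level, found {value!r}")
        i += 1
        if i >= len(tokens) or tokens[i][0] != "symbol":
            raise ConfigError("a directive must start with a bare name")
        name = tokens[i][1]
        i += 1
        if name not in ALLOWED:
            # (system ...), (define ...), (use-modules ...) and friends stop here.
            raise ConfigError(f"directive {name!r} is not permitted in a local rc file")
        args: List[str] = []
        while i < len(tokens) and tokens[i][0] == "string":
            args.append(tokens[i][1])
            i += 1
        if i >= len(tokens) or tokens[i][0] != "close":
            # A nested form such as (component-library (string-append ...)) lands here.
            found = tokens[i][1] if i < len(tokens) else "end of file"
            raise ConfigError(f"{name}: arguments must be string literals, found {found!r}")
        i += 1
        if len(args) != ALLOWED[name]:
            raise ConfigError(f"{name}: expected {ALLOWED[name]} argument(s), got {len(args)}")
        directives.append((name, tuple(args)))
    return directives


def rejection_reason(text: str) -> Optional[str]:
    """None if the file parses cleanly, otherwise the reason it was refused."""
    try:
        parse_gafrc(text)
    except ConfigError as exc:
        return str(exc)
    return None


# Constructed sample: the kind of gafrc a downloaded project would ship.
BENIGN_GAFRC = """
; project-local symbol and schematic libraries
(component-library "symbols")
(component-library-search "lib/vendor")
(source-library "sch")
"""

# Constructed sample: the same file plus one extra form.  Evaluated as Scheme it
# runs a shell command as soon as the design is opened; parsed, it is refused.
MALICIOUS_GAFRC = BENIGN_GAFRC + '(system "id > /tmp/pwned")\n'

# Constructed sample: an allowed directive, but with a computed argument.
COMPUTED_ARG_GAFRC = '(component-library (string-append (getenv "HOME") "/sym"))\n'

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_GAFRC), ("malicious", MALICIOUS_GAFRC),
                        ("computed", COMPUTED_ARG_GAFRC)):
        reason = rejection_reason(text)
        verdict = "accepted " + str(parse_gafrc(text)) if reason is None else "rejected: " + reason
        print(f"{label:9s}: {verdict}")
```

The benign file yields a plain list of (directive, path) pairs the application can act on itself; the other two never reach any interpreter. Treating arguments as opaque strings also leaves path handling (relative to the design directory, no symlink or `..` surprises) as an explicit decision of the loader rather than something the rc file can compute for itself.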
- Follow-Ups:
- gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated
- From: Krzysztof Kościuszkiewicz
- gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated
- From: Krzysztof Kościuszkiewicz
- gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated
- From: Krzysztof Kościuszkiewicz
- gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated
- gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated
- gEDA-bug: [Bug 700333] [NEW] Local configuration should be parsed, not evaluated
- gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated
- gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated
- gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated
- gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated
- gEDA-bug: [Bug 700333] Re: Local configuration should be parsed, not evaluated