This is the mail archive of the
gdb-patches@sourceware.org
mailing list for the GDB project.
Re: [RFA] Add $pdir as entry for libthread-db-search-path.
- From: Jan Kratochvil <jan dot kratochvil at redhat dot com>
- To: Doug Evans <dje at google dot com>
- Cc: gdb-patches at sourceware dot org, Tom Tromey <tromey at redhat dot com>
- Date: Mon, 2 May 2011 21:14:55 +0200
- Subject: Re: [RFA] Add $pdir as entry for libthread-db-search-path.
- References: <20110429035837.9A1EA24619F@ruffy.mtv.corp.google.com> <20110429123634.GA23843@host1.jankratochvil.net> <BANLkTinAR8yLHhR7KF8ROLTVQskA6fLQdg@mail.gmail.com> <20110429170824.GA6107@host1.jankratochvil.net> <BANLkTinagVcXZqvOg80eoFMnyaw9T0OYUw@mail.gmail.com> <BANLkTin84GeKykSDmc=heySNtCypMqWgdA@mail.gmail.com>
On Sun, 01 May 2011 20:34:02 +0200, Doug Evans wrote:
> 1) This is a patch for the FSF tree, not Fedora.
> If this kind of security concern is the rule for the FSF tree
As both libthread_db and pretty printers have the same attack surface (*) as
DWARF expression overflow
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4146
where this CVE lists all public GNU/Linux vendors I do not think such security
requirement is Fedora specific.
(*) That is a foreign binary which is enough to just load into GDB.
OTOH the other attack
.gdbinit current directory execution
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1705
also lists multiple GNU/Linux vendors and the issue is not yet fixed in FSF
GDB. But this is IMO just still work in prograss / unfinished, not rejected:
[RFA] .gdbinit security (revived) [incl doc]
http://sourceware.org/ml/gdb-patches/2010-11/msg00276.html
Thanks,
Jan