RFC: Adding a SECURITY.md document to the Binutils
Siddhesh Poyarekar
siddhesh@gotplt.org
Thu Apr 13 15:02:05 GMT 2023
On 2023-04-13 10:50, Richard Earnshaw wrote:
> No, whilst elf can be executed, objdump should never be doing that: it's
> a tool for examining a file, not running it. You have to have a tool
> that can safely examine the contents of an elf file or you can never
> verify it for issues - opening it up in emacs to examine the contents is
> not the way to do that :)
You can verify it for issues, in a sandbox.
> But all that is beside the point. The original case I gave was a
> /corrupt/ elf file that caused a buffer overrun in the objdump binary.
... and that's a robustness issue. Any buffer overrun in any program
could in theory be exploited to send out files.
Sid
More information about the Gdb
mailing list