RFC: Adding a SECURITY.md document to the Binutils

Siddhesh Poyarekar siddhesh@gotplt.org
Thu Apr 13 15:02:05 GMT 2023


On 2023-04-13 10:50, Richard Earnshaw wrote:
> No, whilst elf can be executed, objdump should never be doing that: it's 
> a tool for examining a file, not running it.  You have to have a tool 
> that can safely examine the contents of an elf file or you can never 
> verify it for issues - opening it up in emacs to examine the contents is 
> not the way to do that :)

You can verify it for issues, in a sandbox.

> But all that is beside the point.  The original case I gave was a 
> /corrupt/ elf file that caused a buffer overrun in the objdump binary.

... and that's a robustness issue.  Any buffer overrun in any program 
could in theory be exploited to send out files.

Sid


More information about the Gdb mailing list