[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gdb-patches
Subject:    [RFA] Add $pdir as entry for libthread-db-search-path.
From:       jan.kratochvil () redhat ! com (Jan Kratochvil)
Date:       2011-04-29 17:08:00
Message-ID: 20110429170824.GA6107 () host1 ! jankratochvil ! net
[Download RAW message or body]

On Fri, 29 Apr 2011 18:49:09 +0200, Doug Evans wrote:
> On Fri, Apr 29, 2011 at 5:36 AM, Jan Kratochvil <jan.kratochvil@redhat.com> wrote:
> > This is insecure default. ??It is something like the FSF GDB insecure .gdbinit
> > behavior which many distros (at least Fedora but even others) have to patch.
> 
> Does Fedora turn off the autoloading of python?

No.

> How do your pretty printers Just Work?
> [Or maybe you only autoload if the directory is in $prefix/lib/debug
> or some such?]

You are right it is a security hole, I have not tracked to Python autoloading
much.  It should get CVE and security errata assigned as it is the same
category of a security breach as was:
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4146


> Plus I wonder how easy it would be to build a program that used an
> accompanying libpthread that didn't match the system libthread_db -
> gdb would then pick the accompanying libthread_db.  Or does Fedora not
> ever look in the directory of libpthread for its libthread_db?

This may be also a security exploit I did not catch.


Thanks,
Jan


[prev in list] [next in list] [prev in thread] [next in thread]