gsch2pcb `gnetlist-arg' in project file can lead to arbitrary code execution.

> Most subtle is manipulation of the Scheme load path via the -L option:
>
> gnetlist-arg -L.
>
> If a file called `gnetlist' is placed in the same directory as
> `evil.project' (easily confused with `gnetlistrc' by the hapless user),
> it will be loaded in preference to `gnetlist.scm' installed with gEDA
> and always loaded during gnetlist initialisation.

This doesn't actually work exactly as described here, because gnetlist
tries to load a file called `gnetlist.scm' explicitly. A possible
attack is instead to use `-L' to replace a Scheme file loaded via
`(use-module)', e.g. part of the standard Scheme library.

I attach a proof-of-concept exploit for each attack detailed in this
bug. To reproduce, `cd' to the appropriate directory and run:

  gsch2pcb evil.project

Note that "Arbitrary code" is printed to gsch2pcb output.

The `--gnetlist-arg' parameter was introduced in:

  http://git.gpleda.org/?p=gaf.git;h=f1104b263b21

This bug affects the following gEDA releases:

  1.5.1-20081221
  1.5.2-20090328
  1.5.3-20090829
  1.5.4-20090830
  1.6.0-20091004
  1.6.1-20100214

Proposed patch for gEDA/gaf 1.6.x attached.

 affects ubuntu/geda-gaf
 assigned peter-b
 status inprogress
 importance high

Oops, sorry about my error with the Launchpad e-mail interface.

 affects geda
 status fixcommitted
 done

Fix committed to 'stable-1.6' branch for inclusion in geda-gaf 1.6.2:

commit 16b3d32fcf8458389a491aed9437be835131b4b9
Author: Peter TB Brett <email address hidden>
Date: Sat Jan 8 10:55:12 2011 +0000

    gsch2pcb: Don't allow `gnetlist-arg' in project file.

    Closes-bug: lp-700194

Fix committed to 'master' branch for inclusion in geda-gaf 1.7.0:

commit 8ea29eed4fdc4b756e0437bb086b27d61b1eb7a0
Author: Peter TB Brett <email address hidden>
Date: Sat Jan 8 11:48:28 2011 +0000

    gsch2pcb: Don't allow `gnetlist-arg' in project file.

    Closes-bug: lp-700194

Updated patch against 1.6.1 attached.

What is really scary about yuor example is that gschem is so silent when loading the malicious code.

See the gsch2pcb-700194/-l,-m/one.sch example.

NOTHING is printed in the schem log, and it treats the schematic as if it were a blank file. (Which it otherwise is).

On the console we have:

Read garbage in [/home/pcjc2/gsch2pcb-700194/-l,-m/one.sch] :
>>
(display "Arbitrary code (1)\n")
<<

This would not be seen if running via xgsch2pcb, or loading the schematic from a copy of gschem started from a GUI environment.

This bug was fixed in the package geda-gaf - 1:1.6.2-1

---------------
geda-gaf (1:1.6.2-1) experimental; urgency=low

  * New upstream release.
  * Upload to experimental to avoid poisoning freeze exception for 1.6.1-5
  * debian/watch: Updated watch file.
  * Removed sch2eaglepos_bashism.diff and fix_string_exceptions.diff patches,
    as they got applied upstream.
  * debian/libgeda38.symbols: Added new symbols
  * debian/control:
    + Bumped Standards-Version to 3.9.1
    + Use Breaks instead of Conflicts for geda-symbols (<< 1:1.2.0) and
      geda (<= 19990516-1)
  * debian/copyright: Updated copyright years

geda-gaf (1:1.6.1-5) unstable; urgency=low

  * Added disable_gnetlist-arg.diff patch, to fix arbitrary code execution.
    (LP: #700194)
 -- ALEFHAHMEEMDAL ALEFLAMMEEMHAHMEEMWAWDALYEH (Ahmed El-Mahmoudy) <email address hidden> Wed, 26 Jan 2011 07:51:03 +0200