Comment 1 for bug 700194

Peter TB Brett (peter-b) wrote : Re: [Bug 700194] gsch2pcb `gnetlist-arg' in project file can lead to arbitrary code execution.

> Most subtle is manipulation of the Scheme load path via the -L option:
>
> gnetlist-arg -L.
>
> If a file called `gnetlist' is placed in the same directory as
> `evil.project' (easily confused with `gnetlistrc' by the hapless user),
> it will be loaded in preference to `gnetlist.scm' installed with gEDA
> and always loaded during gnetlist initialisation.

This doesn't actually work exactly as described here, because gnetlist
tries to load a file called `gnetlist.scm' explicitly. A possible
attack is instead to use `-L' to replace a Scheme file loaded via
`(use-module)', e.g. part of the standard Scheme library.

I attach a proof-of-concept exploit for each attack detailed in this
bug. To reproduce, `cd' to the appropriate directory and run:

  gsch2pcb evil.project

Note that "Arbitrary code" is printed to gsch2pcb output.
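One defensive check that follows from the attack described above, as an added example written for this page (not code from the bug report or from gEDA): scan a gsch2pcb project file before running it and report every `gnetlist-arg' that alters gnetlist's Scheme load path. It assumes the line-based keyword-then-arguments project format shown in the report, and handles both the joined `-L.' and the separated `-L dir' spellings.

```python
"""Flag gsch2pcb project files whose `gnetlist-arg' lines add directories
to gnetlist's Scheme load path (the -L option discussed in bug 700194).

Assumption (not confirmed by the bug page): each project-file line is a
keyword followed by its arguments, and `#' starts a comment.
"""
import shlex
from typing import List, Tuple


def parse_project(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, keyword, args) for each non-blank, non-comment line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:          # unbalanced quotes: fall back to whitespace split
            tokens = line.split()
        entries.append((no, tokens[0], tokens[1:]))
    return entries


def load_path_dirs(args: List[str]) -> List[str]:
    """Directories a gnetlist argument list adds via -L, joined or separated."""
    dirs, i = [], 0
    while i < len(args):
        if args[i] == '-L' and i + 1 < len(args):
            dirs.append(args[i + 1])
            i += 2
            continue
        if args[i].startswith('-L') and len(args[i]) > 2:
            dirs.append(args[i][2:])
        i += 1
    return dirs


def find_load_path_changes(text: str) -> List[Tuple[int, str]]:
    """(line_no, directory) for every gnetlist-arg line that alters the load path."""
    return [(no, d) for no, key, args in parse_project(text)
            if key == 'gnetlist-arg' for d in load_path_dirs(args)]


# Constructed sample project file; the -L lines are the ones to report.
SAMPLE = """\
# constructed sample project file
schematics board.sch
output-name board
gnetlist-arg -L.
gnetlist-arg -L /tmp/untrusted
"""

if __name__ == '__main__':
    for no, d in find_load_path_changes(SAMPLE):
        print(f"line {no}: gnetlist-arg prepends {d!r} to the Scheme load path")
```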