Mail Archives: geda-user/2022/04/28/06:41:44
Hi Igor2,

On Thu, 28 Apr 2022, rnd2 AT igor2 DOT repo DOT hu wrote:
> I've figured there's a security flaw in the design of gafrc. Both
> geda/gaf (including gschem and gnetlist) and lepton-eda (including
> lepton-schematics and lepton-netlist) are affected.
>
> (Now that I think about it, it looks so obvious. I don't know why I
> can't find any reference on this on the web. Maybe it's a long known
> problem, maybe nobody thought of it before.)
>
> [...]
>
> If you download a gschem/lepton project someone else made, _before_ you
> open it with gschem or lepton-eda or run the netlister on it, always
> read through the gafrc file. Read every single line and see if it does
> anything suspicious.

thank you for raising awareness about this issue. (I took the liberty of
cross-posting to geda-user to reach the relevant audience.)

This is a known issue that has been a thorn in my side for a long time,
but unfortunately, there's only so much I can do about it.

The underlying problem is that gEDA/gaf executes configuration files.
Configuration should be data; but by making gafrc, gschemrc, and
gnetlistrc executable scripts, some corners could be cut regarding common
cases like home directory expansion or project-aware settings.

Changing this would not only require introducing a non-executable
configuration format, it would also require offering special-case
solutions for these situations.

Roland
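
Added example, not part of the original thread and not gEDA or lepton-eda code: a Python pre-open check for the "read every single line" advice quoted above, which lists every Scheme form in an rc file whose head symbol is outside a small allowlist of declarative calls. The allowlist contents, the function name `audit_rc` and the sample file are assumptions constructed for illustration.

```python
import re

# Assumption: a minimal allowlist of declarative rc calls; extend it for your setup.
ALLOWED = {"component-library", "component-library-search", "source-library",
           "source-library-search", "reset-component-library",
           "reset-source-library"}

TOKEN = re.compile(r'''
    ;[^\n]*              # line comment
  | "(?:\\.|[^"\\])*"    # string literal (may contain parens or semicolons)
  | [()]                 # list delimiters
  | [^\s()";]+           # symbol, number, quote mark
''', re.X)

def audit_rc(text):
    """Return (line, head) for each form, at any depth, whose head is not allowed."""
    findings = []
    expect_head = False          # True right after "(": next token is the head
    for m in TOKEN.finditer(text):
        tok = m.group()
        if tok.startswith(";"):
            continue             # commented-out code is never evaluated
        line = text.count("\n", 0, m.start()) + 1
        if tok == "(":
            if expect_head:      # head is itself computed, e.g. ((lambda ...))
                findings.append((line, "<computed>"))
            expect_head = True
        elif tok == ")":
            expect_head = False
        else:
            if expect_head and tok not in ALLOWED:
                findings.append((line, tok))
            expect_head = False
    return findings

# Constructed sample gafrc, not taken from a real project.
SAMPLE = '''; constructed sample gafrc
(component-library "./symbols")
(source-library "./subsheets") ; (load "ignored-in-comment.scm")
(component-library (string-append (getenv "HOME") "/sym"))
(load "helper.scm")
'''

if __name__ == "__main__":
    for line, head in audit_rc(SAMPLE):
        print(f"line {line}: review call to {head}")
```

An empty result only means no unlisted form was found; run it over every gafrc, gschemrc and gnetlistrc in the downloaded tree and still read what it flags. The home-directory expansion in the sample is reported too, which is the convenience case the message above says executable rc files were meant to serve.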