Date: Fri, 29 Apr 2022 13:53:41 +0300
From: "dmn (graahnul DOT grom AT gmail DOT com) [via geda-user AT delorie DOT com]" <geda-user AT delorie DOT com>
To: geda-user AT delorie DOT com
Subject: Re: [geda-user] Re: gschem/lepton: gafrc security issue
Message-ID: <20220429135341.4559b215@yo>
In-Reply-To: <fbaecf7b-1c84-fe7-5f30-35722fb35f13@grinsen-ohne-katze.de>
References: <alpine DOT DEB DOT 2 DOT 20 DOT 2204280758280 DOT 25839 AT igor2priv>
 <fbaecf7b-1c84-fe7-5f30-35722fb35f13 AT grinsen-ohne-katze DOT de>
X-Mailer: Claws Mail 3.18.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.0)
On Thu, 28 Apr 2022 12:39:49 +0200 (CEST) Roland Lutz <rlutz AT hedmen DOT org> wrote:

> Hi Igor2,
>
> On Thu, 28 Apr 2022, rnd2 AT igor2 DOT repo DOT hu wrote:
> > I've figured there's a security flaw in the design of gafrc. Both
> > geda/gaf (including gschem and gnetlist) and lepton-eda (including
> > lepton-schematics and lepton-netlist) are affected.
> >
> > (Now that I think about it, it looks so obvious. I don't know why I
> > can't find any reference on this on the web. Maybe it's a long
> > known problem, maybe nobody thought of it before.)
> >
> > [...]
> >
> > If you download a gschem/lepton project someone else made, _before_
> > you open it with gschem or lepton-eda or run the netlister on it,
> > always read through the gafrc file. Read every single line and see
> > if it does anything suspicious.
>
> thank you for raising awareness about this issue. (I took the
> liberty of cross-posting to geda-user to reach the relevant audience.)
>
> This is a known issue that has been a thorn in my side for a long
> time, but unfortunately, there's only so much I can do about it.
>
> The underlying problem is that gEDA/gaf executes configuration files.
> Configuration should be data; but by making gafrc, gschemrc, and
> gnetlistrc executable scripts, some corners could be cut regarding
> common cases like home directory expansion or project-aware settings.
>
> Changing this would not only require introducing a non-executable
> configuration format, it would also require offering special-case
> solutions for these situations.
>
> Roland

It is a well-known and well-understood problem [1]. That's why Lepton EDA is migrating its settings to the new configuration system [2]. It uses a declarative-style configuration stored in ini-like files. More than 100 configuration parameters have already been migrated (supporting backward compatibility).

Currently, gafrc and gschemrc files are still used to define the following remaining settings [3]:

- gafrc:
  - component and source libraries
  - print color scheme
- gschemrc:
  - keyboard shortcuts
  - color scheme

All of the gnetlistrc options are defined in the new configuration system; there's no need to use this file anymore (again, backward compatibility is supported).

[1] https://blueprints.launchpad.net/geda/+spec/config-sys-transition
[2] https://lepton-eda.github.io/lepton-manual.html/Configuration.html
[3] https://lepton-eda.github.io/lepton-manual.html/Legacy-configuration.html

Regards,
Dmitry.
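The manual review Igor2 recommends in the quoted message (read every line of a downloaded gafrc before gschem, lepton-schematic or the netlister executes it) can be partly mechanised, because the file is Guile Scheme and can be read as data without evaluating it. The script below is an added example for this archive page; it is not code from the thread, from gEDA/gaf or from Lepton EDA. It parses the gafrc into s-expressions, accepts top-level forms whose head is in a small allowlist of library and print-colour settings (an assumed list, derived from what Dmitry's message says still lives in gafrc), and reports any form, at any nesting depth, that calls a Guile procedure which runs a program, evaluates code, or touches files or the environment. The sample gafrc embedded at the bottom is constructed for the demonstration.

```python
"""Pre-open audit of a project's gafrc (gEDA/gaf or Lepton EDA).

gafrc is a Guile Scheme script, so whatever it contains runs with the user's
privileges as soon as the project is opened or netlisted. This audit reads the
file as data instead and lists the forms a reviewer should look at first.
"""
import re
import sys

# Forms a project gafrc is expected to contain. This allowlist is an assumption
# made for the example, based on the settings the thread says still live in
# gafrc (library paths, print colour scheme); adjust it for your installation.
EXPECTED_HEADS = {
    "component-library", "component-library-search",
    "source-library", "source-library-search",
    "print-color-map",
}

# Guile procedures that run programs, evaluate code, or touch files or the
# environment. A call to any of these, at any depth, is reported as "high".
REVIEW_HEADS = {
    "system", "system*", "load", "primitive-load", "eval", "primitive-eval",
    "open-input-pipe", "open-output-pipe", "open-output-file", "delete-file",
    "getenv", "setenv",
}

# Minimal Scheme tokenizer: whitespace, ';' comments, strings, parens, quote, atoms.
TOKEN = re.compile(r'''
    \s+                      # whitespace
  | ;[^\n]*                  # line comment
  | "(?:\\.|[^"\\])*"        # string literal (with backslash escapes)
  | [()]                     # parentheses
  | '                        # quote shorthand
  | [^\s()";']+              # symbol or number
''', re.VERBOSE)


def read_forms(text):
    """Parse text into a list of top-level forms.

    Lists become Python lists, string literals become ("str", value), and
    symbols/numbers stay as plain strings. Raises ValueError on unbalanced
    parentheses or input the tokenizer cannot read (e.g. an unterminated string).
    """
    stack = [[]]
    pos = 0
    for m in TOKEN.finditer(text):
        if m.start() != pos:
            raise ValueError(f"unreadable input at offset {pos}")
        pos = m.end()
        tok = m.group(0)
        if tok.isspace() or tok.startswith(";") or tok == "'":
            continue
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        elif tok.startswith('"'):
            stack[-1].append(("str", tok[1:-1]))
        else:
            stack[-1].append(tok)
    if pos != len(text):
        raise ValueError(f"unreadable input at offset {pos}")
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def render(form):
    """Turn a parsed form back into readable Scheme text for the report."""
    if isinstance(form, tuple):
        return '"%s"' % form[1]
    if isinstance(form, list):
        return "(" + " ".join(render(x) for x in form) + ")"
    return form


def walk(form):
    """Yield every list form nested anywhere inside form, outermost first."""
    if isinstance(form, list):
        yield form
        for item in form:
            yield from walk(item)


def audit_gafrc(text):
    """Return a list of (severity, message) findings for the gafrc contents."""
    findings = []
    for n, form in enumerate(read_forms(text), 1):
        head = form[0] if isinstance(form, list) and form and isinstance(form[0], str) else None
        if head not in EXPECTED_HEADS and head not in REVIEW_HEADS:
            findings.append(("review", f"form {n}: top-level '{head or '<non-symbol>'}' is not a known setting"))
        for sub in walk(form):
            h = sub[0] if sub and isinstance(sub[0], str) else None
            if h in REVIEW_HEADS:
                findings.append(("high", f"form {n}: calls '{h}' in {render(sub)}"))
    return findings


# Constructed sample: three benign library forms, then two forms a reviewer
# would want to see flagged before opening the project.
SAMPLE_GAFRC = r'''
; project libraries (benign)
(component-library "./symbols")
(source-library "./sub")
(component-library-search "./vendor" "vendor")
(define cache (build-path (getenv "HOME") ".cache"))   ; reads the environment
(system "echo hello")                                  ; runs a program
'''

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GAFRC
    for severity, message in audit_gafrc(text):
        print(f"[{severity}] {message}")
```

Run it as `python3 audit_gafrc.py path/to/project/gafrc`; with no argument it audits the constructed sample and reports one "review" finding (the `define`) and two "high" findings (`getenv` and `system`). Both lists are deliberately conservative starting points: if your own projects legitimately contain a form that gets flagged, add that exact head to EXPECTED_HEADS rather than removing procedures from REVIEW_HEADS, so that unexpected uses still surface.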
Copyright © 2019 by DJ Delorie | Updated Jul 2019 |