Date: Thu, 28 Apr 2022 12:39:49 +0200 (CEST)
From: Roland Lutz
To: pcb-rnd AT list DOT repo DOT hu, geda-user AT delorie DOT com
Subject: [geda-user] Re: gschem/lepton: gafrc security issue

Hi Igor2,

On Thu, 28 Apr 2022, rnd2 AT igor2 DOT repo DOT hu wrote:
> I've figured there's a security flaw in the design of gafrc. Both
> geda/gaf (including gschem and gnetlist) and lepton-eda (including
> lepton-schematics and lepton-netlist) are affected.
>
> (Now that I think about it, it looks so obvious. I don't know why I
> can't find any reference on this on the web. Maybe it's a long known
> problem, maybe nobody thought of it before.)
>
> [...]
>
> If you download a gschem/lepton project someone else made, _before_ you
> open it with gschem or lepton-eda or run the netlister on it, always
> read through the gafrc file. Read every single line and see if it does
> anything suspicious.

thank you for raising awareness about this issue. (I took the liberty of
cross-posting to geda-user to reach the relevant audience.)

This is a known issue that has been a thorn in my side for a long time,
but unfortunately, there's only so much I can do about it.

The underlying problem is that gEDA/gaf executes configuration files.
Configuration should be data; but by making gafrc, gschemrc, and
gnetlistrc executable scripts, some corners could be cut regarding common
cases like home directory expansion or project-aware settings.
Changing this would not only require introducing a non-executable
configuration format, it would also require offering special-case
solutions for these situations.

Roland
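
The review step quoted above (read every rc file before opening someone else's project) can be supported by a small triage script. This is an added example, not code from gEDA/gaf, lepton-eda or either poster; the EXPECTED allowlist and the SAMPLE text are assumptions constructed for illustration, and the report only points the reader at lines to read, since any call in these files runs as code.

```python
import os
import re

# File names taken from the message above; each is executed as Scheme.
RC_NAMES = {"gafrc", "gschemrc", "gnetlistrc"}
# Assumption: calls a reviewer expects in a plain project rc file. Adjust.
EXPECTED = {"component-library", "source-library"}

# Constructed sample rc text, not taken from any real project.
SAMPLE = '''; (system "commented out")
(component-library "./symbols (old)")
(source-library "./src")
(system "echo hello")
'''

# Comments and strings are consumed first so parentheses inside them are
# ignored. Block comments (#| |#) are not handled; quoted lists such as
# '(a b) are over-reported, which is acceptable for a reading aid.
TOKEN = re.compile(r'''
    ;[^\n]*               # line comment
  | "(?:\\.|[^"\\])*"     # string literal
  | \(\s*([^\s()"';]+)    # symbol in call position
''', re.VERBOSE)

def call_heads(text):
    """Return (line_no, symbol) for every symbol in call position."""
    heads = []
    for m in TOKEN.finditer(text):
        if m.group(1):
            line_no = text.count("\n", 0, m.start(1)) + 1
            heads.append((line_no, m.group(1)))
    return heads

def audit(project_dir):
    """Map each rc file under project_dir to its calls outside EXPECTED."""
    report = {}
    for root, _dirs, files in os.walk(project_dir):
        for name in sorted(files):
            if name in RC_NAMES:
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    heads = call_heads(fh.read())
                report[path] = [(n, s) for n, s in heads if s not in EXPECTED]
    return report

if __name__ == "__main__":
    import sys
    for path, odd in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: executed as code when the project is opened")
        for line_no, sym in odd:
            print(f"  line {line_no}: ({sym} ...) is not an expected call")
```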