X-Authentication-Warning: delorie.com: mail set sender to geda-user-bounces using -f
X-Recipient: geda-user AT delorie DOT com
X-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=date:from:to:subject:message-id:in-reply-to:references:mime-version
         :content-transfer-encoding;
        bh=3OCwD2P5WJLl3iLmHKpOiomLCdc3QKJxtNIYUeg9DS0=;
        b=bIy3oSdMGLX6ykCpYbkrCv7xKLK8CRegoXvvs8BhNSfIKXbavlz5LJ+243nnBGfbzn
         MVAuYDePfQFaWidySXSc/NOaovCXNNnA17N3dIBtoI+ovXaQ5PHwcOCXksTOj7RV7vBe
         Wcqa5Mla/Uq+6LAw0s8FTvlsqYTxB5fVCO2GyR+Vpwhy2FFAMKbEZwc1B5f8fmvHbWVy
         8cljcEq2LdnUk2kgDrkQU+NQsZYG0AX/HmbWB/K3y2nhl2zjRxajRbJ3hCs1COkY91NA
         jOfPMI9lRLXM2UJKClZ/QbaT41Kls+e68sxXfkhW0SizfKz81VoyzOT0qsODr++jDpQ3
         sKMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:from:to:subject:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=3OCwD2P5WJLl3iLmHKpOiomLCdc3QKJxtNIYUeg9DS0=;
        b=2xeyF3zrQcxru+JNWpROPjwYU9yOI4IlYZIBwEACOreMHsi9sr2mHG/4m1g/9s60qC
         QudfZChZ2DEqF4o0xYY2+WkDDLqfrtB8fhjTS8ppW4M1gtIvbMtQ2wCCjryFW9xl6h49
         zj5eSYvn50csgo+4xO1azpoAHAbUNemwtJfLTfY4jsy2OTeji7WRtniEPZNOEa2HCnlt
         XBzRMtfnaQg7Eo5awhzC/aCk4VCHqX5mMZ+qozev4lEyc+rPl96nt1fO0CE2KeIJ5qWX
         1810KG5sjBT26CFBRMWwlJqYZv3130ZsnXCKQEZ9JxDVbraLhnYRIjJe9wIJl/j2oBR2
         gb/g==
X-Gm-Message-State: AOAM531a8Qdf3AWsxJ4GZqelbcQYAf5Ns9T9kUTNKlgbzssiRyc9pY2h
	V8+MtLsnjo+Q/vchbQzARvA37Vj2qdw=
X-Google-Smtp-Source: ABdhPJwtT4sg4yR1wofTOGCIymc4aqiNbiMnLOTbLLtyByGZC3Wn1c/357mijmjeukKY+6Pj+aP7DA==
X-Received: by 2002:a2e:8942:0:b0:24b:405d:ce6d with SMTP id b2-20020a2e8942000000b0024b405dce6dmr24048753ljk.270.1651229627456;
        Fri, 29 Apr 2022 03:53:47 -0700 (PDT)
Date: Fri, 29 Apr 2022 13:53:41 +0300
From: "dmn (graahnul DOT grom AT gmail DOT com) [via geda-user AT delorie DOT com]" <geda-user AT delorie DOT com>
To: geda-user AT delorie DOT com
Subject: Re: [geda-user] Re: gschem/lepton: gafrc security issue
Message-ID: <20220429135341.4559b215@yo>
In-Reply-To: <fbaecf7b-1c84-fe7-5f30-35722fb35f13@grinsen-ohne-katze.de>
References: <alpine DOT DEB DOT 2 DOT 20 DOT 2204280758280 DOT 25839 AT igor2priv>
	<fbaecf7b-1c84-fe7-5f30-35722fb35f13 AT grinsen-ohne-katze DOT de>
X-Mailer: Claws Mail 3.18.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.0)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Reply-To: geda-user AT delorie DOT com
Errors-To: nobody AT delorie DOT com
X-Mailing-List: geda-user AT delorie DOT com
X-Unsubscribes-To: listserv AT delorie DOT com
Precedence: bulk

On Thu, 28 Apr 2022 12:39:49 +0200 (CEST)
Roland Lutz <rlutz AT hedmen DOT org> wrote:

> Hi Igor2,
> 
> On Thu, 28 Apr 2022, rnd2 AT igor2 DOT repo DOT hu wrote:
> > I've figured there's a security flaw in the desing of gafrc. Both 
> > geda/gaf (including gschem and gnetlist) and lepton-eda (including 
> > lepton-schematics and lepton-netlist) are affected.
> >
> > (Now that I think about it, it looks so obvious. I don't know why I 
> > can't find any reference on this on the web. Maybe it's a long
> > known problem, maybe nobody though of it before.)
> >
> > [...]
> >
> > If you download a gschem/lepton project someone else made, _before_
> > you open it with gschem or lepton-eda or run the netlister on it,
> > always read through the gafrc file. Read every single line and see
> > if it does anything suspicious.
> 
> thank you for raising awareness about this issue.  (I took the
> liberty of cross-posting to geda-user to reach the relevant audience.)
> 
> This is a known issue that has been a thorn in my side for a long
> time, but unfortunately, there's only so much I can do about it.
> 
> The underlying problem is that gEDA/gaf executes configuration files. 
> Configuration should be data; but by making gafrc, gschemrc, and 
> gnetlistrc executable scripts, some corners could be cut regarding
> common cases like home directory expansion or project-aware settings.
> 
> Changing this would not only require introducing a non-execuable 
> configuration format, it would also require offering special-case 
> solutions for these situations.
> 
> Roland
> 


It is a well-known and well-understood problem [1].
That's why Lapton EDA is migrating its settings
to the new configuration system [2]. It uses a
declarative style configuration stored in ini-like
files. More than 100 configuration parameters have
already been migrated (supporting backward compatibility).
Currently, gafrc and gschemerc files are still used
to define the following remaining settings [3]:
- gafrc:
  - component and source libraries
  - print color scheme
- gschemrc:
  - keyboard shortcuts
  - color scheme

All of the gnetlistrc options are defined in the new
configuration system, there's no need to use this
file anymore (again, backward compatibility is supported).

[1] https://blueprints.launchpad.net/geda/+spec/config-sys-transition
[2] https://lepton-eda.github.io/lepton-manual.html/Configuration.html
[3]
https://lepton-eda.github.io/lepton-manual.html/Legacy-configuration.html

Regards,
Dmitry.