This is the mail archive of the
gdb-patches@sourceware.org
mailing list for the GDB project.
Re: [RFA] Add $pdir as entry for libthread-db-search-path.
On Fri, 29 Apr 2011 18:49:09 +0200, Doug Evans wrote:
> On Fri, Apr 29, 2011 at 5:36 AM, Jan Kratochvil <jan.kratochvil@redhat.com> wrote:
> > This is insecure default. ÂIt is something like the FSF GDB insecure .gdbinit
> > behavior which many distros (at least Fedora but even others) have to patch.
>
> Does Fedora turn off the autoloading of python?
No.
> How do your pretty printers Just Work?
> [Or maybe you only autoload if the directory is in $prefix/lib/debug
> or some such?]
You are right it is a security hole, I have not tracked to Python autoloading
much. It should get CVE and security errata assigned as it is the same
category of a security breach as was:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4146
> Plus I wonder how easy it would be to build a program that used an
> accompanying libpthread that didn't match the system libthread_db -
> gdb would then pick the accompanying libthread_db. Or does Fedora not
> ever look in the directory of libpthread for its libthread_db?
This may be also a security exploit I did not catch.
Thanks,
Jan