
Re: Why no security support for binutils? What to do about it?



* Paul Wise:

> On Tue, Dec 31, 2019 at 9:47 AM Florian Weimer wrote:
>
>> BFD and binutils have not been designed to process untrusted data.
>> Usually, this does not matter at all.  For example, no security
>> boundary is crossed when linking object files that have just been
>> compiled.
>
> There are definitely situations where vulnerabilities in binutils
> (mostly objdump) are important and a security boundary could be
> crossed, for example: running lintian on ftp-master, malware reverse
> engineering and inspection of binaries for hardening features.

Doesn't lintian on ftp-master use disposable VMs?  Some of its checks
look inherently dangerous, e.g. the bash -n check for shell syntax.
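As an added example, not part of the thread or of binutils itself: one way to run an inspection tool such as objdump on a file that crosses a trust boundary is to confine the process with a wall-clock limit, an address-space limit, no core dumps, and (where the host allows unprivileged user namespaces) no network, so a parser crash or runaway allocation stays contained. The wrapper below assumes bash, coreutils `timeout`, and optionally util-linux `unshare`; the memory and time limits are illustrative values, not recommendations from the thread.

```shell
#!/bin/bash
# Added example, not code from the original thread: confine an inspection tool
# that is handed untrusted input. Assumes bash, coreutils `timeout`, and
# optionally util-linux `unshare` for an unprivileged network-less namespace.

# have_netns: succeed if this host lets an unprivileged user create a user +
# network namespace (not every container or kernel configuration allows it).
have_netns() {
    command -v unshare >/dev/null 2>&1 && unshare -rn true >/dev/null 2>&1
}

# run_confined SECONDS MEM_KIB COMMAND [ARGS...]
# Runs COMMAND under: a wall-clock limit, an address-space cap (KiB), no core
# dumps, a 1 MiB cap on any file it writes, and no network when available.
# Exit status is COMMAND's own status, or 124 if the time limit was hit.
run_confined() {
    local secs=$1 mem=$2
    shift 2
    if have_netns; then
        set -- unshare -rn "$@"   # drop network access for the whole subtree
    fi
    (
        ulimit -c 0 || exit 1            # no core dumps from a crashing parser
        ulimit -v "$mem" || exit 1       # cap virtual memory (KiB); fail closed
        ulimit -f 2048 || exit 1         # cap written files (512-byte blocks)
        exec timeout "$secs" "$@"
    )
}

# Usage: ./confine.sh suspicious.bin
# Disassembles the argument with a 30 s limit and a 512 MiB address-space cap.
if [ $# -gt 0 ]; then
    run_confined 30 524288 objdump -d "$1"
fi
```

The same wrapper fits the other checks mentioned above (for instance `run_confined 5 131072 bash -n script.sh`), but it is a per-process containment measure, not a substitute for the disposable-VM boundary the reply asks about: a kernel or namespace escape would still reach the host.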
