https://bugzilla.redhat.com/show_bug.cgi?id=832698
Bug ID: 832698
Summary: Review Request: CERT Triage tools - a gdb extension similar to microsoft's !exploitable
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Status: NEW
Severity: medium
Priority: medium
Reporter: bressers@redhat.com
Assignee: nobody@fedoraproject.org
QA Contact: extras-qa@fedoraproject.org
CC: notting@redhat.com, package-review@lists.fedoraproject.org
Regression / Story Points / Type / Documentation / Mount Type: ---

Spec URL: http://fedorapeople.org/~bressers/exploitable-review/exploitable.spec
SRPM URL: http://fedorapeople.org/~bressers/exploitable-review/exploitable-1.01-1.fc16...
Description: CERT Triage tools, which currently only contain a gdb extension called exploitable
Fedora Account System Username: bressers
I've packaged up CERT's Triage tools, which are really just a gdb extension right now. The package installs an extension-specific python module, and a script into /usr/bin.
The script doesn't currently have a man page (it's on my list). I wanted to start the review now as I'm certain this will need some work.
The extension basically will show the user if their application crash is exploitable or not (it's certainly not perfect, but getting this to a wider audience should help improve it greatly).
For example:
bress@localhost ~ % cert-triage /tmp/test
warning: Current output protocol does not support redirection
Description: Access violation near NULL on destination operand
Short description: DestAvNearNull (14/21)
Hash: f7ba00781cd7cb6b8ae2fbf50d65e661.f7ba00781cd7cb6b8ae2fbf50d65e661
Exploitability Classification: PROBABLY_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.
Other tags: AccessViolation (20/21)
Additionally this can be run directly from gdb via the 'exploitable' command.
Thanks.
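As an added example (not code from this bug or from the exploitable project), a small parser for the report format shown above that also handles the case where gdb never loaded the command and printed "Undefined command" instead. Field names and the "major.minor" hash layout come from the page; the hash value is a placeholder, and grouping duplicate crashes by the first hash component is my assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Constructed sample in the layout `exploitable` prints (one field per line);
# the hash is a placeholder made up for this example, not a real crash hash.
SAMPLE_OK = """\
Description: Access violation near NULL on destination operand
Short description: DestAvNearNull (14/21)
Hash: 0123456789abcdef0123456789abcdef.fedcba9876543210fedcba9876543210
Exploitability Classification: PROBABLY_EXPLOITABLE
Other tags: AccessViolation (20/21)
"""
# Constructed sample of the failure seen when gdb has not loaded the command.
SAMPLE_FAILED = 'Undefined command: "exploitable".  Try "help".\nFailed to triage (no crash?): ./a.out\n'
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")      # "Key: value" report lines
RANKED = re.compile(r"^(\w+)\s*\((\d+)/(\d+)\)$")   # e.g. "DestAvNearNull (14/21)"

@dataclass
class Triage:
    classification: str
    short: str
    rank: int        # "N/M" rule rank as printed; in the bug's samples lower N is the more severe rule
    hash_major: str  # first component of "Hash: major.minor" (assumed to be a stack-trace hash)
    tags: List[str] = field(default_factory=list)

def parse_triage(text: str) -> Optional[Triage]:
    """Parse one exploitable report; return None when gdb produced no triage."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    if "exploitability classification" not in fields or "hash" not in fields:
        return None
    m = RANKED.match(fields.get("short description", ""))
    if not m:
        return None
    major = fields["hash"].split(".", 1)[0]
    tags = [t.strip() for t in fields.get("other tags", "").split(",") if t.strip()]
    return Triage(fields["exploitability classification"], m.group(1), int(m.group(2)), major, tags)

def bucket_by_major_hash(reports: List[str]) -> Dict[str, List[Triage]]:
    """Group crashes by major hash so repeats collapse; untriaged reports are skipped."""
    buckets: Dict[str, List[Triage]] = {}
    for report in reports:
        t = parse_triage(report)
        if t is not None:
            buckets.setdefault(t.hash_major, []).append(t)
    return buckets
```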
Karel Klíč kklic@redhat.com changed:
What      Removed    Added
Status    NEW        ASSIGNED
CC                   kklic@redhat.com
Flags                fedora-review?
--- Comment #1 from Karel Klíč kklic@redhat.com --- I feel the license might be an issue.
I interpret the license of this package (file LICENSE.txt) as "BSD with advertising" because of the following section:
--
3. All advertising materials for third-party software mentioning features or use of this software must display the following disclaimer:
"Neither Carnegie Mellon University nor its Software Engineering Institute have reviewed or endorsed this software"
--
http://fedoraproject.org/wiki/Licensing:Main indicates that the "BSD with advertising" license is free but _incompatible with GPLv3_, which is the license of GDB including its Python interface. The package is built on the top of that GDB Python interface.
Do you agree with this interpretation?
--- Comment #2 from Josh Bressers bressers@redhat.com --- Richard Fontana looked at this, here is his response:
Based on the information provided about the technical context I do not believe there is a licensing conflict, despite the fact that the CMU license is GPL-incompatible under orthodox understanding. The fact that the license of GDB allows for cure opportunities, and the likelihood that we could obtain a special permission from the FSF should they consider there to be a problem, has influenced my thinking on this.
Therefore, packaging of the triage tools in Fedora can proceed.
--- Comment #3 from Karel Klíč kklic@redhat.com --- I found a couple of minor issues. Fixing them would make the package better.
1. The spec file should not include the %clean section with "rm -rf %{buildroot}".
2. There should be no "rm -rf %{buildroot}" at the beginning of the %install section.
3. "%defattr(-,root,root,-)" should not be included at the beginning of the %files section.
4. Rpmlint warnings should be fixed:
rpmlint exploitable-1.01-1.fc19.noarch.rpm
exploitable.noarch: W: wrong-file-end-of-line-encoding /usr/share/doc/exploitable-1.01/README.txt
exploitable.noarch: W: wrong-file-end-of-line-encoding /usr/share/doc/exploitable-1.01/AUTHORS.txt
1 packages and 0 specfiles checked; 0 errors, 2 warnings.
Perhaps the following link helps? http://fedoraproject.org/wiki/Packaging_tricks#Remove_DOS_line_endings
5. AUTHORS.txt and README.txt from /usr/share/triage-tools should be installed in %doc (/usr/share/doc/exploitable-1.01/).
6. LICENSE.txt should be included in %doc files.
I have also tested the package on RHEL-6. The GDB command works only after importing it manually:
(gdb) exploitable
Undefined command: "exploitable".  Try "help".
(gdb) require command exploitable_gdb
(gdb) exploitable
Description: Heap error
Short description: HeapError (9/21)
Hash: 6687658ff11fd9da15c43c9e6f5259bd.6687658ff11fd9da15c43c9e6f5259bd
Exploitability Classification: EXPLOITABLE
...
The cert-triage command line tool doesn't work as it cannot find the "exploitable" GDB command:
$ cert-triage ./testBranchAv.test
Undefined command: "exploitable".  Try "help".
/usr/bin/cert-triage:152: UserWarning: triage failed ([Errno 2] No such file or directory: '/tmp/triage.pkl'), call=gdb --batch -ex "source exploitable/exploitable-gdb.py" -ex run -ex "exploitable -p /tmp/triage.pkl" --args ./testBranchAv.test
  warnings.warn("triage failed (%s), call=%s" % (e, call))
Failed to triage (no crash?): ./testBranchAv.test
Are you going to include the package in EPEL6? If it is not so, I can test it later today on my Fedora 17 machine at home.
--- Comment #4 from Josh Bressers bressers@redhat.com --- OK, so this isn't going to work on RHEL6 as is. I spoke with the RHEL6 gdb maintainer. The ability to auto-load commands doesn't exist there. I'm going to think about how to best address that. For now let's target Fedora with plans to include this in EPEL6 eventually.
I've updated the package and spec file addressing the concerns: http://fedorapeople.org/~bressers/exploitable-review/
bress@rh rpmbuild % rpmlint RPMS/noarch/exploitable-1.01-2.fc16.noarch.rpm
exploitable.noarch: W: no-manual-page-for-binary cert-triage
1 packages and 0 specfiles checked; 0 errors, 1 warnings.
bress@rh rpmbuild % rpmlint SRPMS/exploitable-1.01-2.fc16.src.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.
The man page will be added in the near future.
Josh Bressers bressers@redhat.com changed:
What      Removed    Added
Status    ASSIGNED   NEW
--- Comment #5 from Josh Bressers bressers@redhat.com --- This review needs to stop. I found some GPL code in this package. I'm going to consult Fontana on what's next.
Christopher Meng cickumqt@gmail.com changed:
What      Removed    Added
CC                   cickumqt@gmail.com
Blocks               182235 (FE-Legal)
Christopher Meng cickumqt@gmail.com changed:
What      Removed    Added
CC                   bressers@redhat.com
Flags                needinfo?(bressers@redhat.com)
Mario Blättermann mario.blaettermann@gmail.com changed:
What      Removed          Added
CC                         mario.blaettermann@gmail.com
Flags     fedora-review?
--- Comment #6 from Mario Blättermann mario.blaettermann@gmail.com --- This ticket is in an odd state... Not ASSIGNED, and in fact assigned to nobody anyway, but the "fedora-review?" flag is set. I set it back, except the needinfo.
Christopher Meng cickumqt@gmail.com changed:
What      Removed             Added
Blocks    182235 (FE-Legal)
--- Comment #7 from Christopher Meng cickumqt@gmail.com --- Please package 1.04 when you are free.
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=182235 [Bug 182235] Fedora Legal Tracker
Tom "spot" Callaway tcallawa@redhat.com changed:
What      Removed    Added
CC                   tcallawa@redhat.com
Blocks               182235 (FE-Legal)
--- Comment #8 from Tom "spot" Callaway tcallawa@redhat.com --- Reblocking FE-Legal, since there are legal issues (re: Comment 5)
--- Comment #9 from Upstream Release Monitoring upstream-release-monitoring@fedoraproject.org --- koschei's scratch build of gdb-7.10.50.20151113-33.fc24.src.rpm for f24 completed http://koji.fedoraproject.org/koji/taskinfo?taskID=12414110
Tom "spot" Callaway tcallawa@redhat.com changed:
What      Removed             Added
Blocks    182235 (FE-Legal)
--- Comment #10 from Tom "spot" Callaway tcallawa@redhat.com --- The GPL licensed code was removed in a commit in 2015: https://github.com/jfoote/exploitable/commit/f5cf8fc1dbacf6647c3a746936ead7b...
This resolves the internal licensing concerns with this code, should someone wish to take it up again. Lifting FE-Legal
Damian Wrobel dwrobel@ertelnet.rybnik.pl changed:
What      Removed    Added
CC                   dwrobel@ertelnet.rybnik.pl
--- Comment #11 from Damian Wrobel dwrobel@ertelnet.rybnik.pl --- Seems to be already available in Fedora since f25 [1].
[1] https://src.fedoraproject.org/rpms/gdb-exploitable
Jason Tibbitts tibbs@math.uh.edu changed:
What          Removed    Added
Status        NEW        CLOSED
Resolution    ---        DUPLICATE
Last Closed              2018-06-28 14:30:39
--- Comment #12 from Jason Tibbitts tibbs@math.uh.edu --- It does seem that in the meantime this package was reviewed and accepted under the new name the developer chose after leaving CERT.
*** This bug has been marked as a duplicate of bug 1472405 ***