Bug 832698
Summary: | Review Request: CERT Triage tools - a gdb extension similar to microsoft's !exploitable | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Josh Bressers <bressers> |
Component: | Package Review | Assignee: | Nobody's working on this, feel free to take it <nobody> |
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | bugzilla.throwaway.232425, dwrobel, fj-lsoft-kernel-it, package-review, tcallawa |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-06-28 18:30:39 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Josh Bressers
2012-06-16 16:59:59 UTC
I feel the license might be an issue. I interpret the license of this package (file LICENSE.txt) as "BSD with advertising" because of the following section: -- 3. All advertising materials for third-party software mentioning features or use of this software must display the following disclaimer: "Neither Carnegie Mellon University nor its Software Engineering Institute have reviewed or endorsed this software" -- http://fedoraproject.org/wiki/Licensing:Main indicates that the "BSD with advertising" license is free but _incompatible with GPLv3_, which is the license of GDB including its Python interface. The package is built on the top of that GDB Python interface. Do you agree with this interpretation? Richard Fontana looked at this, here is his response: Based on the information provided about the technical context I do not believe there is a licensing conflict, despite the fact that the CMU license is GPL-incompatible under orthodox understanding. The fact that the license of GDB allows for cure opportunities, and the likelihood that we could obtain a special permission from the FSF should they consider there to be a problem, has influenced my thinking on this. Therefore, packaging of the triage tools in Fedora can proceed. I found a couple of minor issues. Fixing them would make the package better. 1. The spec file should not include the %clean section with "rm -rf %{buildroot}". 2. There should be no "rm -rf %{buildroot}" at the beginning of the %install section. 3. "%defattr(-,root,root,-)" should not be included at the beginning of the %files section. 4. Rpmlint warnings should be fixed rpmlint exploitable-1.01-1.fc19.noarch.rpm exploitable.noarch: W: wrong-file-end-of-line-encoding /usr/share/doc/exploitable-1.01/README.txt exploitable.noarch: W: wrong-file-end-of-line-encoding /usr/share/doc/exploitable-1.01/AUTHORS.txt 1 packages and 0 specfiles checked; 0 errors, 2 warnings. Perhaps the following link helps? http://fedoraproject.org/wiki/Packaging_tricks#Remove_DOS_line_endings 5. AUTHORS.txt and README.txt from /usr/share/triage-tools should be installed in %doc (/usr/share/doc/exploitable-1.01/). 6. LICENSE.txt should be included in %doc files. I have also tested the package on RHEL-6. The GDB command works only after importing it manually: (gdb) exploitable Undefined command: "exploitable". Try "help". (gdb) require command exploitable_gdb (gdb) exploitable Description: Heap error Short description: HeapError (9/21) Hash: 6687658ff11fd9da15c43c9e6f5259bd.6687658ff11fd9da15c43c9e6f5259bd Exploitability Classification: EXPLOITABLE ... The cert-triage command line tool doesn't work as it cannot find the "exploitable" GDB command: $ cert-triage ./testBranchAv.test Undefined command: "exploitable". Try "help". /usr/bin/cert-triage:152: UserWarning: triage failed ([Errno 2] No such file or directory: '/tmp/triage.pkl'), call=gdb --batch -ex "source exploitable/exploitable-gdb.py" -ex run -ex "exploitable -p /tmp/triage.pkl" --args ./testBranchAv.test warnings.warn("triage failed (%s), call=%s" % (e, call)) Failed to triage (no crash?): ./testBranchAv.test Are you going to include the package in EPEL6? If it is not so, I can test it later today on my Fedora 17 machine at home. OK, so this isn't going to work on RHEL6 as is. I spoke with the RHEL6 gdb maintainer. The ability to auto-load commands doesn't exist there. I'm going to think about how to best address that. For now let's target Fedora with plans to include this in EPEL6 eventually. I've updated the package and spec file addressing the concerns http://fedorapeople.org/~bressers/exploitable-review/ bress@rh rpmbuild % rpmlint RPMS/noarch/exploitable-1.01-2.fc16.noarch.rpm exploitable.noarch: W: no-manual-page-for-binary cert-triage 1 packages and 0 specfiles checked; 0 errors, 1 warnings. bress@rh rpmbuild % rpmlint SRPMS/exploitable-1.01-2.fc16.src.rpm 1 packages and 0 specfiles checked; 0 errors, 0 warnings. The man page will be added in the near future. This review needs to stop. I found some GPL code in this package. I'm going to consult Fontana on what's next. This ticket is in an odd state... Not ASSIGNED, and in fact assigned to nobody anyway, but the "fedora-review?" flag is set. I set it back, except the needinfo. Please package 1.04 when you are free. Reblocking FE-Legal, since there are legal issues (re: Comment 5) koschei's scratch build of gdb-7.10.50.20151113-33.fc24.src.rpm for f24 completed http://koji.fedoraproject.org/koji/taskinfo?taskID=12414110 The GPL licensed code was removed in a commit in 2015: https://github.com/jfoote/exploitable/commit/f5cf8fc1dbacf6647c3a746936ead7bebd411f63 This resolves the internal licensing concerns with this code, should someone wish to take it up again. Lifting FE-Legal Seems to be already available in Fedora since f25 [1]. [1] https://src.fedoraproject.org/rpms/gdb-exploitable It does seem that in the meantime this package was reviewed and accepted under the new name the developer chose after leaving CERT. *** This bug has been marked as a duplicate of bug 1472405 *** The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days |