Re: lt_dlerror changes

[Charles Wilson]

On 6/18/2010 2:52 PM, Bob Friesenhahn wrote:
> On Fri, 18 Jun 2010, Charles Wilson wrote:
>>
>>> If so, this raises security implications
>>> that we want to avoid.
>>
>> I don't think so.
> 
> Hopefully not.  If a binary from an executable program is placed at the
> path "C:\cygwin\bin\last" (with no .exe extension) does LoadLibrary()
> load it?

On Vista, no.  I moved last.exe out of the way (last-foo).  I copied
last-foo to 'last' with no extension, and verified that it did not, in
fact, have the .exe added.

I then stepped thru the code, and both dlopen and LoadLibrary returned
null when given (in either unix or dos format, as appropriate)
"/usr/bin/last"

However, since this exe image had no exports, I thought perhaps it might
be failing for that reason. So, I copied a DLL to /usr/bin/last, and
tried again. Same story: neither dlopen nor LoadLibrary opened it.

Now, this is on Vista. I dunno how earlier OSes might react.

> Since we are on the subject, it is good to make sure that Windows really
> is in good shape security-wise.

Ooooh, oooh, pick me, pick me -- I know this one...

It (meaning windows, not necessarily "libltdl" on windows) isn't.

But we're NOT on the subject. We're talking about a patch for
lt_dlerror, and how it -- or, with slight modifications to the machinery
the patch puts into place -- enables easier debugging of a long-standing
cygwin regression.

Now, however, we've drifted off topic more thoroughly into the details
of that cygwin regression and that's my fault.  Sorry Peter.

But we shouldn't go off on yet another tangent, so if we want to start a
new "Let's make Bill Gates' masterpiece secure for him" thread, let's do
that and not make this one more incoherent than it already is.

> Windows paranoia about downloaded files might go away if the file
> extension is missing so it is good to know if it will still attempt to
> load an exectuable or DLL which has its file extension missing.

Well, apparently it won't -- on Vista.

--
Chuck