* Paul Wise:
> On Tue, Dec 31, 2019 at 9:47 AM Florian Weimer wrote:
>
>> BFD and binutils have not been designed to process untrusted data.
>> Usually, this does not matter at all. For example, no security
>> boundary is crossed when linking object files that have just been
>> compiled.
>
> There are definitely situations where vulnerabilities in binutils
> (mostly objdump) are important and a security boundary could be
> crossed, for example: running lintian on ftp-master, malware reverse
> engineering and inspection of binaries for hardening features.
Doesn't lintian on ftp-master use disposable VMs? Some of its checks look inherently dangerous, e.g. the bash -n check for shell syntax.