[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> While it does not /prevent/ cracks, there is something we can ensure
> that we *keep* doing: GCC, when reading from a pipe, records the input
> file as "<stdin>" in debug info *even* if a "#" directive to set the
> filename has been included. This was noticed by Adrien Nader (who
> posted it to oss-security;
> <URL:https://www.openwall.com/lists/oss-security/2024/04/03/2> and
> <URL:https://marc.info/?l=oss-security&m=171214932201156&w=2>; those are
> the same post at different public archives) and should provide a
> "smoking gun" test to detect this type of backdoor dropping technique in
> the future. This GCC behavior should be documented as a security
> feature, because most program sources are not read from pipes.

Are you suggesting fixing GCC to put the specified file into those
line numbers, or are you suggesting we keep this behavior to help with
analysis?

In principle it could be possible to output something different to
describe this strange situation explicitly. For instance, output "via
stdin" as a comment, or output `stdin/../filename' as the file name.
(Programs that optimize the file name by deleting XXX/.../ are likely
not to check whether XXX is a real directory.)

Are the GCC developers discussing these questions? If not, please send
them a bug report about this so they start doing so.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
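The "smoking gun" test the quoted message describes, written out as an added example (it is not part of the thread and not GCC's or binutils' own code): a POSIX shell check that reads `readelf --debug-dump=info` output and flags any DWARF compile unit whose DW_AT_name is "<stdin>". The function names, the constructed readelf excerpts and the `innocent.c` directive in the live demo are all assumptions made for the example; the readelf output layout is assumed to be GNU binutils'. Only the compile unit name is inspected, on the thread's premise that a "#" directive does not change it.

```shell
#!/bin/sh
# Added example, not from the thread or from GCC/binutils: detect objects
# whose DWARF compile unit is named "<stdin>", i.e. source piped into GCC.

# has_stdin_cu FILE
#   FILE holds the text output of `readelf --debug-dump=info`.
#   Returns 0 if any DW_TAG_compile_unit has DW_AT_name "<stdin>", else 1.
#   Only the compile unit's own name is checked; the attributes of child
#   DIEs (functions, variables) are ignored.
has_stdin_cu() {
    awk '
        /\(DW_TAG_compile_unit\)/ { in_cu = 1; next }
        /\(DW_TAG_/               { in_cu = 0 }
        in_cu && /DW_AT_name/ && /<stdin>/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# scan_elf BINARY
#   Runs readelf on a real object or executable and applies has_stdin_cu.
#   Needs GNU binutils; a stripped binary carries no DWARF and never matches.
scan_elf() {
    tmp=$(mktemp) || return 2
    readelf --debug-dump=info "$1" > "$tmp" 2>/dev/null
    has_stdin_cu "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed readelf excerpts (not captured from a real build) so the check
# can be exercised offline. Only the lines the check reads are kept.
SAMPLE_PIPED=$(mktemp)
SAMPLE_NORMAL=$(mktemp)
trap 'rm -f "$SAMPLE_PIPED" "$SAMPLE_NORMAL"' EXIT
cat > "$SAMPLE_PIPED" <<'EOF'
 <0><c>: Abbrev Number: 1 (DW_TAG_compile_unit)
    <d>   DW_AT_producer    : (indirect string, offset: 0x0): GNU C17
    <12>   DW_AT_name        : (indirect line string, offset: 0x0): <stdin>
    <16>   DW_AT_comp_dir    : (indirect line string, offset: 0x8): /tmp/build
 <1><2d>: Abbrev Number: 2 (DW_TAG_subprogram)
    <2f>   DW_AT_name        : main
EOF
cat > "$SAMPLE_NORMAL" <<'EOF'
 <0><c>: Abbrev Number: 1 (DW_TAG_compile_unit)
    <d>   DW_AT_producer    : (indirect string, offset: 0x0): GNU C17
    <12>   DW_AT_name        : (indirect line string, offset: 0x0): innocent.c
    <16>   DW_AT_comp_dir    : (indirect line string, offset: 0x8): /tmp/build
 <1><2d>: Abbrev Number: 2 (DW_TAG_subprogram)
    <2f>   DW_AT_name        : main
EOF

# Live demonstration when gcc and readelf are installed: pipe in a source
# that claims the name innocent.c via a line directive and show whether the
# compile unit is still recorded as <stdin>.
demo_piped_build() {
    command -v gcc >/dev/null 2>&1 && command -v readelf >/dev/null 2>&1 || {
        echo "gcc/readelf not available; skipping live demo"
        return 0
    }
    out=$(mktemp) || return 2
    printf '# 1 "innocent.c"\nint main(void) { return 0; }\n' |
        gcc -g -x c -o "$out" -
    if scan_elf "$out"; then
        echo "$out: compile unit named <stdin>, source was piped into GCC"
    else
        echo "$out: no <stdin> compile unit found"
    fi
    rm -f "$out"
}

if has_stdin_cu "$SAMPLE_PIPED"; then echo "constructed sample (piped): flagged"; fi
if has_stdin_cu "$SAMPLE_NORMAL"; then :; else echo "constructed sample (normal): clean"; fi
demo_piped_build
```

To sweep a build tree, loop `scan_elf` over every `.o` and linked binary before `strip` runs; once debug info is removed the marker is gone, so the check belongs in the build or packaging pipeline rather than on the shipped artifact.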