gdb: Update SECURITY.txt to mention extension scripts and internal errors

Given the recent CVE filed for GDB (CVE-2024-36699), I decided to update the gdb/SECURITY.txt to be more explicit about some details. Specifically, we now explicitly say that internal errors aren't security vulnerabilities, and mention that users should review plugins before running them, and under which conditions a plugin can cause a security bug. Reviewed-By: Tom Tromey <tom@tromey.com> Approved-By: Luis Machado <luis.machado@arm.com> Approved-By: Andrew Burgess <aburgess@redhat.com>
2024-11-23 01:53:38 +08:00 · 2024-06-13 15:34:26 -03:00 · 2024-06-13 15:34:26 -03:00 · b02e6f38a6
commit b02e6f38a6
parent 35d53ce642
1 changed files with 37 additions and 12 deletions
--- a/gdb/SECURITY.txt
+++ b/gdb/SECURITY.txt
@ -62,19 +62,25 @@ What Is A Security Bug?
  (either from the GDB command line, a GDB configuration file, or from
  the GDB prompt) are considered security bugs.

-  GDB will check for and load multiple configuration files.  When
-  initially started GDB can load user- and system-specific
-  configuration files, this is done unconditionally as it is assumed
-  these files are under control of the user and are always safe to
-  load.
+  GDB will check for and load multiple configuration files, sometimes
+  referred to as extension scripts or plugins.  When initially started
+  GDB can load user-specific and/or system-specific configuration files,
+  this is done unconditionally as it is assumed these files are under
+  control of the user and are always safe to load.  All of these files
+  are treated as trusted input, meaning GDB makes no attempt to sanitize
+  commands and has no sandboxing or other protections against effects of
+  commands run by any automatically loaded file.  It is up to the user to
+  audit files against documentation provided by the relevant projects to
+  protect against malicious commands.  If executing commands provided by
+  the GDB project generates undocumented side effects, this is a bug.  For
+  that bug to be considered a security bug, it must meet other definitions
+  of security bugs outlined in this document.

-  GDB can also load per-project and per-program configuration files,
-  this is done when a program to debug is loaded into GDB.  These
-  configuration files will only be loaded if the user has given GDB
-  permission to load these files.  Any bug in GDB which allows
-  per-project or per-program configuration files to be loaded without
-  permission having been granted by the user is considered a security
-  bug.
+  GDB can also load per-project and/or per-program configuration files
+  when a program is loaded for debugging.  Such files will only be loaded
+  if the user has given GDB permission to load them.  Any bug in GDB which
+  allows per-project or per-program configuration files to be loaded without
+  permission having been granted by the user is considered a security bug.

  When gdbserver is started, if it is passed a program on its command
  line then that program will be started, but paused before executing
@ -101,6 +107,25 @@ What Is Not A Security Bug
  In the context of local debugging, when GDB is used to execute a
  program, the program runs with the same privileges as GDB itself.

+  GDB is not meant to be offered as a service (that is, offered
+  over an insecure connection to non-local users), and so denial of
+  service attacks targeting GDB itself, or other bugs that target
+  this use case, are not considered a security bug.
+
+  By the same token, simply triggering an internal error in GDB is not
+  considered a security bug, since GDB has detected an issue and
+  handled it in a non-exploitable manner.  If it can be demonstrated
+  that some bug other than the internal error happens, this other bug
+  should be evaluated independently of the error, and may be a security
+  bug if it fits some of the definitions in this document.
+
+  GDB provides 3 different turing complete languages, Guile, Python
+  and direct access to the shell.  Making use of these languages can
+  have unknown effects, including outside of the GDB process.  Such
+  effects will only be considered security bugs if they fit some of the
+  definitions in this document and the effect can only be reproduced
+  when executed in the GDB environment.
+
  Any issues that arise from running an untrusted program outside of a
  secure environment are not security bugs in GDB.  Any issues that
  arise from running an untrusted program through GDB inside a secure