@@ -62,19 +62,25 @@ What Is A Security Bug?
6262 (either from the GDB command line, a GDB configuration file, or from
6363 the GDB prompt) are considered security bugs.
6464
65- GDB will check for and load multiple configuration files. When
66- initially started GDB can load user- and system-specific
67- configuration files, this is done unconditionally as it is assumed
68- these files are under control of the user and are always safe to
69- load.
70-
71- GDB can also load per-project and per-program configuration files,
72- this is done when a program to debug is loaded into GDB. These
73- configuration files will only be loaded if the user has given GDB
74- permission to load these files. Any bug in GDB which allows
75- per-project or per-program configuration files to be loaded without
76- permission having been granted by the user is considered a security
77- bug.
65+ GDB will check for and load multiple configuration files, sometimes
66+ referred to as extension scripts or plugins. When initially started
67+ GDB can load user-specific and/or system-specific configuration files,
68+ this is done unconditionally as it is assumed these files are under
69+ control of the user and are always safe to load. All of these files
70+ are treated as trusted input, meaning GDB makes no attempt to sanitize
71+ commands and has no sandboxing or other protections against effects of
72+ commands run by any automatically loaded file. It is up to the user to
73+ audit files against documentation provided by the relevant projects to
74+ protect against malicious commands. If executing commands provided by
75+ the GDB project generates undocumented side effects, this is a bug. For
76+ that bug to be considered a security bug, it must meet other definitions
77+ of security bugs outlined in this document.
78+
79+ GDB can also load per-project and/or per-program configuration files
80+ when a program is loaded for debugging. Such files will only be loaded
81+ if the user has given GDB permission to load them. Any bug in GDB which
82+ allows per-project or per-program configuration files to be loaded without
83+ permission having been granted by the user is considered a security bug.
7884
7985 When gdbserver is started, if it is passed a program on its command
8086 line then that program will be started, but paused before executing
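Review bot: The scope of "All of these files are treated as trusted input" in the first added paragraph (new lines 69-72) is ambiguous. It follows the sentence about user-specific and system-specific files, but the phrase "any automatically loaded file" can also be read to cover the per-project and per-program files introduced in the next paragraph. Please state explicitly whether per-project and per-program files are likewise unsanitized and unsandboxed once the user has granted permission, since that is what a reader deciding whether to grant permission needs to know. Two smaller points in the same paragraph: "commands provided by the GDB project" (new lines 74-75) does not say whether it means GDB's built-in commands or scripts shipped with GDB, and "configuration files, this is done unconditionally" is a comma splice carried over from the old text that could be split into two sentences while the paragraph is being rewritten.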
@@ -101,6 +107,25 @@ What Is Not A Security Bug
101107 In the context of local debugging, when GDB is used to execute a
102108 program, the program runs with the same privileges as GDB itself.
103109
110+ GDB is not meant to be offered as a service (that is, offered
111+ over an insecure connection to non-local users), and so denial of
112+ service attacks targeting GDB itself, or other bugs that target
113+ this use case, are not considered a security bug.
114+
115+ By the same token, simply triggering an internal error in GDB is not
116+ considered a security bug, since GDB has detected an issue and
117+ handled it in a non-exploitable manner. If it can be demonstrated
118+ that some bug other than the internal error happens, this other bug
119+ should be evaluated independently of the error, and may be a security
120+ bug if it fits some of the definitions in this document.
121+
122+ GDB provides 3 different turing complete languages, Guile, Python
123+ and direct access to the shell. Making use of these languages can
124+ have unknown effects, including outside of the GDB process. Such
125+ effects will only be considered security bugs if they fit some of the
126+ definitions in this document and the effect can only be reproduced
127+ when executed in the GDB environment.
128+
104129 Any issues that arise from running an untrusted program outside of a
105130 secure environment are not security bugs in GDB. Any issues that
106131 arise from running an untrusted program through GDB inside a secure
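Review bot: The test in the last added paragraph (new lines 125-127), "the effect can only be reproduced when executed in the GDB environment", is hard to apply as written: it does not say what it is being compared against. If the intent is that an effect which also occurs when the same Guile, Python or shell code runs outside GDB is not a GDB security bug, say that directly. In the same paragraph, "direct access to the shell" is listed as one of "3 different turing complete languages"; consider "three Turing-complete languages: Guile, Python and the shell". In the first added paragraph (new lines 110-113), "are not considered a security bug" should be "are not considered security bugs" to agree with the plural subject.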