path: root/SECURITY.md
blob: 66d512febc408059f978df7a86ad4e3a1fb7bb13 (plain)
# Security overview

## General

libgphoto2 is a software library for accessing USB devices (cameras,
media players). It provides file system operations (list, download,
upload, delete) and control operations (get and set settings, and
remote control).

It consists of a core library and two kinds of drivers: "port" drivers
for protocols like USB, serial and IP, and device drivers (camera drivers).

libgphoto2 processes images only as far as needed to provide standard
formats. For JPEG images, EXIF data is extracted using the libexif library.

Callers of the library are assumed to be trusted, and so is input that
enters the library via API calls.

Data coming from port drivers (USB, serial, IP, etc) is considered untrusted.

Historically, the primary development goal was "make it work", without
security in mind.

## Attack Surface

The primary attack scenario is a kiosk-style photo access computer, where
people can plug in USB devices in an unattended fashion.

The relevant attack impacts are gaining control over this computer or blocking its use.

## Bugs considered security issues

(Mostly as rules for CVE assignment.)

In scope are the protocols that support autodetection, such as USB.

IP (TCP and UDP) based drivers are also in scope, covering malicious
target devices and man-in-the-middle attacks.

Current camera drivers are in scope (i.e. all drivers not marked as "outdated").

Triggering memory corruption is considered in scope.
Triggering endless loops is considered in scope (this would block kiosk-style operation).
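
The two in-scope bug classes both arise from trusting values a device sends over a port. The following is an added illustration, not libgphoto2 code: a constructed record format (a device-chosen "next record" offset plus a length-prefixed payload) parsed the way a port or camera driver should parse untrusted data, with every offset and length checked against the bytes actually received and the chain walk capped so a self-referencing chain cannot spin forever. `MAX_RECORDS`, the record layout and the sample buffers are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_RECORDS 64   /* hypothetical cap on how many chained records we follow */

/* Constructed record layout (not libgphoto2's real wire format): each record
 * is a 2-byte little-endian offset of the next record (0 = end of chain)
 * followed by one data byte. The offsets are chosen by the device. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Count the records reachable from `start`. Every offset is device-controlled,
 * so each record is checked to lie inside the bytes actually received (no
 * out-of-bounds read) and the walk is capped at MAX_RECORDS so a chain that
 * points back to itself cannot keep a kiosk frontend busy forever.
 * Returns the record count, or -1 for a malformed or looping chain. */
int count_chain(const uint8_t *buf, size_t buflen, uint16_t start)
{
    size_t off = start;
    int visited = 0;
    while (off != 0) {
        if (visited >= MAX_RECORDS) return -1;   /* endless-loop class */
        if (off + 3 > buflen) return -1;         /* memory-corruption class */
        visited++;
        off = rd16(buf + off);
    }
    return visited;
}

/* Copy a length-prefixed payload (4-byte little-endian length, then bytes)
 * into `out`. The declared length is untrusted: it may exceed what was
 * received (over-read) or what `out` can hold (overflow); reject both.
 * Returns the number of bytes copied, or -1. */
int read_payload(const uint8_t *buf, size_t buflen, uint8_t *out, size_t outlen)
{
    if (buflen < 4) return -1;
    uint32_t declared = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                        ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    if (declared > buflen - 4 || declared > outlen) return -1;
    memcpy(out, buf + 4, declared);
    return (int)declared;
}

/* Constructed device responses (sample input, not captured from a device). */
static const uint8_t good_chain[] = { 0, 4,0,10, 7,0,20, 0,0,30 }; /* 3 records */
static const uint8_t loop_chain[] = { 0, 1,0,5 };    /* record points at itself */
static const uint8_t oob_chain[]  = { 0, 200,0,5 };  /* next record outside buffer */
static const uint8_t good_pkt[]   = { 2,0,0,0, 'a','b' };
static const uint8_t lying_pkt[]  = { 9,0,0,0, 'a','b' };  /* claims 9, sent 2 */
```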

## Bugs not considered security issues

Serial cameras are not in scope: they cannot be autodetected and need
special configuration, which makes other attack vectors likely.

Outdated drivers are not in scope. We have classified a number of older
drivers as "outdated" and no longer recommend building them by default.

Denial of service attacks of class "crash" or "resource consumption
(disk)" are not in scope.

- Frontends should auto-recover (restart) after crashes.
- Resource consumption in terms of disk space is not in scope, as the
  library is meant to download large amounts of data (gigabytes) in
  regular operation.

Information disclosure is not a relevant attack scenario.

## Bug reports

Bug reports can be filed as GitHub issues.

If you want to report an embargoed security bug, reach out to marcus@jet.franken.de.