public inbox for binutils-cvs@sourceware.org
From: Nick Clifton <nickc@sourceware.org>
To: bfd-cvs@sourceware.org, gdb-cvs@sourceware.org
Subject: [binutils-gdb] Add a SECURITY.txt file describing the GNU Binutils project's stance on security related bugs.
Date: Thu, 20 Apr 2023 15:52:41 +0000 (GMT)
Message-ID: <20230420155241.7BD903857705@sourceware.org>

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8e7785b4bd4fccaafad5c64a30342345e8cc6801

commit 8e7785b4bd4fccaafad5c64a30342345e8cc6801
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Apr 20 16:52:11 2023 +0100

    Add a SECURITY.txt file describing the GNU Binutils project's stance on security related bugs.

Diff:
---
 ChangeLog             |  5 ++++
 SECURITY.txt          |  6 +++++
 binutils/ChangeLog    |  4 +++
 binutils/SECURITY.txt | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++
 src-release.sh        |  2 +-
 5 files changed, 84 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index f81f5597dfe..bf4996d3f1b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2023-04-20  Nick Clifton  <nickc@redhat.com>
+
+	* SECURITY.txt: New file.
+	* src-release.sh (DEVO_SUPPORT): Add SECURITY.txt.
+
 2022-12-31  Nick Clifton  <nickc@redhat.com>
 
 	* 2.40 binutils branch created.
diff --git a/SECURITY.txt b/SECURITY.txt
new file mode 100644
index 00000000000..a0879e3c3e2
--- /dev/null
+++ b/SECURITY.txt
@@ -0,0 +1,6 @@
+
+For details on the Binutils security process please see
+the SECURITY.txt file in the binutils sub-directory.
+
+For details on the GDB security process please see
+the SECURITY.txt file in the gdb sub-directory.
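Review bot: the second paragraph points readers at "the SECURITY.txt file in the gdb sub-directory", but this commit adds no such file (the diffstat lists only SECURITY.txt and binutils/SECURITY.txt), so the pointer dangles until GDB ships its own; either drop that paragraph until gdb/SECURITY.txt exists or note that it is forthcoming. Minor style point: the file opens with an empty line, which can be removed.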
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 22ca79cfb96..d2b862aedef 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,7 @@
+2023-04-20  Nick Clifton  <nickc@redhat.com>
+
+	* SECURITY.txt: New file.
+
 2023-04-19  Nick Clifton  <nickc@redhat.com>
 
 	PR 30355
diff --git a/binutils/SECURITY.txt b/binutils/SECURITY.txt
new file mode 100644
index 00000000000..d9542342b38
--- /dev/null
+++ b/binutils/SECURITY.txt
@@ -0,0 +1,68 @@
+Binutils Security Process
+=========================
+
+What is a binutils security bug?
+================================
+
+    A security bug is one that threatens the security of a system or
+    network, or might compromise the security of data stored on it.
+    In the context of GNU Binutils there are two ways in which such
+    bugs might occur.  In the first, the programs themselves might be
+    tricked into a direct compromise of security.  In the second, the
+    tools might introduce a vulnerability in the generated output that
+    was not already present in the files used as input. 
+
+    Other than that, all other bugs will be treated as non-security
+    issues.  This does not mean that they will be ignored, just that
+    they will not be given the priority that is given to security bugs.
+
+    This stance applies to the creation tools in the GNU Binutils (eg
+    as, ld, gold, objcopy) and the libraries that they use.  Bugs in
+    inspection tools (eg readelf, nm objdump) will not be considered
+    to be security bugs, since they do not create executable output
+    files.
+
+Notes:
+======
+
+    None of the programs in the GNU Binutils suite need elevated
+    privileges to operate and it is recommended that users do not use
+    them from accounts where such privileges are automatically
+    available.
+
+    The inspection tools are intended to be robust but nevertheless
+    they should be appropriately sandboxed if they are used to examine
+    malicious or potentially malicious input files.
+
+Reporting private security bugs
+===============================
+
+   *All bugs reported in the Binutils Bugzilla are public.*
+
+   In order to report a private security bug that is not immediately
+   public, please contact one of the downstream distributions with
+   security teams.  The following teams have volunteered to handle
+   such bugs:
+
+      Debian:  security@debian.org
+      Red Hat: secalert@redhat.com
+      SUSE:    security@suse.de
+
+   Please report the bug to just one of these teams.  It will be shared
+   with other teams as necessary.
+
+   The team contacted will take care of details such as vulnerability
+   rating and CVE assignment (http://cve.mitre.org/about/).  It is likely
+   that the team will ask to file a public bug because the issue is
+   sufficiently minor and does not warrant an embargo.  An embargo is not
+   a requirement for being credited with the discovery of a security
+   vulnerability.
+
+Reporting public security bugs
+==============================
+
+   It is expected that critical security bugs will be rare, and that most
+   security bugs can be reported in Binutils Bugzilla system, thus making
+   them public immediately.  The system can be found here:
+
+      https://sourceware.org/bugzilla/
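Review bot: the indentation is inconsistent across sections, with the first three sections indented by four spaces and the two "Reporting ..." sections by three; pick one. Smaller points in the same hunk: "input. " carries trailing whitespace; "(eg readelf, nm objdump)" is missing a comma between nm and objdump (and "e.g." would match usual GNU documentation style); "reported in Binutils Bugzilla system" reads better as "reported in the Binutils Bugzilla system"; and the CVE link should use https://cve.mitre.org/about/ rather than plain http. It would also help to say explicitly that the inspection tools are still expected to be fixed when they crash on crafted input, so the "will not be considered to be security bugs" sentence is not read as "will not be fixed".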
diff --git a/src-release.sh b/src-release.sh
index ec28f8691c7..c974ea05473 100755
--- a/src-release.sh
+++ b/src-release.sh
@@ -45,7 +45,7 @@ DEVO_SUPPORT="ar-lib ChangeLog compile config config-ml.in config.guess \
 	ltmain.sh ltoptions.m4 ltsugar.m4 ltversion.m4 lt~obsolete.m4 \
 	MAINTAINERS Makefile.def Makefile.in Makefile.tpl missing mkdep \
 	mkinstalldirs move-if-change README README-maintainer-mode \
-	src-release.sh symlink-tree test-driver ylwrap"
+	SECURITY.txt src-release.sh symlink-tree test-driver ylwrap"
 
 # Files in devo/etc used in any net release.
 ETC_SUPPORT="Makefile.in configure configure.in standards.texi \
