* [PATCH] SECURITY.txt: Drop "exploitable" in reference to hardening issues
@ 2023-12-18 14:35 Siddhesh Poyarekar
2024-01-09 15:12 ` Siddhesh Poyarekar
0 siblings, 1 reply; 3+ messages in thread
From: Siddhesh Poyarekar @ 2023-12-18 14:35 UTC (permalink / raw)
To: gcc Patches
The "exploitable vulnerability" may lead to a misunderstanding that
missed hardening issues are considered vulnerabilities, just that
they're not exploitable. This is not true, since while hardening bugs
may be security-relevant, the absence of hardening does not make a
program any more vulnerable to exploits than without.
Drop the "exploitable" word to make it clear that missed hardening is
not considered a vulnerability.
diff --git a/SECURITY.txt b/SECURITY.txt
index b3e2bbfda90..126603d4c22 100644
--- a/SECURITY.txt
+++ b/SECURITY.txt
@@ -155,10 +155,10 @@ Security features implemented in GCC
GCC implements a number of security features that reduce the impact
of security issues in applications, such as -fstack-protector,
-fstack-clash-protection, _FORTIFY_SOURCE and so on. A failure of
- these features to function perfectly in all situations is not an
- exploitable vulnerability in itself since it does not affect the
- correctness of programs. Further, they're dependent on heuristics
- and may not always have full coverage for protection.
+ these features to function perfectly in all situations is not a
+ vulnerability in itself since it does not affect the correctness of
+ programs. Further, they're dependent on heuristics and may not
+ always have full coverage for protection.
Similarly, GCC may transform code in a way that the correctness of
the expressed algorithm is preserved, but supplementary properties
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] SECURITY.txt: Drop "exploitable" in reference to hardening issues
2023-12-18 14:35 [PATCH] SECURITY.txt: Drop "exploitable" in reference to hardening issues Siddhesh Poyarekar
@ 2024-01-09 15:12 ` Siddhesh Poyarekar
2024-01-09 15:32 ` Richard Biener
0 siblings, 1 reply; 3+ messages in thread
From: Siddhesh Poyarekar @ 2024-01-09 15:12 UTC (permalink / raw)
To: gcc Patches
On 2023-12-18 09:35, Siddhesh Poyarekar wrote:
> The "exploitable vulnerability" may lead to a misunderstanding that
> missed hardening issues are considered vulnerabilities, just that
> they're not exploitable. This is not true, since while hardening bugs
> may be security-relevant, the absence of hardening does not make a
> program any more vulnerable to exploits than without.
>
> Drop the "exploitable" word to make it clear that missed hardening is
> not considered a vulnerability.
Ping, may I commit this if there are no objections?
Thanks,
Sid
>
> diff --git a/SECURITY.txt b/SECURITY.txt
> index b3e2bbfda90..126603d4c22 100644
> --- a/SECURITY.txt
> +++ b/SECURITY.txt
> @@ -155,10 +155,10 @@ Security features implemented in GCC
> GCC implements a number of security features that reduce the impact
> of security issues in applications, such as -fstack-protector,
> -fstack-clash-protection, _FORTIFY_SOURCE and so on. A failure of
> - these features to function perfectly in all situations is not an
> - exploitable vulnerability in itself since it does not affect the
> - correctness of programs. Further, they're dependent on heuristics
> - and may not always have full coverage for protection.
> + these features to function perfectly in all situations is not a
> + vulnerability in itself since it does not affect the correctness of
> + programs. Further, they're dependent on heuristics and may not
> + always have full coverage for protection.
>
> Similarly, GCC may transform code in a way that the correctness of
> the expressed algorithm is preserved, but supplementary properties
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] SECURITY.txt: Drop "exploitable" in reference to hardening issues
2024-01-09 15:12 ` Siddhesh Poyarekar
@ 2024-01-09 15:32 ` Richard Biener
0 siblings, 0 replies; 3+ messages in thread
From: Richard Biener @ 2024-01-09 15:32 UTC (permalink / raw)
To: Siddhesh Poyarekar; +Cc: gcc Patches
> Am 09.01.2024 um 16:13 schrieb Siddhesh Poyarekar <siddhesh@gotplt.org>:
>
> On 2023-12-18 09:35, Siddhesh Poyarekar wrote:
>> The "exploitable vulnerability" may lead to a misunderstanding that missed hardening issues are considered vulnerabilities, just that they're not exploitable. This is not true, since while hardening bugs may be security-relevant, the absence of hardening does not make a program any more vulnerable to exploits than without.
>> Drop the "exploitable" word to make it clear that missed hardening is not considered a vulnerability.
>
> Ping, may I commit this if there are no objections?
Go ahead.
Richard
> Thanks,
> Sid
>
>> diff --git a/SECURITY.txt b/SECURITY.txt
>> index b3e2bbfda90..126603d4c22 100644
>> --- a/SECURITY.txt
>> +++ b/SECURITY.txt
>> @@ -155,10 +155,10 @@ Security features implemented in GCC
>> GCC implements a number of security features that reduce the impact
>> of security issues in applications, such as -fstack-protector,
>> -fstack-clash-protection, _FORTIFY_SOURCE and so on. A failure of
>> - these features to function perfectly in all situations is not an
>> - exploitable vulnerability in itself since it does not affect the
>> - correctness of programs. Further, they're dependent on heuristics
>> - and may not always have full coverage for protection.
>> + these features to function perfectly in all situations is not a
>> + vulnerability in itself since it does not affect the correctness of
>> + programs. Further, they're dependent on heuristics and may not
>> + always have full coverage for protection.
>> Similarly, GCC may transform code in a way that the correctness of
>> the expressed algorithm is preserved, but supplementary properties
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-01-09 15:33 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-12-18 14:35 [PATCH] SECURITY.txt: Drop "exploitable" in reference to hardening issues Siddhesh Poyarekar
2024-01-09 15:12 ` Siddhesh Poyarekar
2024-01-09 15:32 ` Richard Biener
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).