From: Nick Clifton
To: Binutils
Cc: siddhesh@gotplt.org, "gdb@sourceware.org"
Subject: RFC: Adding a SECURITY.md document to the Binutils
Date: Fri, 7 Apr 2023 09:42:25 +0100
Message-ID: <1c38b926-e003-0e21-e7f1-3d5dbec2aabf@redhat.com>

Hi Guys,

  Many open source projects have a SECURITY.md file which explains
their stance on security related bugs.
So I thought that it would be a good idea if we had one too.

The top level file would actually just be a placeholder, like this:

------------- ./SECURITY.md ------------------------------------------
For details on the Binutils security process please see the SECURITY.md
file in the binutils sub-directory.

For details on the GDB security process please see the SECURITY.md
file in the gdb sub-directory.
--------------------------------------------------------------------

So this email is mostly about the wording for the Binutils specific
version. Here is my current proposal:

---------------- binutils/SECURITY.md ------------------------------
Binutils Security Process
=========================

What is a binutils security bug?
================================

A security bug is one that threatens the security of a system or
network. In the context of the GNU Binutils this means a bug that
relates to the creation of corrupt output files from valid, trusted
inputs. Even then the bug would only have a security impact if the
code invokes undefined behaviour or results in a privilege boundary
being crossed.

Other than that, all other bugs will be treated as non-security
issues. This does not mean that they will be ignored, just that they
will not be given the priority that is given to security bugs.

This stance applies to the creation tools in the GNU Binutils (eg as,
ld, gold, objcopy) and the libraries that they use. Bugs in inspection
tools (eg readelf, nm, objdump) will not be considered to be security
bugs, since they do not create executable output files. When used on
untrusted inputs, these inspection tools should be appropriately
sandboxed to mitigate potential damage due to any malicious input
files.
Reporting private security bugs
===============================

*All bugs reported in the Binutils Bugzilla are public.*

In order to report a private security bug that is not immediately
public, please contact one of the downstream distributions with
security teams. The following teams have volunteered to handle such
bugs:

  Debian:  security@debian.org
  Red Hat: secalert@redhat.com
  SUSE:    security@suse.de

Please report the bug to just one of these teams. It will be shared
with other teams as necessary.

The team contacted will take care of details such as vulnerability
rating and CVE assignment (http://cve.mitre.org/about/). It is likely
that the team will ask to file a public bug because the issue is
sufficiently minor and does not warrant an embargo. An embargo is not
a requirement for being credited with the discovery of a security
vulnerability.

Reporting public security bugs
==============================

It is expected that critical security bugs will be rare, and that most
security bugs can be reported in the Binutils Bugzilla system, thus
making them public immediately. The system can be found here:

  https://sourceware.org/bugzilla/

----------------------------------------------------------------------

Thoughts ? Comments ?

Cheers
  Nick