From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from purple.birch.relay.mailchannels.net (purple.birch.relay.mailchannels.net [23.83.209.150]) by sourceware.org (Postfix) with ESMTPS id 6D0143858D32; Thu, 13 Apr 2023 11:53:26 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 6D0143858D32 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=gotplt.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gotplt.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 327F85006C6; Thu, 13 Apr 2023 11:53:25 +0000 (UTC) Received: from pdx1-sub0-mail-a305.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id AE23E501EC0; Thu, 13 Apr 2023 11:53:24 +0000 (UTC) ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1681386804; a=rsa-sha256; cv=none; b=lLx7YDkUp0UxCWewb6WrpGk2ZqHu1MrpN970NKMlWOPgP7hQcHcZatkKP7xCt/OsyHj2Vl BCd9jhHqRqGdLJbJKe9EH3X+3VpSj8+bVRzCZNue7y7LSC6WneafiUlI2AWstYxEC60y3G N1SmMhpUivv5tzpYOYAzkDyowpZDSLIEwURBf6fWY7FcUz2/EPSKA7fqCkal9lXv/xEUrC Isz9/PaK+cmkEye8cqqW9875Sk/LDj6w+vkdt82oxBOQojEob+YOkdzxRQYJUjlIuRWLmh /aRcQ60HKG2cZLklUfmyozdAaE9pmwXN6IbBEcW1BR3lyxRFOIIPOJg0gk1hcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1681386804; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=RMFp8UAbkdHrPXBlx2pD5ELTSyvlJyon4gJrwAAsy5Y=; b=dbOTb8Vh5WsopccXwEtuiWJiuG0pDIUR4nEOwsiJZDzXpFHEl3SJvennJ/r6aUAsYIm22I l4JyCOD2VBk1EioWa64jO3E+9GWiz/eznQSV9+2OumxYp3nWTIHoO1rxboSRCLNmJ+7sBA 7a656koZg8zakWKUjHrFxDR1SPvAx3xRJNvbwUs9NSlUv17yXKazoEhU6msJnRIFQU2Ojk B6nF/Mb4yMu01UyO/2wk7F+EdeBcPLcJvFMQQVs3rfMbyHcI5T8F92c4VGgpUFPd0xS6r+ UzTPCQ6RKJP0QiBY9o59wbshNFk5wQYgyMHMqFd3Nq0UoyIZ+yYMs7INpD89zw== ARC-Authentication-Results: i=1; rspamd-548d6c8f77-d8k59; auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@gotplt.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org X-MC-Relay: Neutral X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Blushing-Share: 609d4f7c02e30f0e_1681386805000_343054947 X-MC-Loop-Signature: 1681386805000:3421774865 X-MC-Ingress-Time: 1681386805000 Received: from pdx1-sub0-mail-a305.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.107.49.248 (trex/6.7.2); Thu, 13 Apr 2023 11:53:24 +0000 Received: from [192.168.2.12] (bras-vprn-toroon4834w-lp130-09-174-91-45-153.dsl.bell.ca [174.91.45.153]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a305.dreamhost.com (Postfix) with ESMTPSA id 4Pxydc1NdKzHq; Thu, 13 Apr 2023 04:53:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gotplt.org; s=dreamhost; t=1681386804; bh=RMFp8UAbkdHrPXBlx2pD5ELTSyvlJyon4gJrwAAsy5Y=; h=Date:Subject:To:Cc:From:Content-Type:Content-Transfer-Encoding; b=OkwEkzsXIucCnEGYKb/rHaoF+mJ/pgCxtxb96n95R4TDkg+nNc/Q8XZJ9Fd68DiP5 MigqkWHzf0Z8qGvoq+rJ/1e1OOwPTI0KCD0Sv1G5mVSRH9RE0o95pADSACvjtyQykN r+IPva8XPqff3CLKt4CE7MfyCYbLaZJdwb0V3RqCmhqxUB94XWyOOVeSLM8T0a5ddj gqiLu8Q9MTYayhmWqH1DUjnct1XzyDBjuY2/JYzNP/RbwC9+fag4+du9nSkD1q2T1o Zy7XteoXEIyfpfB3qp5MJe+yk4t0kLrN+ECmxqR+TjoXvpWIWPyzne6AkODiJcUmcX HdswbaySCk0ug== Message-ID: <7b6b10f8-e480-8efa-fbb8-4fc4bf2cf356@gotplt.org> Date: Thu, 13 Apr 2023 07:53:22 -0400 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.1 Subject: Re: RFC: Adding a SECURITY.md document to the Binutils Content-Language: en-US To: Richard Earnshaw , Nick Clifton , Binutils Cc: "gdb@sourceware.org" References: <1c38b926-e003-0e21-e7f1-3d5dbec2aabf@redhat.com> <5b147005-bd28-4cf9-b9e7-479ef02cb1ad@foss.arm.com> <5d044987-39eb-a060-1b2b-9d07b1515e7d@gotplt.org> <73bc480a-a927-2773-8756-50350f76dfbf@gotplt.org> <4ed86e65-0b7f-11d4-8061-2c5d0b1e147e@foss.arm.com> From: Siddhesh Poyarekar In-Reply-To: <4ed86e65-0b7f-11d4-8061-2c5d0b1e147e@foss.arm.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-3027.5 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MEDICAL_SUBJECT,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On 2023-04-13 06:25, Richard Earnshaw wrote: > So mention of networks reminds me that you don't always need privilege > escalation to have a security compromise - simply transmitting a file to > a third party, if that wasn't intended, would be enough. None of the tools can guarantee this with untrusted input when executing as a local user; this is why the last bit of sandboxing to analyze untrusted input comes in. > So I would suggest: > > A security bug is one that threatens the security of a system or > network, or might compromise the security of data stored on it.  In the > context of GNU Binutils there are two ways in which such bugs might > occur.  In the first, the programs themselves might be tricked into a > direct compromise of security.  In the second, the tools might introduce "Direct compromise of security" is essentially what we're trying to define more strongly to prevent spurious CVE assignments. > a vulnerability in the generated output that was not already present in > the files used as input. > > Note: none of the programs in the GNU Binutils suite need elevated > system privileges (eg setuid) to operate and we recommend that users do > not use them from accounts where such privileges are automatically > available. We did have CVE-2021-20197, so it's not always setuid. Thanks, Sid