From: Nick Clifton
Date: Thu, 20 Apr 2023 16:56:08 +0100
Subject: Re: RFC: Adding a SECURITY.md document to the Binutils
To: Binutils
Cc: siddhesh@gotplt.org, gdb@sourceware.org
In-Reply-To: <32b08080-f174-4a22-802a-a6b94fdd7b0d@FreeBSD.org>
Hi Guys,

Right, I have gone ahead and applied a patch to add the SECURITY.txt files to the sources. I realise that we may not have reached a final agreement on the exact wording, but I wanted to get the files in place now so that there is at least something there for others to see.

Cheers
Nick

PS. The text of the binutils/SECURITY.txt file that I checked in looks like this:

Binutils Security Process
=========================

What is a binutils security bug?
================================

A security bug is one that threatens the security of a system or network, or might compromise the security of data stored on it. In the context of GNU Binutils there are two ways in which such bugs might occur. In the first, the programs themselves might be tricked into a direct compromise of security. In the second, the tools might introduce a vulnerability in the generated output that was not already present in the files used as input.

Other than that, all other bugs will be treated as non-security issues. This does not mean that they will be ignored, just that they will not be given the priority that is given to security bugs.

This stance applies to the creation tools in the GNU Binutils (e.g. as, ld, gold, objcopy) and the libraries that they use. Bugs in inspection tools (e.g. readelf, nm, objdump) will not be considered to be security bugs, since they do not create executable output files.

Notes:
======

None of the programs in the GNU Binutils suite need elevated privileges to operate and it is recommended that users do not use them from accounts where such privileges are automatically available.

The inspection tools are intended to be robust but nevertheless they should be appropriately sandboxed if they are used to examine malicious or potentially malicious input files.
Reporting private security bugs
===============================

*All bugs reported in the Binutils Bugzilla are public.*

In order to report a private security bug that is not immediately public, please contact one of the downstream distributions with security teams. The following teams have volunteered to handle such bugs:

  Debian:  security@debian.org
  Red Hat: secalert@redhat.com
  SUSE:    security@suse.de

Please report the bug to just one of these teams. It will be shared with other teams as necessary.

The team contacted will take care of details such as vulnerability rating and CVE assignment (http://cve.mitre.org/about/). It is likely that the team will ask to file a public bug because the issue is sufficiently minor and does not warrant an embargo. An embargo is not a requirement for being credited with the discovery of a security vulnerability.

Reporting public security bugs
==============================

It is expected that critical security bugs will be rare, and that most security bugs can be reported in the Binutils Bugzilla system, thus making them public immediately. The system can be found here:

  https://sourceware.org/bugzilla/