[thirdparty/binutils-gdb.git] / binutils / SECURITY.txt

Binutils Security Process
=========================

What is a binutils security bug?
================================

    A security bug is one that threatens the security of a system or
    network, or might compromise the security of data stored on it.
    In the context of GNU Binutils there are two ways in which such
    bugs might occur.  In the first, the programs themselves might be
    tricked into a direct compromise of security.  In the second, the
    tools might introduce a vulnerability in the generated output that
    was not already present in the files used as input.

    Other than that, all other bugs will be treated as non-security
    issues.  This does not mean that they will be ignored, just that
    they will not be given the priority that is given to security bugs.

    This stance applies to the creation tools in the GNU Binutils (eg
    as, ld, gold, objcopy) and the libraries that they use.  Bugs in
    inspection tools (eg readelf, nm objdump) will not be considered
    to be security bugs, since they do not create executable output
    files.

Notes:
======

    None of the programs in the GNU Binutils suite need elevated
    privileges to operate and it is recommended that users do not use
    them from accounts where such privileges are automatically
    available.

    The inspection tools are intended to be robust but nevertheless
    they should be appropriately sandboxed if they are used to examine
    malicious or potentially malicious input files.

Reporting private security bugs
===============================

   *All bugs reported in the Binutils Bugzilla are public.*

   In order to report a private security bug that is not immediately
   public, please contact one of the downstream distributions with
   security teams.  The following teams have volunteered to handle
   such bugs:

      Debian:  security@debian.org
      Red Hat: secalert@redhat.com
      SUSE:    security@suse.de

   Please report the bug to just one of these teams.  It will be shared
   with other teams as necessary.

   The team contacted will take care of details such as vulnerability
   rating and CVE assignment (https://cve.mitre.org/about/).  It is likely
   that the team will ask to file a public bug because the issue is
   sufficiently minor and does not warrant an embargo.  An embargo is not
   a requirement for being credited with the discovery of a security
   vulnerability.

Reporting public security bugs
==============================

   It is expected that critical security bugs will be rare, and that most
   security bugs can be reported in Binutils Bugzilla system, thus making
   them public immediately.  The system can be found here:

      https://sourceware.org/bugzilla/
Commit	Line	Data
8e7785b4 NC	1	Binutils Security Process
	2	=========================
	3
	4	What is a binutils security bug?
	5	================================
	6
	7	A security bug is one that threatens the security of a system or
	8	network, or might compromise the security of data stored on it.
	9	In the context of GNU Binutils there are two ways in which such
	10	bugs might occur. In the first, the programs themselves might be
	11	tricked into a direct compromise of security. In the second, the
	12	tools might introduce a vulnerability in the generated output that
ca86dbbd	13	was not already present in the files used as input.
8e7785b4 NC	14
	15	Other than that, all other bugs will be treated as non-security
	16	issues. This does not mean that they will be ignored, just that
	17	they will not be given the priority that is given to security bugs.
	18
	19	This stance applies to the creation tools in the GNU Binutils (eg
	20	as, ld, gold, objcopy) and the libraries that they use. Bugs in
	21	inspection tools (eg readelf, nm objdump) will not be considered
	22	to be security bugs, since they do not create executable output
	23	files.
	24
	25	Notes:
	26	======
	27
	28	None of the programs in the GNU Binutils suite need elevated
	29	privileges to operate and it is recommended that users do not use
	30	them from accounts where such privileges are automatically
	31	available.
	32
	33	The inspection tools are intended to be robust but nevertheless
	34	they should be appropriately sandboxed if they are used to examine
	35	malicious or potentially malicious input files.
	36
	37	Reporting private security bugs
	38	===============================
	39
	40	All bugs reported in the Binutils Bugzilla are public.
	41
	42	In order to report a private security bug that is not immediately
	43	public, please contact one of the downstream distributions with
	44	security teams. The following teams have volunteered to handle
	45	such bugs:
	46
	47	Debian: security@debian.org
	48	Red Hat: secalert@redhat.com
	49	SUSE: security@suse.de
	50
	51	Please report the bug to just one of these teams. It will be shared
	52	with other teams as necessary.
	53
	54	The team contacted will take care of details such as vulnerability
ca86dbbd	55	rating and CVE assignment (https://cve.mitre.org/about/). It is likely
8e7785b4 NC	56	that the team will ask to file a public bug because the issue is
	57	sufficiently minor and does not warrant an embargo. An embargo is not
	58	a requirement for being credited with the discovery of a security
	59	vulnerability.
	60
	61	Reporting public security bugs
	62	==============================
	63
	64	It is expected that critical security bugs will be rare, and that most
	65	security bugs can be reported in Binutils Bugzilla system, thus making
	66	them public immediately. The system can be found here:
	67
	68	https://sourceware.org/bugzilla/