Binutils Security Process
=========================

What is a binutils security bug?
================================

A security bug is one that threatens the security of a system or
network, or might compromise the security of data stored on it.
In the context of GNU Binutils there are two ways in which such
bugs might occur. In the first, the programs themselves might be
tricked into a direct compromise of security. In the second, the
tools might introduce a vulnerability in the generated output that
was not already present in the files used as input.

All other bugs will be treated as non-security issues. This does
not mean that they will be ignored, just that they will not be given
the priority that is given to security bugs.

This stance applies to the creation tools in the GNU Binutils (eg
as, ld, gold, objcopy) and the libraries that they use. Bugs in
inspection tools (eg readelf, nm, objdump) will not be considered
to be security bugs, since they do not create executable output
files.

Notes:
======

None of the programs in the GNU Binutils suite need elevated
privileges to operate and it is recommended that users do not use
them from accounts where such privileges are automatically
available.

The inspection tools are intended to be robust but nevertheless
they should be appropriately sandboxed if they are used to examine
malicious or potentially malicious input files.

Reporting private security bugs
===============================

*All bugs reported in the Binutils Bugzilla are public.*

In order to report a private security bug that is not immediately
public, please contact one of the downstream distributions with
security teams. The following teams have volunteered to handle
such bugs:

  Debian:  security@debian.org
  Red Hat: secalert@redhat.com
  SUSE:    security@suse.de

Please report the bug to just one of these teams. It will be shared
with other teams as necessary.

The team contacted will take care of details such as vulnerability
rating and CVE assignment (https://cve.mitre.org/about/). It is likely
that the team will ask you to file a public bug because the issue is
sufficiently minor and does not warrant an embargo. An embargo is not
a requirement for being credited with the discovery of a security
vulnerability.

Reporting public security bugs
==============================

It is expected that critical security bugs will be rare, and that most
security bugs can be reported in the Binutils Bugzilla system, thus
making them public immediately. The system can be found here:

  https://sourceware.org/bugzilla/