From 1e3f1f91b6e39d3daa4d3b86f15235bdda83b58b Mon Sep 17 00:00:00 2001 From: "Frank Ch. Eigler" Date: Mon, 3 Jul 2023 10:19:23 -0400 Subject: [PATCH] SECURITY: new file Policy drafted in April 2023. https://inbox.sourceware.org/elfutils-devel/20230407005600.GB10746@redhat.com/ Added links to README, and mentioned in configury/spec files for installation. Signed-off-by: Frank Ch. Eigler --- Makefile.am | 2 +- README | 2 ++ SECURITY | 56 +++++++++++++++++++++++++++++++++++++++++ config/elfutils.spec.in | 2 +- 4 files changed, 60 insertions(+), 2 deletions(-) create mode 100644 SECURITY diff --git a/Makefile.am b/Makefile.am index e92e05c20..41badfd74 100644 --- a/Makefile.am +++ b/Makefile.am @@ -29,7 +29,7 @@ pkginclude_HEADERS = version.h SUBDIRS = config lib libelf libcpu backends libebl libdwelf libdwfl libdw \ libasm debuginfod src po doc tests -EXTRA_DIST = elfutils.spec GPG-KEY NOTES CONTRIBUTING \ +EXTRA_DIST = elfutils.spec GPG-KEY NOTES CONTRIBUTING SECURITY \ COPYING COPYING-GPLV2 COPYING-LGPLV3 # Make sure the test install uses lib64 when $LIB will yield lib64. diff --git a/README b/README index 06a9fcd0d..690febdf5 100644 --- a/README +++ b/README @@ -29,3 +29,5 @@ Or use the form at https://sourceware.org/mailman/listinfo/elfutils-devel See the CONTRIBUTING file for how to propose patches to the code. See the NOTES files for some design decisions and notes. + +See the SECURITY file for defining and handling security-sensitive bugs. diff --git a/SECURITY b/SECURITY new file mode 100644 index 000000000..677802c6b --- /dev/null +++ b/SECURITY @@ -0,0 +1,56 @@ + +The elfutils library and utilities aim to be generally robust and +reliable. However, elfutils routinely processes complex binary +structured data. This makes the code intricate and sometimes brittle. +While elfutils developers use a variety of static and dynamic checker +software (valgrind, sanitizers) in testing, bugs may remain. Some of +these bugs may have security-related implications. + + +While many errors are cleanly detected at runtime, it is possible that +vulnerabilities exist that could be exploitable. These may arise from +crafted / fuzzed / erroneous inputs, or perhaps even from valid inputs +with unforseen characteristics. Therefore, to minimize risks, users +of elfutils tools and libraries should consider measures such as: + +- avoiding running complex elfutils analysis on untrustworthy inputs +- avoiding running elfutils tools as privileged processes +- applying common platform level protection mechanisms such as + selinux, syscall filtering, hardened compilation, etc. + +Since most elfutils tools are run in short-lived, local, interactive, +development context rather than remotely "in production", we generally +treat malfunctions as ordinary bugs rather than security vulnerabilities. + + +Elfutils includes one network client/server: debuginfod. The +debuginfod man page contains a SECURITY section outlining the general +risks. tl;dr: many classes of server problems are delegated to +front-end proxies and curated elf/dwarf archives of the operator; +others to careful configuration of the debuginfod client. These are +not generally reportable as security vulnerabilities. However, we are +likely to accept security vulnerability reports related to: + +- availability: e.g., remotely exploitable server crash, but not + routine resource exhaustion or overload; client crash due to + unexpected valid traffic from trusted server + +- confidentiality: e.g., allowing the server to expose one client's + traffic to another client + +- integrity: e.g., causing the server to send erroneous + elf/dwarf/source data across the webapi; causing the client to + corrupt its cache to lose file integrity + +We welcome reports that are tangential to any of these subjects. + +Please report bugs via any of: +- email to +- https://sourceware.org/bugzilla/enter_bug.cgi?product=elfutils + +After considering the above exclusions, please report suspected +security vulnerabilities confidentially via any of: + +- email to +- email to +- email to diff --git a/config/elfutils.spec.in b/config/elfutils.spec.in index 5d56dfca9..9277c08f7 100644 --- a/config/elfutils.spec.in +++ b/config/elfutils.spec.in @@ -233,7 +233,7 @@ fi %files %license COPYING COPYING-GPLV2 COPYING-LGPLV3 doc/COPYING-GFDL -%doc README TODO CONTRIBUTING +%doc README TODO CONTRIBUTING SECURITY %{_bindir}/eu-addr2line %{_bindir}/eu-ar %{_bindir}/eu-elfclassify -- 2.39.5