From: Jan Beulich (via the Gdb list)
Reply-To: Jan Beulich
Date: Sat, 8 Apr 2023 08:30:27 +0200
Subject: Re: RFC: Adding a SECURITY.md document to the Binutils
To: Nick Clifton
Cc: siddhesh@gotplt.org, gdb@sourceware.org, Binutils
Message-ID: <68586aaa-f669-0045-d2b9-28f673362b66@suse.com>
In-Reply-To: <1c38b926-e003-0e21-e7f1-3d5dbec2aabf@redhat.com>
List-Id: Gdb mailing list

On 07.04.2023 10:42, Nick Clifton via Binutils wrote:
> Hi Guys,
>
>   Many open source projects have a SECURITY.md file which explains
>   their stance on security related bugs.  So I thought that it would
>   be a good idea if we had one too.  The top level file would actually
>   just be a placeholder, like this:
>
> ------------- ./SECURITY.md ------------------------------------------
> For details on the Binutils security process please see
> the SECURITY.md file in the binutils sub-directory.
>
> For details on the GDB security process please see
> the SECURITY.md file in the gdb sub-directory.
> --------------------------------------------------------------------
>
>   So this email is mostly about the wording for the Binutils specific
>   version.  Here is my current proposal:
>
> ---------------- binutils/SECURITY.md ------------------------------
> Binutils Security Process
> =========================
>
> What is a binutils security bug?
> ================================
>
>    A security bug is one that threatens the security of a system or
>    network.  In the context of the GNU Binutils this means a bug that
>    relates to the creation of corrupt output files from valid, trusted
>    inputs.  Even then the bug would only have a security impact if
>    the code invokes undefined behaviour or results in a privilege
>    boundary being crossed.
>
>    Other than that, all other bugs will be treated as non-security
>    issues.  This does not mean that they will be ignored, just that
>    they will not be given the priority that is given to security bugs.
>
>    This stance applies to the creation tools in the GNU Binutils (eg
>    as, ld, gold, objcopy) and the libraries that they use.  Bugs in
>    inspection tools (eg readelf, nm, objdump) will not be considered
>    to be security bugs, since they do not create executable output
>    files.  When used on untrusted inputs, these inspection tools
>    should be appropriately sandboxed to mitigate potential damage
>    due to any malicious input files.
>
> Reporting private security bugs
> ===============================
>
>   *All bugs reported in the Binutils Bugzilla are public.*
>
>   In order to report a private security bug that is not immediately
>   public, please contact one of the downstream distributions with
>   security teams.  The following teams have volunteered to handle such
>   bugs:
>
>      Debian:  security@debian.org
>      Red Hat: secalert@redhat.com
>      SUSE:    security@suse.de
>
>   Please report the bug to just one of these teams.  It will be shared
>   with other teams as necessary.
>
>   The team contacted will take care of details such as vulnerability
>   rating and CVE assignment (http://cve.mitre.org/about/).  It is likely
>   that the team will ask to file a public bug because the issue is
>   sufficiently minor and does not warrant an embargo.  An embargo is not
>   a requirement for being credited with the discovery of a security
>   vulnerability.
>
> Reporting public security bugs
> ==============================
>
>   It is expected that critical security bugs will be rare, and that most
>   security bugs can be reported in the Binutils Bugzilla system, thus
>   making them public immediately.  The system can be found here:
>
>      https://sourceware.org/bugzilla/
>
> ----------------------------------------------------------------------
>
>   Thoughts ?  Comments ?

Making aspects like this explicit (and easily findable) is certainly a good
thing imo.

Jan
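The proposed text tells users to sandbox readelf, nm and objdump when they are pointed at untrusted inputs but does not say how. The wrapper below is an added example, written for this page; it is not part of the RFC, of the proposed SECURITY.md, or of the Binutils tree. It runs an inspection tool under hard rlimits (CPU time, address space, output file size, no core dumps), a wall-clock timeout and a scrubbed environment, and can optionally put the tool in a read-only, network-less bubblewrap container. It assumes a Linux host; the names run_inspector, bwrap_prefix and InspectResult are mine, and the bwrap step assumes bwrap is installed and user namespaces are permitted.

```python
"""Run a Binutils inspection tool (readelf, nm, objdump, ...) on an untrusted
input under hard resource limits, a wall-clock timeout and a minimal
environment.  Added example for this page; not code from the RFC or from
the Binutils tree.  Assumes Linux; the optional bubblewrap step assumes
`bwrap` is installed and user namespaces are allowed."""
import resource
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class InspectResult:
    status: str              # "ok", "failed" (non-zero exit or signal), "timeout"
    returncode: Optional[int]
    stdout: str
    stderr: str


def _cap(res: int, value: int) -> None:
    """Set soft and hard limit to `value`, never above the existing hard limit."""
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _limits(cpu_seconds: int, mem_bytes: int, out_bytes: int):
    """Return the callable run in the child between fork() and exec().

    rlimits survive exec(), so they bind the inspection tool itself."""
    def apply() -> None:
        _cap(resource.RLIMIT_CPU, cpu_seconds)   # runaway parsing loops
        _cap(resource.RLIMIT_AS, mem_bytes)      # oversized section/symbol tables
        _cap(resource.RLIMIT_FSIZE, out_bytes)   # disk-filling writes
        _cap(resource.RLIMIT_CORE, 0)            # no core dumps of attacker data
    return apply


def bwrap_prefix() -> List[str]:
    """bubblewrap arguments for a read-only, network-less, PID-isolated view
    of the host filesystem (assumption: a current bwrap with these options)."""
    return ["bwrap", "--ro-bind", "/", "/", "--dev", "/dev", "--proc", "/proc",
            "--unshare-all", "--die-with-parent", "--new-session", "--"]


def _decode(data: Optional[bytes], limit: int) -> str:
    # Output derived from a malicious file need not be valid UTF-8.
    return (data or b"")[:limit].decode("utf-8", errors="replace")


def run_inspector(argv: Sequence[str], *, cpu_seconds: int = 10,
                  wall_seconds: float = 30, mem_bytes: int = 1 << 30,
                  out_bytes: int = 64 << 20, max_capture: int = 4 << 20,
                  use_bwrap: bool = False) -> InspectResult:
    """Run `argv` (e.g. ["readelf", "-a", "untrusted.o"]) under the limits above."""
    cmd = list(argv)
    if use_bwrap:
        if shutil.which("bwrap") is None:
            raise RuntimeError("bwrap requested but not installed")
        cmd = bwrap_prefix() + cmd
    env = {"PATH": "/usr/bin:/bin", "LC_ALL": "C"}   # no inherited secrets or locale surprises
    try:
        proc = subprocess.run(
            cmd, env=env, stdin=subprocess.DEVNULL, capture_output=True,
            timeout=wall_seconds,
            preexec_fn=_limits(cpu_seconds, mem_bytes, out_bytes),
        )
    except subprocess.TimeoutExpired as exc:
        # subprocess.run() has already killed the child; partial output is on exc.
        return InspectResult("timeout", None,
                             _decode(exc.stdout, max_capture),
                             _decode(exc.stderr, max_capture))
    status = "ok" if proc.returncode == 0 else "failed"
    return InspectResult(status, proc.returncode,
                         _decode(proc.stdout, max_capture),
                         _decode(proc.stderr, max_capture))


if __name__ == "__main__":
    import sys
    result = run_inspector(["readelf", "-h", sys.argv[1]],
                           use_bwrap=shutil.which("bwrap") is not None)
    print(result.status, result.returncode)
    print(result.stdout)
```

The rlimits bound CPU, memory and disk, the timeout bounds wall-clock time, and the scrubbed environment keeps tokens and locale settings out of the tool's reach; none of that stops a compromised tool from reading the filesystem or talking to the network, which is what the optional bwrap prefix (read-only root, all namespaces unshared) is for. Treat a "failed" or "timeout" result from a fuzzed or downloaded object as a crash report for the tool, not as a property of the file.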