mirror of https://sourceware.org/git/binutils-gdb.git
synced 2024-11-23 01:53:38 +08:00
Add a SECURITY.txt file describing the GNU Binutils project's stance on security-related bugs.
parent b6b746e6b8
commit 8e7785b4bd
@ -1,3 +1,8 @@
2023-04-20 Nick Clifton <nickc@redhat.com>

* SECURITY.txt: New file.
* src-release.sh (DEVO_SUPPORT): Add SECURITY.txt.

2022-12-31 Nick Clifton <nickc@redhat.com>

* 2.40 binutils branch created.
6
SECURITY.txt
Normal file
@ -0,0 +1,6 @@

For details on the Binutils security process please see
the SECURITY.txt file in the binutils sub-directory.

For details on the GDB security process please see
the SECURITY.txt file in the gdb sub-directory.
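Review bot: the second paragraph directs readers to a SECURITY.txt in the gdb sub-directory, but this commit adds only binutils/SECURITY.txt (neither the ChangeLog entries nor the file headers in this commit mention a gdb/ file), so either add the GDB file in the same change or confirm it already exists, otherwise the pointer is dangling for anyone who reads the top-level file in a release tarball. A smaller point: the file starts with an empty line, which can be dropped.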
@ -1,3 +1,7 @@
2023-04-20 Nick Clifton <nickc@redhat.com>

* SECURITY.txt: New file.

2023-04-19 Nick Clifton <nickc@redhat.com>

PR 30355
68
binutils/SECURITY.txt
Normal file
@ -0,0 +1,68 @@
Binutils Security Process
=========================

What is a binutils security bug?
================================

A security bug is one that threatens the security of a system or
network, or might compromise the security of data stored on it.
In the context of GNU Binutils there are two ways in which such
bugs might occur. In the first, the programs themselves might be
tricked into a direct compromise of security. In the second, the
tools might introduce a vulnerability in the generated output that
was not already present in the files used as input.

Other than that, all other bugs will be treated as non-security
issues. This does not mean that they will be ignored, just that
they will not be given the priority that is given to security bugs.

This stance applies to the creation tools in the GNU Binutils (eg
as, ld, gold, objcopy) and the libraries that they use. Bugs in
inspection tools (eg readelf, nm objdump) will not be considered
to be security bugs, since they do not create executable output
files.

Notes:
======

None of the programs in the GNU Binutils suite need elevated
privileges to operate and it is recommended that users do not use
them from accounts where such privileges are automatically
available.

The inspection tools are intended to be robust but nevertheless
they should be appropriately sandboxed if they are used to examine
malicious or potentially malicious input files.

Reporting private security bugs
===============================

*All bugs reported in the Binutils Bugzilla are public.*

In order to report a private security bug that is not immediately
public, please contact one of the downstream distributions with
security teams. The following teams have volunteered to handle
such bugs:

Debian: security@debian.org
Red Hat: secalert@redhat.com
SUSE: security@suse.de

Please report the bug to just one of these teams. It will be shared
with other teams as necessary.

The team contacted will take care of details such as vulnerability
rating and CVE assignment (http://cve.mitre.org/about/). It is likely
that the team will ask to file a public bug because the issue is
sufficiently minor and does not warrant an embargo. An embargo is not
a requirement for being credited with the discovery of a security
vulnerability.

Reporting public security bugs
==============================

It is expected that critical security bugs will be rare, and that most
security bugs can be reported in Binutils Bugzilla system, thus making
them public immediately. The system can be found here:

https://sourceware.org/bugzilla/
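Review bot: the tool list in the "This stance applies" paragraph reads "readelf, nm objdump" and is missing a comma ("readelf, nm, objdump"). In the "Reporting private security bugs" section, "It is likely that the team will ask to file a public bug because the issue is sufficiently minor" states that every issue is minor; the intended conditional is "if the issue is sufficiently minor", and the CVE reference should use https rather than plain http since the rest of the document links over https. The policy itself is consistent: the inspection tools are declared out of scope for security handling while the Notes section tells users to sandbox them when examining untrusted input, which is the right pairing, but it would help reporters to say in the same paragraph that crashes in readelf/nm/objdump on malformed input are still wanted as ordinary Bugzilla bugs, as the "not ignored" sentence two paragraphs earlier implies.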
@ -45,7 +45,7 @@ DEVO_SUPPORT="ar-lib ChangeLog compile config config-ml.in config.guess \
ltmain.sh ltoptions.m4 ltsugar.m4 ltversion.m4 lt~obsolete.m4 \
MAINTAINERS Makefile.def Makefile.in Makefile.tpl missing mkdep \
mkinstalldirs move-if-change README README-maintainer-mode \
src-release.sh symlink-tree test-driver ylwrap"
SECURITY.txt src-release.sh symlink-tree test-driver ylwrap"

# Files in devo/etc used in any net release.
ETC_SUPPORT="Makefile.in configure configure.in standards.texi \
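Review bot: DEVO_SUPPORT now lists only the top-level SECURITY.txt, which is itself just a pointer to binutils/SECURITY.txt (and to a gdb/SECURITY.txt that this commit does not add); this hunk does not show how the binutils sub-directory is packaged, so confirm that src-release.sh ships binutils/SECURITY.txt in the release tarball, otherwise the shipped pointer refers to a file that is not there. The placement of the new entry before src-release.sh keeps the list in sort order.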