From 8e7785b4bd4fccaafad5c64a30342345e8cc6801 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Thu, 20 Apr 2023 16:52:11 +0100 Subject: Add a SECURITY.txt file describing the GNU Binutils' project's stance on security related bugs. --- ChangeLog | 5 ++++ SECURITY.txt | 6 +++++ binutils/ChangeLog | 4 +++ binutils/SECURITY.txt | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++ src-release.sh | 2 +- 5 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 SECURITY.txt create mode 100644 binutils/SECURITY.txt diff --git a/ChangeLog b/ChangeLog index f81f559..bf4996d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2023-04-20 Nick Clifton + + * SECURITY.txt: New file. + * src-release.sh (DEVO_SUPPORT): Add SECURITY.txt. + 2022-12-31 Nick Clifton * 2.40 binutils branch created. diff --git a/SECURITY.txt b/SECURITY.txt new file mode 100644 index 0000000..a0879e3 --- /dev/null +++ b/SECURITY.txt @@ -0,0 +1,6 @@ + +For details on the Binutils security process please see +the SECURITY.txt file in the binutils sub-directory. + +For details on the GDB security process please see +the SECURITY.txt file in the gdb sub-directory. diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 22ca79c..d2b862a 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,7 @@ +2023-04-20 Nick Clifton + + * SECURITY.txt: New file. + 2023-04-19 Nick Clifton PR 30355 diff --git a/binutils/SECURITY.txt b/binutils/SECURITY.txt new file mode 100644 index 0000000..d954234 --- /dev/null +++ b/binutils/SECURITY.txt 
@@ -0,0 +1,68 @@ +Binutils Security Process +========================= + +What is a binutils security bug? +================================ + + A security bug is one that threatens the security of a system or + network, or might compromise the security of data stored on it. + In the context of GNU Binutils there are two ways in which such + bugs might occur. In the first, the programs themselves might be + tricked into a direct compromise of security. In the second, the + tools might introduce a vulnerability in the generated output that + was not already present in the files used as input. + + Other than that, all other bugs will be treated as non-security + issues. This does not mean that they will be ignored, just that + they will not be given the priority that is given to security bugs. + + This stance applies to the creation tools in the GNU Binutils (eg + as, ld, gold, objcopy) and the libraries that they use. Bugs in + inspection tools (eg readelf, nm objdump) will not be considered + to be security bugs, since they do not create executable output + files. + +Notes: +====== + + None of the programs in the GNU Binutils suite need elevated + privileges to operate and it is recommended that users do not use + them from accounts where such privileges are automatically + available. + + The inspection tools are intended to be robust but nevertheless + they should be appropriately sandboxed if they are used to examine + malicious or potentially malicious input files. + +Reporting private security bugs +=============================== + + *All bugs reported in the Binutils Bugzilla are public.* + + In order to report a private security bug that is not immediately + public, please contact one of the downstream distributions with + security teams. The following teams have volunteered to handle + such bugs: + + Debian: security@debian.org + Red Hat: secalert@redhat.com + SUSE: security@suse.de + + Please report the bug to just one of these teams. 
It will be shared + with other teams as necessary. + + The team contacted will take care of details such as vulnerability + rating and CVE assignment (http://cve.mitre.org/about/). It is likely + that the team will ask to file a public bug because the issue is + sufficiently minor and does not warrant an embargo. An embargo is not + a requirement for being credited with the discovery of a security + vulnerability. + +Reporting public security bugs +============================== + + It is expected that critical security bugs will be rare, and that most + security bugs can be reported in Binutils Bugzilla system, thus making + them public immediately. The system can be found here: + + https://sourceware.org/bugzilla/ diff --git a/src-release.sh b/src-release.sh index ec28f86..c974ea0 100755 --- a/src-release.sh +++ b/src-release.sh @@ -45,7 +45,7 @@ DEVO_SUPPORT="ar-lib ChangeLog compile config config-ml.in config.guess \ ltmain.sh ltoptions.m4 ltsugar.m4 ltversion.m4 lt~obsolete.m4 \ MAINTAINERS Makefile.def Makefile.in Makefile.tpl missing mkdep \ mkinstalldirs move-if-change README README-maintainer-mode \ - src-release.sh symlink-tree test-driver ylwrap" + SECURITY.txt src-release.sh symlink-tree test-driver ylwrap" # Files in devo/etc used in any net release. ETC_SUPPORT="Makefile.in configure configure.in standards.texi \ -- cgit v1.1
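Review bot: in the top-level SECURITY.txt hunk (`@@ -0,0 +1,6 @@`), the file points readers at "the SECURITY.txt file in the gdb sub-directory", but this patch only creates binutils/SECURITY.txt; confirm that gdb/SECURITY.txt already exists in the tree (or lands in a companion commit), otherwise the pointer dangles for anyone following it from a release tarball. Minor style point in the same hunk: the file opens with an empty line (the first `+` line is blank), which can be dropped.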
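Review bot: in the binutils/SECURITY.txt hunk (`@@ -0,0 +1,68 @@`), the "Reporting private security bugs" section gives only bare mail addresses (`Debian: security@debian.org`, `Red Hat: secalert@redhat.com`, `SUSE: security@suse.de`) with no guidance on protecting the report in transit; since the whole point of this path is to keep details out of the public Bugzilla, consider adding a line pointing reporters at each team's published PGP key or encrypted submission page. Smaller points in the same hunk: "eg" should be "e.g." in both "(eg as, ld, gold, objcopy)" and "(eg readelf, nm objdump)", the latter is also missing the comma between "nm" and "objdump"; and the CVE reference `http://cve.mitre.org/about/` should use an https URL.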