This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



Re: Reporting of potential security issues in binutils?


On Fri, 8 Nov 2019, Tim Rühsen wrote:

> Hi,
> 
> what is the preferred way (or policy) to report security related issues
> like buffer overflows? The bug tracker seems to have no 'confidential'
> flag. I just don't want to accidentally disclose such an issue.

binutils is not normally used in contexts that cross privilege boundaries, 
and I think anyone using it for e.g. malware analysis will already know 
that they need to sandbox the use of binutils programs for hostile inputs.  
Thus, any security issue requiring hostile input files to exploit it seems 
perfectly appropriate to report in public in Bugzilla.  (I also think 
allocating CVEs is fairly unhelpful for such issues, given the niche 
nature of circumstances in which they are security problems and the likely 
presence of very many similar issues that don't have CVEs.)

In the event of a security issue that doesn't need hostile input - e.g. a 
linker bug that introduces security vulnerabilities in binaries linked 
from realistic trusted inputs - more care might be needed.

-- 
Joseph S. Myers
joseph@codesourcery.com
