Reporting of potential security issues in binutils ?

Joseph Myers joseph@codesourcery.com
Fri Nov 8 21:01:00 GMT 2019


On Fri, 8 Nov 2019, Tim Rühsen wrote:

> Hi,
> 
> what is the preferred way (or policy) to report security related issues
> like buffer overflows? The bug tracker seems to have no 'confidential'
> flag. I just don't want to accidentally disclose such an issue.

binutils is not normally used in contexts that cross privilege boundaries, 
and I think anyone using it for e.g. malware analysis will already know 
that they need to sandbox the use of binutils programs for hostile inputs.  
Thus, any security issue requiring hostile input files to exploit it seems 
perfectly appropriate to report in public in Bugzilla.  (I also think 
allocating CVEs is fairly unhelpful for such issues, given the niche 
nature of circumstances in which they are security problems and the likely 
presence of very many similar issues that don't have CVEs.)

In the event of a security issue that doesn't need hostile input - e.g. a 
linker bug that introduces security vulnerabilities in binaries linked 
from realistic trusted inputs - more care might be needed.

-- 
Joseph S. Myers
joseph@codesourcery.com