RFC: Adding a SECURITY.md document to the Binutils

Ian Lance Taylor iant@google.com
Mon Apr 17 19:55:16 GMT 2023


On Mon, Apr 17, 2023 at 8:31 AM Michael Matz <matz@suse.de> wrote:
>
> On Fri, 14 Apr 2023, Ian Lance Taylor via Binutils wrote:
>
> > And, honestly, these are not standards that are unusually difficult to
> > meet.  Don't dump core, don't use up all of memory, don't have buffer
> > overflows.  Treat failures of this sort as security bugs to be fixed
> > ASAP in minor releases.  These are achievable goals.
>
> These are all noble goals to reach for.  But the fact is that all the crap
> CVE entries from script-kiddies with their fuzzers are mainly fixed by
> Alan with his seemingly endless patience.  Downstream they are the cause
> of endless worries (as customers blindly _demand_ that all CVEs be fixed
> by checking tickmarks on an endless list of entries they've downloaded
> last week from mitre; just by virtue of the entry having a CVE number and
> hence "be a serious security problem").  All of these are bugs to be fixed
> eventually.  Literally _none_ of them are in any way a serious bug
> demanding an immediate fix.  Next release is completely fine for that.

That is definitely a fair point.  My argument here may be too strong.
I certainly agree that a CVE is not appropriate for a program crash.

Ian
