binutils/SECURITY.txt - third_party/binutils-gdb - Git at Google

 Binutils Security Process
 =========================

 What is a binutils security bug?
 ================================

     A security bug is one that threatens the security of a system or
     network, or might compromise the security of data stored on it.
     In the context of GNU Binutils there are two ways in which such
     bugs might occur.  In the first, the programs themselves might be
     tricked into a direct compromise of security.  In the second, the
     tools might introduce a vulnerability in the generated output that
     was not already present in the files used as input.

     Other than that, all other bugs will be treated as non-security
     issues.  This does not mean that they will be ignored, just that
     they will not be given the priority that is given to security bugs.

     This stance applies to the creation tools in the GNU Binutils (eg
     as, ld, gold, objcopy) and the libraries that they use.  Bugs in
     inspection tools (eg readelf, nm objdump) will not be considered
     to be security bugs, since they do not create executable output
     files.

 Notes:
 ======

     None of the programs in the GNU Binutils suite need elevated
     privileges to operate and it is recommended that users do not use
     them from accounts where such privileges are automatically
     available.

     The inspection tools are intended to be robust but nevertheless
     they should be appropriately sandboxed if they are used to examine
     malicious or potentially malicious input files.

 Reporting private security bugs
 ===============================

    *All bugs reported in the Binutils Bugzilla are public.*

    In order to report a private security bug that is not immediately
    public, please contact one of the downstream distributions with
    security teams.  The following teams have volunteered to handle
    such bugs:

       Debian:  security@debian.org
       Red Hat: secalert@redhat.com
       SUSE:    security@suse.de

    Please report the bug to just one of these teams.  It will be shared
    with other teams as necessary.

    The team contacted will take care of details such as vulnerability
    rating and CVE assignment (https://cve.mitre.org/about/).  It is likely
    that the team will ask to file a public bug because the issue is
    sufficiently minor and does not warrant an embargo.  An embargo is not
    a requirement for being credited with the discovery of a security
    vulnerability.

 Reporting public security bugs
 ==============================

    It is expected that critical security bugs will be rare, and that most
    security bugs can be reported in Binutils Bugzilla system, thus making
    them public immediately.  The system can be found here:

       https://sourceware.org/bugzilla/
	Binutils Security Process
	=========================

	What is a binutils security bug?
	================================

	A security bug is one that threatens the security of a system or
	network, or might compromise the security of data stored on it.
	In the context of GNU Binutils there are two ways in which such
	bugs might occur. In the first, the programs themselves might be
	tricked into a direct compromise of security. In the second, the
	tools might introduce a vulnerability in the generated output that
	was not already present in the files used as input.

	Other than that, all other bugs will be treated as non-security
	issues. This does not mean that they will be ignored, just that
	they will not be given the priority that is given to security bugs.

	This stance applies to the creation tools in the GNU Binutils (eg
	as, ld, gold, objcopy) and the libraries that they use. Bugs in
	inspection tools (eg readelf, nm objdump) will not be considered
	to be security bugs, since they do not create executable output
	files.

	Notes:
	======

	None of the programs in the GNU Binutils suite need elevated
	privileges to operate and it is recommended that users do not use
	them from accounts where such privileges are automatically
	available.

	The inspection tools are intended to be robust but nevertheless
	they should be appropriately sandboxed if they are used to examine
	malicious or potentially malicious input files.

	Reporting private security bugs
	===============================

	All bugs reported in the Binutils Bugzilla are public.

	In order to report a private security bug that is not immediately
	public, please contact one of the downstream distributions with
	security teams. The following teams have volunteered to handle
	such bugs:

	Debian: security@debian.org
	Red Hat: secalert@redhat.com
	SUSE: security@suse.de

	Please report the bug to just one of these teams. It will be shared
	with other teams as necessary.

	The team contacted will take care of details such as vulnerability
	rating and CVE assignment (https://cve.mitre.org/about/). It is likely
	that the team will ask to file a public bug because the issue is
	sufficiently minor and does not warrant an embargo. An embargo is not
	a requirement for being credited with the discovery of a security
	vulnerability.

	Reporting public security bugs
	==============================

	It is expected that critical security bugs will be rare, and that most
	security bugs can be reported in Binutils Bugzilla system, thus making
	them public immediately. The system can be found here:

	https://sourceware.org/bugzilla/