Binutils Security Process
=========================

What is a binutils security bug?
================================

A security bug is one that threatens the security of a system or
network, or might compromise the security of data stored on it.
In the context of GNU Binutils there are two ways in which such
bugs might occur. In the first, the programs themselves might be
tricked into a direct compromise of security. In the second, the
tools might introduce a vulnerability in the generated output that
was not already present in the files used as input.

All other bugs will be treated as non-security issues. This does
not mean that they will be ignored, just that they will not be
given the priority that is given to security bugs.

This stance applies to the creation tools in the GNU Binutils (e.g.
as, ld, gold, objcopy) and the libraries that they use. Bugs in
inspection tools (e.g. readelf, nm, objdump) will not be considered
to be security bugs, since they do not create executable output

None of the programs in the GNU Binutils suite need elevated
privileges to operate and it is recommended that users do not use
them from accounts where such privileges are automatically

The inspection tools are intended to be robust but nevertheless
they should be appropriately sandboxed if they are used to examine
malicious or potentially malicious input files.

Reporting private security bugs
===============================

*All bugs reported in the Binutils Bugzilla are public.*

In order to report a private security bug that is not immediately
public, please contact one of the downstream distributions with
security teams. The following teams have volunteered to handle

Debian: security@debian.org
Red Hat: secalert@redhat.com
SUSE: security@suse.de

Please report the bug to just one of these teams. It will be shared
with other teams as necessary.

The team contacted will take care of details such as vulnerability
rating and CVE assignment (https://cve.mitre.org/about/). It is likely
that the team will ask to file a public bug because the issue is
sufficiently minor and does not warrant an embargo. An embargo is not
a requirement for being credited with the discovery of a security

Reporting public security bugs
==============================

It is expected that critical security bugs will be rare, and that most
security bugs can be reported in the Binutils Bugzilla system, thus
making them public immediately. The system can be found here:

https://sourceware.org/bugzilla/