xref: /aosp_15_r20/external/elfutils/SECURITY (revision 7304104da70ce23c86437a01be71edd1a2d7f37e)

The elfutils library and utilities aim to be generally robust and
reliable.  However, elfutils routinely processes complex binary
structured data.  This makes the code intricate and sometimes brittle.
While elfutils developers use a variety of static and dynamic checker
software (valgrind, sanitizers) in testing, bugs may remain.  Some of
these bugs may have security-related implications.


While many errors are cleanly detected at runtime, it is possible that
vulnerabilities exist that could be exploitable.  These may arise from
crafted / fuzzed / erroneous inputs, or perhaps even from valid inputs
with unforeseen characteristics.  Therefore, to minimize risks, users
of elfutils tools and libraries should consider measures such as:

- avoiding running complex elfutils analysis on untrustworthy inputs
- avoiding running elfutils tools as privileged processes
- applying common platform level protection mechanisms such as
  selinux, syscall filtering, hardened compilation, etc.

Since most elfutils tools are run in short-lived, local, interactive,
development contexts rather than remotely "in production", we generally
treat malfunctions as ordinary bugs rather than security vulnerabilities.


Elfutils includes one network client/server: debuginfod.  The
debuginfod man page contains a SECURITY section outlining the general
risks.  tl;dr: many classes of server problems are delegated to
front-end proxies and curated elf/dwarf archives of the operator;
others to careful configuration of the debuginfod client.  These are
not generally reportable as security vulnerabilities.  However, we are
likely to accept security vulnerability reports related to:

- availability: e.g., remotely exploitable server crash, but not
  routine resource exhaustion or overload; client crash due to
  unexpected valid traffic from a trusted server

- confidentiality: e.g., allowing the server to expose one client's
  traffic to another client

- integrity: e.g., causing the server to send erroneous
  elf/dwarf/source data across the webapi; causing the client to
  corrupt its cache and lose file integrity

We welcome reports that are tangential to any of these subjects.

Please report bugs via any of:
- email to <[email protected]>
- https://sourceware.org/bugzilla/enter_bug.cgi?product=elfutils

After considering the above exclusions, please report suspected
security vulnerabilities confidentially via any of:

- email to <[email protected]>
- email to <[email protected]>
- email to <[email protected]>