1*7304104dSAndroid Build Coastguard Worker 2*7304104dSAndroid Build Coastguard WorkerThe elfutils library and utilities aim to be generally robust and 3*7304104dSAndroid Build Coastguard Workerreliable. However, elfutils routinely processes complex binary 4*7304104dSAndroid Build Coastguard Workerstructured data. This makes the code intricate and sometimes brittle. 5*7304104dSAndroid Build Coastguard WorkerWhile elfutils developers use a variety of static and dynamic checker 6*7304104dSAndroid Build Coastguard Workersoftware (valgrind, sanitizers) in testing, bugs may remain. Some of 7*7304104dSAndroid Build Coastguard Workerthese bugs may have security-related implications. 8*7304104dSAndroid Build Coastguard Worker 9*7304104dSAndroid Build Coastguard Worker 10*7304104dSAndroid Build Coastguard WorkerWhile many errors are cleanly detected at runtime, it is possible that 11*7304104dSAndroid Build Coastguard Workervulnerabilities exist that could be exploitable. These may arise from 12*7304104dSAndroid Build Coastguard Workercrafted / fuzzed / erroneous inputs, or perhaps even from valid inputs 13*7304104dSAndroid Build Coastguard Workerwith unforseen characteristics. Therefore, to minimize risks, users 14*7304104dSAndroid Build Coastguard Workerof elfutils tools and libraries should consider measures such as: 15*7304104dSAndroid Build Coastguard Worker 16*7304104dSAndroid Build Coastguard Worker- avoiding running complex elfutils analysis on untrustworthy inputs 17*7304104dSAndroid Build Coastguard Worker- avoiding running elfutils tools as privileged processes 18*7304104dSAndroid Build Coastguard Worker- applying common platform level protection mechanisms such as 19*7304104dSAndroid Build Coastguard Worker selinux, syscall filtering, hardened compilation, etc. 20*7304104dSAndroid Build Coastguard Worker 21*7304104dSAndroid Build Coastguard WorkerSince most elfutils tools are run in short-lived, local, interactive, 22*7304104dSAndroid Build Coastguard Workerdevelopment context rather than remotely "in production", we generally 23*7304104dSAndroid Build Coastguard Workertreat malfunctions as ordinary bugs rather than security vulnerabilities. 24*7304104dSAndroid Build Coastguard Worker 25*7304104dSAndroid Build Coastguard Worker 26*7304104dSAndroid Build Coastguard WorkerElfutils includes one network client/server: debuginfod. The 27*7304104dSAndroid Build Coastguard Workerdebuginfod man page contains a SECURITY section outlining the general 28*7304104dSAndroid Build Coastguard Workerrisks. tl;dr: many classes of server problems are delegated to 29*7304104dSAndroid Build Coastguard Workerfront-end proxies and curated elf/dwarf archives of the operator; 30*7304104dSAndroid Build Coastguard Workerothers to careful configuration of the debuginfod client. These are 31*7304104dSAndroid Build Coastguard Workernot generally reportable as security vulnerabilities. However, we are 32*7304104dSAndroid Build Coastguard Workerlikely to accept security vulnerability reports related to: 33*7304104dSAndroid Build Coastguard Worker 34*7304104dSAndroid Build Coastguard Worker- availability: e.g., remotely exploitable server crash, but not 35*7304104dSAndroid Build Coastguard Worker routine resource exhaustion or overload; client crash due to 36*7304104dSAndroid Build Coastguard Worker unexpected valid traffic from trusted server 37*7304104dSAndroid Build Coastguard Worker 38*7304104dSAndroid Build Coastguard Worker- confidentiality: e.g., allowing the server to expose one client's 39*7304104dSAndroid Build Coastguard Worker traffic to another client 40*7304104dSAndroid Build Coastguard Worker 41*7304104dSAndroid Build Coastguard Worker- integrity: e.g., causing the server to send erroneous 42*7304104dSAndroid Build Coastguard Worker elf/dwarf/source data across the webapi; causing the client to 43*7304104dSAndroid Build Coastguard Worker corrupt its cache to lose file integrity 44*7304104dSAndroid Build Coastguard Worker 45*7304104dSAndroid Build Coastguard WorkerWe welcome reports that are tangential to any of these subjects. 46*7304104dSAndroid Build Coastguard Worker 47*7304104dSAndroid Build Coastguard WorkerPlease report bugs via any of: 48*7304104dSAndroid Build Coastguard Worker- email to <[email protected]> 49*7304104dSAndroid Build Coastguard Worker- https://sourceware.org/bugzilla/enter_bug.cgi?product=elfutils 50*7304104dSAndroid Build Coastguard Worker 51*7304104dSAndroid Build Coastguard WorkerAfter considering the above exclusions, please report suspected 52*7304104dSAndroid Build Coastguard Workersecurity vulnerabilities confidentially via any of: 53*7304104dSAndroid Build Coastguard Worker 54*7304104dSAndroid Build Coastguard Worker- email to <[email protected]> 55*7304104dSAndroid Build Coastguard Worker- email to <[email protected]> 56*7304104dSAndroid Build Coastguard Worker- email to <[email protected]> 57