mirror of
https://github.com/uutils/coreutils.git
synced 2026-06-10 15:48:22 -07:00
SECURITY.md: document threat model, scope, and GitHub reporting
This commit is contained in:
committed by
Daniel Hofstetter
parent
dab93926d2
commit
962566b194
+59
-1
@@ -8,13 +8,71 @@ If you are using a version packaged by your Linux distribution, please check wit
|
||||
|
||||
---
|
||||
|
||||
## Threat Model and Scope
|
||||
|
||||
`uutils/coreutils` is a set of **local** command-line utilities. There is no
|
||||
network-facing service, so remote vulnerabilities do not apply. When assessing
|
||||
whether a report is a security issue, we focus on whether it crosses a trust or
|
||||
privilege boundary on the local system.
|
||||
|
||||
**In scope** (treated as security issues):
|
||||
|
||||
- **Privilege-boundary violations** - bypassing a documented safety guard
|
||||
(e.g. `--preserve-root`), acting on files outside the intended scope, or
|
||||
privilege escalation in setuid/sudo contexts.
|
||||
- **Filesystem race conditions** - TOCTOU bugs, symlink following, and unsafe
|
||||
directory traversal in utilities that recurse or operate on paths
|
||||
(`cp`, `mv`, `rm`, `chown`, `chmod`, `install`, …). *TOCTOU*
|
||||
(Time-Of-Check to Time-Of-Use) is when a utility checks a file's state
|
||||
(existence, type, permissions) and then acts on it in a separate step, leaving
|
||||
a window for an attacker to swap the path in between - e.g. replacing a regular
|
||||
file with a symlink so the action lands on a different target. *Safe
|
||||
traversal* is the defense: when walking a directory tree, descend with
|
||||
symlink-aware primitives (`openat`/`O_NOFOLLOW`, file descriptors instead of
|
||||
re-resolved paths) so a symlink swapped in mid-walk cannot redirect the
|
||||
operation outside the intended tree.
|
||||
- **Unintended destructive actions** - operations that delete, overwrite, or
|
||||
signal something the user did not ask for, including security-relevant
|
||||
divergences from GNU behavior that scripts rely on (a parsing bug that "fails
|
||||
open" instead of erroring).
|
||||
- Memory-safety issues, integer overflow, or unbounded allocation reachable
|
||||
from untrusted input.
|
||||
|
||||
**Out of scope** (report as a normal bug, not a security issue):
|
||||
|
||||
- Crashes, panics, or incorrect output with no privilege or safety impact.
|
||||
- Cosmetic differences from GNU (messages, exit-code-only mismatches) that do
|
||||
not change which files or processes are affected.
|
||||
- Issues requiring an already-privileged or already-malicious local actor who
|
||||
could achieve the same effect directly.
|
||||
|
||||
### Local denial-of-service
|
||||
|
||||
Because these are local tools, resource exhaustion (hang, infinite loop,
|
||||
unbounded memory/CPU, crash on crafted input) is only a security issue when the
|
||||
triggering input **crosses a trust boundary**. A user who runs a utility on their
|
||||
own data and exhausts their own resources is harming only their own invocation -
|
||||
that is a normal bug. It is in scope when crafted, untrusted input reaches the
|
||||
utility through a boundary the victim does not control, such as a privileged
|
||||
script, a cron job, or an automated pipeline that processes attacker-influenced
|
||||
filenames or file contents and is thereby wedged, blocked, or terminated.
|
||||
|
||||
Severity reflects impact, not just whether a bug exists: a guard bypass that can
|
||||
hit the whole filesystem is critical, while a local availability issue bounded by
|
||||
the caller's existing permissions is low.
|
||||
|
||||
---
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
**Do not open public GitHub issues for security vulnerabilities.**
|
||||
This prevents accidental disclosure before a fix is available.
|
||||
|
||||
Instead, please use the following method:
|
||||
Please use one of the following methods:
|
||||
|
||||
- **GitHub (preferred):** open a private report at
|
||||
<https://github.com/uutils/coreutils/security/advisories/new>
|
||||
("Report a vulnerability").
|
||||
- **Email:** [sylvestre@debian.org](mailto:Sylvestre@debian.org)
|
||||
- **Encryption (optional):** You may encrypt your report using our PGP key:
|
||||
Fingerprint: B60D B599 4D39 BEC4 D1A9 5CCF 7E65 28DA 752F 1BE1
|
||||
|
||||
Reference in New Issue
Block a user