mirror of
https://github.com/uutils/coreutils.git
synced 2026-06-10 15:48:22 -07:00
SECURITY.md: document threat model, scope, and GitHub reporting
This commit is contained in:
committed by
Daniel Hofstetter
parent
dab93926d2
commit
962566b194
+59
-1
@@ -8,13 +8,71 @@ If you are using a version packaged by your Linux distribution, please check wit
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
## Threat Model and Scope
|
||||||
|
|
||||||
|
`uutils/coreutils` is a set of **local** command-line utilities. There is no
|
||||||
|
network-facing service, so remote vulnerabilities do not apply. When assessing
|
||||||
|
whether a report is a security issue, we focus on whether it crosses a trust or
|
||||||
|
privilege boundary on the local system.
|
||||||
|
|
||||||
|
**In scope** (treated as security issues):
|
||||||
|
|
||||||
|
- **Privilege-boundary violations** - bypassing a documented safety guard
|
||||||
|
(e.g. `--preserve-root`), acting on files outside the intended scope, or
|
||||||
|
privilege escalation in setuid/sudo contexts.
|
||||||
|
- **Filesystem race conditions** - TOCTOU bugs, symlink following, and unsafe
|
||||||
|
directory traversal in utilities that recurse or operate on paths
|
||||||
|
(`cp`, `mv`, `rm`, `chown`, `chmod`, `install`, …). *TOCTOU*
|
||||||
|
(Time-Of-Check to Time-Of-Use) is when a utility checks a file's state
|
||||||
|
(existence, type, permissions) and then acts on it in a separate step, leaving
|
||||||
|
a window for an attacker to swap the path in between - e.g. replacing a regular
|
||||||
|
file with a symlink so the action lands on a different target. *Safe
|
||||||
|
traversal* is the defense: when walking a directory tree, descend with
|
||||||
|
symlink-aware primitives (`openat`/`O_NOFOLLOW`, file descriptors instead of
|
||||||
|
re-resolved paths) so a symlink swapped in mid-walk cannot redirect the
|
||||||
|
operation outside the intended tree.
|
||||||
|
- **Unintended destructive actions** - operations that delete, overwrite, or
|
||||||
|
signal something the user did not ask for, including security-relevant
|
||||||
|
divergences from GNU behavior that scripts rely on (a parsing bug that "fails
|
||||||
|
open" instead of erroring).
|
||||||
|
- Memory-safety issues, integer overflow, or unbounded allocation reachable
|
||||||
|
from untrusted input.
|
||||||
|
|
||||||
|
**Out of scope** (report as a normal bug, not a security issue):
|
||||||
|
|
||||||
|
- Crashes, panics, or incorrect output with no privilege or safety impact.
|
||||||
|
- Cosmetic differences from GNU (messages, exit-code-only mismatches) that do
|
||||||
|
not change which files or processes are affected.
|
||||||
|
- Issues requiring an already-privileged or already-malicious local actor who
|
||||||
|
could achieve the same effect directly.
|
||||||
|
|
||||||
|
### Local denial-of-service
|
||||||
|
|
||||||
|
Because these are local tools, resource exhaustion (hang, infinite loop,
|
||||||
|
unbounded memory/CPU, crash on crafted input) is only a security issue when the
|
||||||
|
triggering input **crosses a trust boundary**. A user who runs a utility on their
|
||||||
|
own data and exhausts their own resources is harming only their own invocation -
|
||||||
|
that is a normal bug. It is in scope when crafted, untrusted input reaches the
|
||||||
|
utility through a boundary the victim does not control, such as a privileged
|
||||||
|
script, a cron job, or an automated pipeline that processes attacker-influenced
|
||||||
|
filenames or file contents and is thereby wedged, blocked, or terminated.
|
||||||
|
|
||||||
|
Severity reflects impact, not just whether a bug exists: a guard bypass that can
|
||||||
|
hit the whole filesystem is critical, while a local availability issue bounded by
|
||||||
|
the caller's existing permissions is low.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
## Reporting a Vulnerability
|
## Reporting a Vulnerability
|
||||||
|
|
||||||
**Do not open public GitHub issues for security vulnerabilities.**
|
**Do not open public GitHub issues for security vulnerabilities.**
|
||||||
This prevents accidental disclosure before a fix is available.
|
This prevents accidental disclosure before a fix is available.
|
||||||
|
|
||||||
Instead, please use the following method:
|
Please use one of the following methods:
|
||||||
|
|
||||||
|
- **GitHub (preferred):** open a private report at
|
||||||
|
<https://github.com/uutils/coreutils/security/advisories/new>
|
||||||
|
("Report a vulnerability").
|
||||||
- **Email:** [sylvestre@debian.org](mailto:Sylvestre@debian.org)
|
- **Email:** [sylvestre@debian.org](mailto:Sylvestre@debian.org)
|
||||||
- **Encryption (optional):** You may encrypt your report using our PGP key:
|
- **Encryption (optional):** You may encrypt your report using our PGP key:
|
||||||
Fingerprint: B60D B599 4D39 BEC4 D1A9 5CCF 7E65 28DA 752F 1BE1
|
Fingerprint: B60D B599 4D39 BEC4 D1A9 5CCF 7E65 28DA 752F 1BE1
|
||||||
|
|||||||
Reference in New Issue
Block a user