This document describes the policy followed by the GNU C Library maintainers to handle bugs that may have a security impact. This includes determining if a bug has a security impact, reporting such bugs to the community and handling such bugs all the way to resolution. This policy may evolve over time, so if you're reading this from a release tarball, be sure to check the latest copy of the SECURITY.md in the repository, especially for instructions on reporting issues privately.
Most security vulnerabilities in the GNU C Library materialize only after an application uses functionality in a specific way. Therefore, it is sometimes difficult to determine if a defect in the GNU C Library constitutes a vulnerability as such. The follow guidelines can help with a decision.
nscd are generally security bugs, except if they can only
be triggered by a trusted data source (DNS is not trusted, but NIS and LDAP
probably are).security+.security+) should be flagged
security-, to avoid cluttering the reporting.In this context, service breakage means client-side privilege escalation (code execution) or server-side denial of service or privilege escalation through actual, concrete, non-synthetic applications. Or put differently, if the GNU C Library causes a security bug in an application (and the application uses the library in a standard-conforming manner or according to the manual), the GNU C Library bug should be treated as security-relevant.
It may be especially complicated to determine the security status of bugs in some subsystems in the GNU C Library. This subsection describes such subsystems and the special considerations applicable during security bug classification in them.
Regular expression processing comes in two parts, compilation (through regcomp) and execution (through regexec).
Implementing regular expressions efficiently, in a standard-conforming way, and without denial-of-service vulnerabilities is very difficult and impossible for Basic Regular Expressions. Most implementation strategies have issues dealing with certain classes of patterns.
Consequently, certain issues which can be triggered only with crafted patterns (either during compilation or execution) are treated as regular bugs and not security issues. Examples of such issues would include (but is not limited to):
Crashes, infinite loops (and not merely exponential behavior), buffer overflows and overreads, memory leaks and other bugs resulting from the regex implementation relying on undefined behavior should be treated as security vulnerabilities.
wordexp inherently has exponential memory consumption in terms of the input
size. This means that denial of service flaws from crafted patterns are not
security issues (even if they lead to other issues, such as NULL pointer
dereferences).
The GNU C Library tries to implement asynchronous I/O without kernel support, which means that several operations are not fully standard conforming. Several known races can cause crashes and resource leaks. Such bugs are only treated as security bugs if applications (as opposed to synthetic test cases) have security exposures due to these bugs.
The implementation of asynchronous cancellation is not fully standard-conforming and has races and leaks. Again, such bugs are only treated as security bugs if applications (as opposed to synthetic test cases) have security exposures due to these bugs.
The ldd tool is not expected to be used with untrusted executables.
Certain features have been added to the library only to make exploitation of security bugs (mainly for code execution) more difficult. Examples includes the stack smashing protector, function pointer obfuscation, vtable validation for stdio stream handles, and various heap consistency checks. Failure of such countermeasures to stop exploitation of a different vulnerability is not a security vulnerability in itself. By their nature, these countermeasures are based on heuristics and will never offer complete protection, so the original vulnerability needs to be fixed anyway.
The process to report security bugs is documented on the glibc security page. In general, most security bugs may be reported publicly in the glibc bugzilla, but if in doubt, please feel free to report security issues privately first.
This section is aimed at developers, not reporters.
Security-relevant bugs should be marked with security+, as per the Bugzilla
security flag
documentation,
following the guidelines above. If you set the security+ flag, you should
make sure the following information is included in the bug (usually in a bug
comment):
The following links are helpful for finding untriaged bugs:
For changes to master, the regular consensus-driven process must be followed. It makes sense to obtain consensus in private, to ensure that the patch is likely in a committable state, before disclosing an emboargoed vulnerability.
Security backports to release branches need to follow the release process.
Contact the website maintainers and have them draft a news entry for the website frontpage to direct users to the bug, the fix, or the mailing list discussions.
Security bugs flagged with security+ should have CVE
identifiers. Please reach out to the glibc
security team using the documented security
process and they work on getting a
CVE number.