# Security overview

## General

libexif is a software library to process EXIF data blobs, which are usually
embedded in JPEG files.

It allows reading, writing, changing, and extracting this data, both as the
raw binary values and as their textual representation.

## Attack Surface

Any data blob put into the library should be assumed untrusted and
potentially malicious.

Parameters passed across the library's API (that is, arguments supplied by the
calling code, as opposed to anything taken from the blob) can be considered
trusted.

The primary attack scenario is unattended processing of files for EXIF content
extraction (for example, to display the metadata), up to and including web
services where files can be uploaded by potential attackers.

## Bugs considered security issues

(These rules exist mostly to guide CVE assignment.)

Triggering memory corruption of any form is considered in scope.

Triggering endless loops is considered in scope (they would block services).

Triggering unintentional aborts is considered in scope.

Common library usage patterns are in scope.

Crashes while writing data out as EXIF may be in scope.
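
The bug classes above all stem from trusting values read out of the blob. The
following hypothetical IFD walker is an added illustration of that trust
boundary; it is not libexif code and does not use the libexif API. It
bounds-checks every read against the blob length before performing it (memory
corruption), caps the IFD chain so a next-IFD pointer that loops back cannot
spin forever (endless loops), and reports malformed input through a return
code rather than an assert (unintentional aborts). The function names, the
status codes, the `MAX_IFDS` cap and the sample byte strings are all
constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal EXIF IFD walker written for this illustration.
 * Not libexif code: it only shows the checks an EXIF parser needs at the
 * boundary where every byte of the blob is attacker-controlled. */

enum exif_status {
    EXIF_OK = 0,
    EXIF_BAD_HEADER,   /* missing "Exif\0\0" or TIFF magic */
    EXIF_TRUNCATED,    /* a structure extends past the end of the blob */
    EXIF_IFD_LOOP      /* IFD chain too long or cyclic */
};

#define MAX_IFDS 16    /* arbitrary cap on chain length; a cycle hits it fast */

static unsigned rd16(const unsigned char *p, int le)
{
    return le ? (unsigned)p[0] | (unsigned)p[1] << 8
              : (unsigned)p[0] << 8 | (unsigned)p[1];
}

static uint32_t rd32(const unsigned char *p, int le)
{
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Walk the IFD chain of an EXIF blob (APP1 payload starting "Exif\0\0") and
 * count directory entries. Returns an exif_status; on EXIF_OK the count is
 * stored in *entries_out (if non-NULL). Never reads outside buf[0..len). */
int exif_count_entries(const unsigned char *buf, size_t len, unsigned *entries_out)
{
    const unsigned char *tiff;
    size_t tlen;
    uint32_t off;
    unsigned ifds = 0, entries = 0;
    int le;

    if (entries_out) *entries_out = 0;

    /* 6-byte Exif header plus 8-byte TIFF header must fit before we touch them */
    if (len < 6 + 8) return EXIF_TRUNCATED;
    if (memcmp(buf, "Exif\0\0", 6) != 0) return EXIF_BAD_HEADER;
    tiff = buf + 6;
    tlen = len - 6;

    /* Byte order is taken from the blob; it must not drive any unchecked read */
    if (tiff[0] == 'I' && tiff[1] == 'I') le = 1;
    else if (tiff[0] == 'M' && tiff[1] == 'M') le = 0;
    else return EXIF_BAD_HEADER;
    if (rd16(tiff + 2, le) != 42) return EXIF_BAD_HEADER;

    off = rd32(tiff + 4, le);                 /* IFD0 offset: attacker-chosen */
    while (off != 0) {
        unsigned n;

        if (++ifds > MAX_IFDS) return EXIF_IFD_LOOP;

        /* 2-byte entry count; written as (tlen - off < 2) so off + 2 cannot overflow */
        if (off > tlen || tlen - off < 2) return EXIF_TRUNCATED;
        n = rd16(tiff + off, le);

        /* n 12-byte entries plus the 4-byte next-IFD pointer must fit as well */
        if (tlen - off - 2 < (size_t)n * 12 + 4) return EXIF_TRUNCATED;
        entries += n;

        off = rd32(tiff + off + 2 + n * 12, le);   /* may point anywhere, incl. back */
    }

    if (entries_out) *entries_out = entries;
    return EXIF_OK;
}

/* Convenience wrapper: entry count on success, 0 on any failure. */
unsigned exif_entries_or_zero(const unsigned char *buf, size_t len)
{
    unsigned n = 0;
    return exif_count_entries(buf, len, &n) == EXIF_OK ? n : 0;
}

/* Constructed sample: little-endian TIFF, one IFD holding a single ASCII entry. */
static const unsigned char sample_valid[] = {
    'E','x','i','f',0,0,                              /* Exif header */
    'I','I', 0x2A,0x00, 0x08,0,0,0,                   /* "II", 42, IFD0 at offset 8 */
    0x01,0x00,                                        /* 1 entry */
    0x10,0x01, 0x02,0x00, 0x04,0,0,0, 'a','b','c',0,  /* tag 0x0110, ASCII, count 4, inline value */
    0x00,0x00,0x00,0x00                               /* next IFD: none */
};

/* Constructed sample: same blob, but the next-IFD pointer points back at IFD0. */
static const unsigned char sample_loop[] = {
    'E','x','i','f',0,0,
    'I','I', 0x2A,0x00, 0x08,0,0,0,
    0x01,0x00,
    0x10,0x01, 0x02,0x00, 0x04,0,0,0, 'a','b','c',0,
    0x08,0x00,0x00,0x00                               /* next IFD: offset 8 again (cycle) */
};

int main(void)
{
    printf("valid:     status %d, entries %u\n",
           exif_count_entries(sample_valid, sizeof sample_valid, NULL),
           exif_entries_or_zero(sample_valid, sizeof sample_valid));
    printf("loop:      status %d\n", exif_count_entries(sample_loop, sizeof sample_loop, NULL));
    printf("truncated: status %d\n", exif_count_entries(sample_valid, 20, NULL));
    return 0;
}
```

Passing `sample_valid` with a shortened length stands in for a file cut off
mid-entry; the walker rejects it before reading past the end. A production
parser would typically also track visited offsets rather than rely on a cap
alone, but even the small cap turns a self-referencing IFD into a fast, clean
error instead of a hung worker.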

## Bugs not considered security issues

Crashes caused by debugging functionality are not in scope.

## Bug reports

Bug reports can be filed as GitHub issues.

If you want to report a security bug under embargo, reach out to dan@coneharvesters.com.