mirror of
https://github.com/openharmony/third_party_libabigail.git
synced 2026-07-01 23:04:32 -04:00
a506c1d186
Signed-off-by: lizhenlin <lizhenlin2@h-partners.com>
35 lines
1.5 KiB
Plaintext
35 lines
1.5 KiB
Plaintext
The libabigail library and utilities aim to be generally robust and
|
|
reliable. However, libabigail routinely processes complex binary
|
|
structured data. This makes the code intricate and sometimes brittle.
|
|
While libabigail developers use a variety of static and dynamic checker
|
|
software (valgrind, sanitizers) in testing, bugs may remain. Some of
|
|
these bugs may have security-related implications.
|
|
|
|
|
|
While many errors are cleanly detected at runtime, it is possible that
|
|
vulnerabilities exist that could be exploitable. These may arise from
|
|
crafted / fuzzed / erroneous inputs, or perhaps even from valid inputs
|
|
with unforseen characteristics. Therefore, to minimize risks, users
|
|
of libabigail tools and libraries should consider measures such as:
|
|
|
|
- avoiding running complex libabigail analysis on untrustworthy inputs
|
|
- avoiding running libabigail tools as privileged processes
|
|
- applying common platform level protection mechanisms such as
|
|
selinux, syscall filtering, hardened compilation, etc.
|
|
|
|
Since libabigail tools are usually run in short-lived, local,
|
|
interactive, development context rather than remotely "in production",
|
|
we generally treat malfunctions as ordinary bugs rather than security
|
|
vulnerabilities.
|
|
|
|
Please report bugs via any of:
|
|
- email to <libabigail@sourceware.org>
|
|
- https://sourceware.org/bugzilla/enter_bug.cgi?product=libabigail
|
|
|
|
After considering the above exclusions, please report suspected
|
|
security vulnerabilities confidentially via any of:
|
|
|
|
- email to <dodji@seketeli.org>
|
|
- email to <fche@elastic.org>
|
|
- email to <secalert@redhat.com>
|