Message ID | 610f86be-79bb-451f-a9c1-6fcbdc78a2c9@gotplt.org |
---|---|
State | Not Applicable |
Headers | From: Siddhesh Poyarekar <siddhesh@gotplt.org>; To: gcc Patches <gcc-patches@gcc.gnu.org>; Subject: [PATCH] SECURITY.txt: Drop "exploitable" in reference to hardening issues; Date: Mon, 18 Dec 2023 09:35:06 -0500; Message-ID: <610f86be-79bb-451f-a9c1-6fcbdc78a2c9@gotplt.org>; Content-Type: text/plain; charset=UTF-8; format=flowed; List-Id: Gcc-patches mailing list <gcc-patches.gcc.gnu.org>; List-Archive: <https://gcc.gnu.org/pipermail/gcc-patches/> |
Series | SECURITY.txt: Drop "exploitable" in reference to hardening issues |
Checks
Context | Check | Description |
---|---|---|
snail/gcc-patch-check | fail | Git am fail log |
Commit Message
Siddhesh Poyarekar
Dec. 18, 2023, 2:35 p.m. UTC
The "exploitable vulnerability" may lead to a misunderstanding that missed hardening issues are considered vulnerabilities, just that they're not exploitable. This is not true, since while hardening bugs may be security-relevant, the absence of hardening does not make a program any more vulnerable to exploits than without.

Drop the "exploitable" word to make it clear that missed hardening is not considered a vulnerability.
Comments
On 2023-12-18 09:35, Siddhesh Poyarekar wrote:
> The "exploitable vulnerability" may lead to a misunderstanding that
> missed hardening issues are considered vulnerabilities, just that
> they're not exploitable. This is not true, since while hardening bugs
> may be security-relevant, the absence of hardening does not make a
> program any more vulnerable to exploits than without.
>
> Drop the "exploitable" word to make it clear that missed hardening is
> not considered a vulnerability.

Ping, may I commit this if there are no objections?

Thanks,
Sid

> diff --git a/SECURITY.txt b/SECURITY.txt > index b3e2bbfda90..126603d4c22 100644 > --- a/SECURITY.txt > +++ b/SECURITY.txt > @@ -155,10 +155,10 @@ Security features implemented in GCC > GCC implements a number of security features that reduce the impact > of security issues in applications, such as -fstack-protector, > -fstack-clash-protection, _FORTIFY_SOURCE and so on. A failure of > - these features to function perfectly in all situations is not an > - exploitable vulnerability in itself since it does not affect the > - correctness of programs. Further, they're dependent on heuristics > - and may not always have full coverage for protection. > + these features to function perfectly in all situations is not a > + vulnerability in itself since it does not affect the correctness of > + programs. Further, they're dependent on heuristics and may not > + always have full coverage for protection. > > Similarly, GCC may transform code in a way that the correctness of > the expressed algorithm is preserved, but supplementary properties >
> On 09.01.2024 at 16:13, Siddhesh Poyarekar <siddhesh@gotplt.org> wrote:
>
> On 2023-12-18 09:35, Siddhesh Poyarekar wrote:
>> The "exploitable vulnerability" may lead to a misunderstanding that missed hardening issues are considered vulnerabilities, just that they're not exploitable. This is not true, since while hardening bugs may be security-relevant, the absence of hardening does not make a program any more vulnerable to exploits than without.
>> Drop the "exploitable" word to make it clear that missed hardening is not considered a vulnerability.
>
> Ping, may I commit this if there are no objections?

Go ahead.

Richard

> Thanks,
> Sid
>
>> diff --git a/SECURITY.txt b/SECURITY.txt >> index b3e2bbfda90..126603d4c22 100644 >> --- a/SECURITY.txt >> +++ b/SECURITY.txt >> @@ -155,10 +155,10 @@ Security features implemented in GCC >> GCC implements a number of security features that reduce the impact >> of security issues in applications, such as -fstack-protector, >> -fstack-clash-protection, _FORTIFY_SOURCE and so on. A failure of >> - these features to function perfectly in all situations is not an >> - exploitable vulnerability in itself since it does not affect the >> - correctness of programs. Further, they're dependent on heuristics >> - and may not always have full coverage for protection. >> + these features to function perfectly in all situations is not a >> + vulnerability in itself since it does not affect the correctness of >> + programs. Further, they're dependent on heuristics and may not >> + always have full coverage for protection. >> Similarly, GCC may transform code in a way that the correctness of >> the expressed algorithm is preserved, but supplementary properties
diff --git a/SECURITY.txt b/SECURITY.txt index b3e2bbfda90..126603d4c22 100644 --- a/SECURITY.txt +++ b/SECURITY.txt @@ -155,10 +155,10 @@ Security features implemented in GCC GCC implements a number of security features that reduce the impact of security issues in applications, such as -fstack-protector, -fstack-clash-protection, _FORTIFY_SOURCE and so on. A failure of - these features to function perfectly in all situations is not an - exploitable vulnerability in itself since it does not affect the - correctness of programs. Further, they're dependent on heuristics - and may not always have full coverage for protection. + these features to function perfectly in all situations is not a + vulnerability in itself since it does not affect the correctness of + programs. Further, they're dependent on heuristics and may not + always have full coverage for protection. Similarly, GCC may transform code in a way that the correctness of the expressed algorithm is preserved, but supplementary properties
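Review bot: in the replacement lines of this hunk the justification clause "since it does not affect the correctness of programs" now carries the whole argument by itself, and a reader could infer the converse, that a hardening failure which does change program behaviour would be treated as a vulnerability. The commit message gives the intended reasoning more precisely (the absence of hardening does not make a program any more vulnerable than it would be without it), so consider carrying that wording into the new sentence, e.g. "+ vulnerability in itself, since a program is no more vulnerable" / "+ when the hardening fails than it would be without it. Further," and keeping the heuristics/coverage sentence directly after it, as the hunk already does, so the two reasons read as one explanation.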