-
Notifications
You must be signed in to change notification settings - Fork 620
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Document security expectations (#1623)
* Document security expectations Signed-off-by: Cary Phillips <[email protected]> * Menion Imath as a dependency Signed-off-by: Cary Phillips <[email protected]> * Update SECURITY.md Co-authored-by: Nick Porcino <[email protected]> Signed-off-by: Cary Phillips <[email protected]> * change 'Threat Model' to 'Potential Vulnerabilties' Signed-off-by: Cary Phillips <[email protected]> * Mention GitHub issue as fallback security contact Signed-off-by: Cary Phillips <[email protected]> * github security advisory Signed-off-by: Cary Phillips <[email protected]> * mention exrcheck Signed-off-by: Cary Phillips <[email protected]> --------- Signed-off-by: Cary Phillips <[email protected]> Co-authored-by: Nick Porcino <[email protected]>
- Loading branch information
Showing
1 changed file
with
113 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,14 +6,15 @@ | |
| ## Reporting a Vulnerability | ||
|
|
||
| If you think you've found a potential vulnerability in OpenEXR, please | ||
| report it by emailing [email protected]. Only Technical Steering | ||
| Committee members and Academy Software Foundation project management | ||
| have access to these messages. Include detailed steps to reproduce the | ||
| issue, and any other information that could aid an investigation. Our | ||
| policy is to respond to vulnerability reports within 14 days. | ||
| report it by filing a GitHub [security | ||
| advisory](https://github.com/AcademySoftwareFoundation/openexr/security/advisories/new). Alternatively, | ||
| email [email protected] and provide your contact info for further | ||
| private/secure discussion. If your email does not receive a prompt | ||
| acknowledgement, your address may be blocked. | ||
|
|
||
| Our policy is to address critical security vulnerabilities rapidly and | ||
| post patches as quickly as possible. | ||
| Our policy is to acknowledge the receipt of vulnerability reports | ||
| within 48 hours. Our policy is to address critical security vulnerabilities | ||
| rapidly and post patches within 14 days if possible. | ||
|
|
||
| ## Known Vulnerabilities | ||
|
|
||
|
|
@@ -57,3 +58,108 @@ These vulnerabilities are present in the given versions: | |
|
|
||
| See the [release notes](CHANGES.md) for more information. | ||
|
|
||
| ## Supported Versions | ||
|
|
||
| This gives guidance about which branches are supported with patches to | ||
| security vulnerabilities. | ||
|
|
||
| | Version / branch | Supported | | ||
| | --------- | ---------------------------------------------------- | | ||
| | main | :white_check_mark: :construction: ALL fixes immediately, but this is a branch under development with a frequently unstable ABI and occasionally unstable API. | | ||
| | 3.2.x | :white_check_mark: All fixes that can be backported without breaking ABI compatibility. | | ||
| | 3.1.x | :warning: Only the most critical fixes, only if they can be easily backported. | | ||
| | 3.0.x | :warning: Only the most critical fixes, only if they can be easily backported. | | ||
| | 2.5.x | :warning: Only the most critical fixes, only if they can be easily backported. | | ||
| | <= 1.x | :x: No longer receiving patches of any kind. | | ||
|
|
||
| ## Security Expectations | ||
|
|
||
| ### Software Features | ||
|
|
||
| - The OpenEXR project implements the EXR image file format, used | ||
| throughout the motion picture industry and beyond, on Linux, macOS, | ||
| and Windows. | ||
|
|
||
| - The project consists of a software run-time library, implemented in | ||
| C/C++ and built via cmake, that reads and writes image data | ||
| files. The project also distributes python wrappings for the C/C++ | ||
| I/O API. | ||
|
|
||
| - The library reads and writes binary image data and text-based | ||
| metadata, treated as blind data, none of which is executable code. | ||
|
|
||
| - Other than the website and online technical documentation, the | ||
| project implements no web/online services or network communication | ||
| protocols. The library never requests any security or | ||
| authentication credentials or login information from users. | ||
|
|
||
| The website implements no interactive features and requires no login | ||
| credentials. | ||
|
|
||
| - The library reads and writes only to file paths specificly requested | ||
| via the C/C++ API. The runtime library uses no system configuration | ||
| files or sidecar data files. Access to data files uses only standard | ||
| file I/O system calls. | ||
|
|
||
| - The library compresses/decompresses data via standard compression | ||
| algorithms but uses no cryptographic or confidentiality protocols. | ||
|
|
||
| ### Software Dependencies | ||
|
|
||
| OpenEXR depends on | ||
| [Imath](https://github.com/AcademySoftwareFoundation/Imath), a library | ||
| of basic math operations also maintained and distributed by the | ||
| OpenEXR project. Imath follows the same security conventions | ||
| documented here for OpenEXR itself. The core Imath library has no | ||
| external dependencies. The Imath python bindings depend on python and | ||
| boost. | ||
|
|
||
| The only | ||
| external library dependency of OpenEXR is | ||
| [libdeflate](https://github.com/ebiggers/libdeflate), which implements | ||
| standard deflate/zlib/gzip compression and decompression. | ||
|
|
||
| The project uses | ||
| [Snyk](https://github.com/AcademySoftwareFoundation/openexr/blob/main/.github/workflows/snyk-scan-pr.yml) | ||
| to scan for dependency vulnerability. | ||
|
|
||
| ### Potential Vulnerabilities | ||
|
|
||
| Potential entry points are images being loaded using the | ||
| library. Malformed images could caused issues such as heap buffer | ||
| overflows, out-of-memory faults, or segmentation faults that could be | ||
| exploitable as denial-of-service attacks. | ||
|
|
||
| ### Hardening | ||
|
|
||
| #### Testing | ||
|
|
||
| The OpenEXR project implements a comprehensive suite of validation | ||
| tests, including fuzz testing to harden against malicious input | ||
| data. Note that fuzz testing hardens only against *small* input data | ||
| files and is not a comprehensive test against all potential input. | ||
|
|
||
| Note that the | ||
| [exrcheck](https://github.com/AcademySoftwareFoundation/openexr/tree/main/src/bin/exrcheck) | ||
| utility is intended to be used by testers to demonstrate a particular | ||
| proof-of-concept input file exposes a vulnerability, and it is very | ||
| helpful to let us know if a vulnerability can be reproduced using that | ||
| tool. | ||
|
|
||
| The project also uses the [OSS | ||
| Fuzz](https://bugs.chromium.org/p/oss-fuzz) service for continuous | ||
| fuzz testing. | ||
|
|
||
| #### Development Cycle and Distribution | ||
|
|
||
| OpenEXR is downloadable and buildable by C/C++ source via GitHub. Only | ||
| members of the project's Technical Steering Committee, all veteran | ||
| software engineers at major motion picture studios or vendors, have | ||
| write permissions on the source code repository. All critical software | ||
| changes are reviewed by multiple TSC members. | ||
|
|
||
| The library is distributed in binary form via many common package | ||
| managers across all platforms. | ||
|
|
||
|
|
||
|
|
||