
Commit b765658

cary-ilm and meshula committed
Document security expectations (#1623)
* Document security expectations. Signed-off-by: Cary Phillips <[email protected]>
* Mention Imath as a dependency. Signed-off-by: Cary Phillips <[email protected]>
* Update SECURITY.md. Co-authored-by: Nick Porcino <[email protected]>. Signed-off-by: Cary Phillips <[email protected]>
* Change 'Threat Model' to 'Potential Vulnerabilities'. Signed-off-by: Cary Phillips <[email protected]>
* Mention GitHub issue as fallback security contact. Signed-off-by: Cary Phillips <[email protected]>
* GitHub security advisory. Signed-off-by: Cary Phillips <[email protected]>
* Mention exrcheck. Signed-off-by: Cary Phillips <[email protected]>

Signed-off-by: Cary Phillips <[email protected]>
Co-authored-by: Nick Porcino <[email protected]>
1 parent 74f3a2d commit b765658

1 file changed

+114
-11
lines changed

SECURITY.md

Lines changed: 114 additions & 11 deletions
@@ -6,17 +6,15 @@
66
## Reporting a Vulnerability
77

88
If you think you've found a potential vulnerability in OpenEXR, please
9-
report it by emailing [email protected]. Only Technical Steering
10-
Committee members and Academy Software Foundation project management
11-
have access to these messages. Include detailed steps to reproduce the
12-
issue, and any other information that could aid an investigation. Our
13-
policy is to respond to vulnerability reports within 14 days.
14-
15-
Our policy is to address critical security vulnerabilities rapidly and
16-
post patches as quickly as possible. If you do not get a response to a
17-
message sent to [email protected] within 48 hours, contact the
18-
project maintainers via a GitHub
19-
[Issue](https://github.com/AcademySoftwareFoundation/openexr/issues).
9+
report it by filing a GitHub [security
10+
advisory](https://github.com/AcademySoftwareFoundation/openexr/security/advisories/new). Alternatively,
11+
email [email protected] and provide your contact info for further
12+
private/secure discussion. If your email does not receive a prompt
13+
acknowledgement, your address may be blocked.
14+
15+
Our policy is to acknowledge the receipt of vulnerability reports
16+
within 48 hours. Our policy is to address critical security vulnerabilities
17+
rapidly and post patches within 14 days if possible.
2018

2119
## Known Vulnerabilities
2220

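Review bot: the new fallback sentence ("If your email does not receive a prompt acknowledgement, your address may be blocked") tells the reporter what went wrong but not what to do next, and the commit message says a GitHub-issue fallback was meant to be kept, yet the removed text with the Issue link is the only place it appeared. Suggest finishing the sentence with an instruction, e.g. "... your address may be blocked; in that case file a GitHub security advisory instead, or open a GitHub issue (without vulnerability details) asking for a private contact." The removed paragraph's statement that only TSC members and Academy Software Foundation project management can read messages to security@ was also dropped; a reporter deciding whether to put details in an email wants that confidentiality statement, so consider keeping it. Minor: "prompt acknowledgement" and "within 48 hours" describe the same promise in two places, and "Our policy is ... Our policy is ..." reads better as one sentence, e.g. "We acknowledge receipt of vulnerability reports within 48 hours and aim to address critical vulnerabilities rapidly, posting patches within 14 days where possible."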
@@ -61,3 +59,108 @@ These vulnerabilities are present in the given versions:
6159

6260
See the [release notes](CHANGES.md) for more information.
6361

62+
## Supported Versions
63+
64+
This gives guidance about which branches are supported with patches to
65+
security vulnerabilities.
66+
67+
| Version / branch | Supported |
68+
| --------- | ---------------------------------------------------- |
69+
| main | :white_check_mark: :construction: ALL fixes immediately, but this is a branch under development with a frequently unstable ABI and occasionally unstable API. |
70+
| 3.2.x | :white_check_mark: All fixes that can be backported without breaking ABI compatibility. |
71+
| 3.1.x | :warning: Only the most critical fixes, only if they can be easily backported. |
72+
| 3.0.x | :warning: Only the most critical fixes, only if they can be easily backported. |
73+
| 2.5.x | :warning: Only the most critical fixes, only if they can be easily backported. |
74+
| <= 1.x | :x: No longer receiving patches of any kind. |
75+
76+
## Security Expectations
77+
78+
### Software Features
79+
80+
- The OpenEXR project implements the EXR image file format, used
81+
throughout the motion picture industry and beyond, on Linux, macOS,
82+
and Windows.
83+
84+
- The project consists of a software run-time library, implemented in
85+
C/C++ and built via cmake, that reads and writes image data
86+
files. The project also distributes python wrappings for the C/C++
87+
I/O API.
88+
89+
- The library reads and writes binary image data and text-based
90+
metadata, treated as blind data, none of which is executable code.
91+
92+
- Other than the website and online technical documentation, the
93+
project implements no web/online services or network communication
94+
protocols. The library never requests any security or
95+
authentication credentials or login information from users.
96+
97+
The website implements no interactive features and requires no login
98+
credentials.
99+
100+
- The library reads and writes only to file paths specificly requested
101+
via the C/C++ API. The runtime library uses no system configuration
102+
files or sidecar data files. Access to data files uses only standard
103+
file I/O system calls.
104+
105+
- The library compresses/decompresses data via standard compression
106+
algorithms but uses no cryptographic or confidentiality protocols.
107+
108+
### Software Dependencies
109+
110+
OpenEXR depends on
111+
[Imath](https://github.com/AcademySoftwareFoundation/Imath), a library
112+
of basic math operations also maintained and distributed by the
113+
OpenEXR project. Imath follows the same security conventions
114+
documented here for OpenEXR itself. The core Imath library has no
115+
external dependencies. The Imath python bindings depend on python and
116+
boost.
117+
118+
The only
119+
external library dependency of OpenEXR is
120+
[libdeflate](https://github.com/ebiggers/libdeflate), which implements
121+
standard deflate/zlib/gzip compression and decompression.
122+
123+
The project uses
124+
[Snyk](https://github.com/AcademySoftwareFoundation/openexr/blob/main/.github/workflows/snyk-scan-pr.yml)
125+
to scan for dependency vulnerability.
126+
127+
### Potential Vulnerabilities
128+
129+
Potential entry points are images being loaded using the
130+
library. Malformed images could caused issues such as heap buffer
131+
overflows, out-of-memory faults, or segmentation faults that could be
132+
exploitable as denial-of-service attacks.
133+
134+
### Hardening
135+
136+
#### Testing
137+
138+
The OpenEXR project implements a comprehensive suite of validation
139+
tests, including fuzz testing to harden against malicious input
140+
data. Note that fuzz testing hardens only against *small* input data
141+
files and is not a comprehensive test against all potential input.
142+
143+
Note that the
144+
[exrcheck](https://github.com/AcademySoftwareFoundation/openexr/tree/main/src/bin/exrcheck)
145+
utility is intended to be used by testers to demonstrate a particular
146+
proof-of-concept input file exposes a vulnerability, and it is very
147+
helpful to let us know if a vulnerability can be reproduced using that
148+
tool.
149+
150+
The project also uses the [OSS
151+
Fuzz](https://bugs.chromium.org/p/oss-fuzz) service for continuous
152+
fuzz testing.
153+
154+
#### Development Cycle and Distribution
155+
156+
OpenEXR is downloadable and buildable by C/C++ source via GitHub. Only
157+
members of the project's Technical Steering Committee, all veteran
158+
software engineers at major motion picture studios or vendors, have
159+
write permissions on the source code repository. All critical software
160+
changes are reviewed by multiple TSC members.
161+
162+
The library is distributed in binary form via many common package
163+
managers across all platforms.
164+
165+
166+

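Review bot: "Potential Vulnerabilities" presents heap buffer overflows as exploitable only as denial of service; a heap overflow in a file parser can corrupt memory in ways that go beyond a crash, so the document should not promise that the impact is limited to DoS. Suggest "Malformed images could cause issues such as heap buffer overflows, out-of-memory faults, or segmentation faults, exploitable at minimum as denial-of-service attacks" (this also fixes "could caused"). Other points in this hunk: "specificly" should be "specifically" in the file-path bullet; "buildable by C/C++ source" should be "from C/C++ source"; the sentence "The website implements no interactive features and requires no login credentials." sits at column 0 between two bullets, so it renders as a stray paragraph rather than part of the preceding bullet, and wants the same two-space indent as the bullet continuation lines. "Software Dependencies" says libdeflate is the only external dependency, but "Software Features" advertises python wrappings for the C/C++ API; state the wrappings' dependencies the way the paragraph already does for Imath (python at least), or scope the "only" claim to the core library. The exrcheck paragraph says who should use the tool but not what it does; one clause describing what it checks and reports would make the "reproduced using that tool" request actionable. Lines 165-166 add two trailing blank lines at end of file.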