Gentoo Linux Vulnerability Treatment Policy

Thierry Carrez  Author
Sune Kloppenborg Jeppesen  Author
Matthias Geerdsen  Author
Robert Buchholz  Author
Alex Legler  Author

Page updated February 2, 2012

1.  Scope

Supported architectures

Gentoo Linux is offered on many different architectures. Some of these architectures have more developers than others and, as such, are able to respond to new security vulnerabilities more quickly. While the ultimate goal of the Gentoo Security project is to ensure that all architectures receive security fixes at the same time, we must also balance that against releasing security fixes and GLSAs as quickly as possible so that the majority of our users are informed and protected.

For this reason, the Security Team separates Gentoo architectures into two groups, supported and unsupported:

Here is the list of currently supported architectures:

Supported architectures (in alphabetical order)
alpha
amd64
hppa
ppc
ppc64
sparc
x86

All architectures are welcome and encouraged to become a supported architecture. There are two straightforward criteria that need to be met in order to be officially supported by the Gentoo Security project:

Kernels

Kernels are not covered by the GLSA release process. Vulnerabilities must still be reported and will be fixed, but no GLSA will be issued when everything is solved.

Note: The kernel-check utility is being developed to provide Kernel security information. This policy should be updated accordingly when it is ready.

Non-stable packages

Sometimes a vulnerability is found in a package that is not part of the stable trees. This is the case when the vulnerability is a security regression in a newer (~ARCH) ebuild, but the older (stable) packages are not affected, or when the package has never had any stable ebuilds in the tree. In this case the vulnerability must still be reported and will be fixed, but no GLSA will be issued when everything is solved.

Note: This policy might be changed when our tools support more complex upgrade paths and if a sufficient number of GLSA coordinators join the Security Team.

2.  Vulnerability feed

Published vulnerabilities

Each vulnerability should initially be entered as a Bugzilla entry with product "Gentoo Security" and component "Vulnerabilities" (assigned to security@gentoo.org). Major security lists should have official scouts assigned to them which should ensure that all vulnerabilities announced on these lists get a security Bugzilla entry.

Confidential vulnerabilities

Confidential vulnerabilities (for example coming from developer's direct communication or restricted lists) must follow a specific procedure. They should not appear as a public bugzilla entry, but only in security-restricted media like a private bugzilla section or the GLSAMaker tool. They should get corrected using private communication channels between the GLSA coordinator and the package maintainer.

Note: Communication for confidential vulnerabilities should be properly encrypted. They should be sent to specific Security Team members and encrypted with their GPG key. The list of the Security Team members is available at security.gentoo.org, their key IDs can be looked up on the Gentoo Linux Developers List and their keys can be retrieved from the subkeys.pgp.net keyserver. The use of IRC and other unencrypted messaging methods is discouraged.

3.  Dispatch

Severity level

In order to seed the appropriate reaction times and escalation procedures, we need to assign a severity level to each vulnerability. This severity level must be based on how widespread the affected software is amongst Gentoo users and depth of the vulnerability.

You can use the following two tables to help you assign the severity level:

How widespread the package is Configurations affected
System package Default or specific A
Common package (supposed present on at least 1/20 Gentoo installs) Default A
Specific B
Marginal software (supposed present on less than 1/20 Gentoo installs) Default B
Specific C
Package that never had an affected version stable Default or Specific ~
Evaluate the vulnerability type Corresponding GLSA severity
Complete remote system compromise: remote execution of arbitrary code with root privileges 0 high
Remote active compromise: direct remote execution of arbitrary code with reduced or user rights on a server 1 high
Local privilege escalation: flaw allowing root compromise when you have local access 1 high
Remote passive compromise: remote execution of arbitrary code by enticing a user to visit a malicious server or using malicious data 2 normal
Global service compromise: Denial of Service, passwords, full database leaks, data loss (symlink attacks) 3 normal
Others: Cross-Site Scripting, information leak... 4 low

Here is the table of the resulting severity levels. They should be set to the Bugzilla severity level of the same name:

Severity level Corresponding evaluations Target delay GLSA
Blocker A0, B0 1 day yes
Critical A1, C0 3 days yes
Major A2, B1, C1 5 days yes
Normal A3, B2, C2 10 days yes
Minor A4, B3, B4, C3 20 days ?
Trivial C4, ~0, ~1, ~2, ~3, ~4 40 days no

Note: The delay indicated in this table is what we want to be the maximum time between the release of a fix by the upstream package developer and the release of a stable ebuild and corresponding GLSA.

Security Bug Wrangler role

Someone should assume the responsibility of security bug wrangler and do the following tasks as soon as a new vulnerability enters Bugzilla:

During this phase it may be necessary to ask the reporter for details. The bug remains with status UNCONFIRMED or CONFIRMED as long as necessary. When (if) the bug passes these sanity tests, it should be marked as IN_PROGRESS and the bug wrangler should do the following:

Warning: You should not change bug severity once it has been assigned. If you want to increase developer awareness that a bug needs care, use the Priority field instead.

Timeframe and backup procedures

This dispatch has to be done quickly after bug creation in order to seed short delays for major vulnerabilities and to show appreciation to the bug reporter. The target delay is 12 hours. The security bug wrangler has to maintain a list of possible GLSA coordinators with availabilities and preferred areas of expertise. In order to ensure permanent dispatch, the security bug wrangler job should have appropriate back-ups.

4.  Bug correction and GLSA draft

GLSA Coordinator role

The GLSA coordinator has responsibility for the following tasks:

Note: If the bug makes progress and the assigned GLSA coordinator does not react, the other members of the Security Team can help keeping the bug rolling by updating its status.

Timeframe and escalation procedures

In order to meet the target delay for vulnerability resolution, a number of escalation procedures have been defined. These include:

Good practices for security bugs

Security bugs differ from other bugs, in that an easy and simple upgrade path must be presented to users through the GLSA. Therefore package maintainers and GLSA coordinators should follow these good practices:

Temporary GLSAs

Note: This is no longer common practice.

If a blocker or critical or major vulnerability cannot totally be corrected in the target delay, an early warning GLSA should be written with workaround information. This GLSA will be replaced by the final GLSA when the definitive correction is available.

If a common (type A or B) package is masked for security reasons, a temporary GLSA should be issued to explain why the package is currently unavailable and/or why people should uninstall the current version. This GLSA will be replaced by the final GLSA when the fix becomes available and the package is unmasked.

5.  GLSA publication process

Peer review

Once ready, a GLSA should be submitted to peer review. At least two members of the Security Team must approve the draft GLSA. Once the draft passes the peer review process, it should be assigned an official GLSA number.

GLSA release

Once the GLSA passes the peer review process (and after making sure the ebuild has made its way into the stable tree), the GLSA coordinator should commit the GLSA XML in the Gentoo CVS repository. Once this is done, the GLSA will automatically appear on the official GLSA index page and RDF feed.

GLSA publication

The GLSA text version must be published by the GLSA coordinator to the following media:

Gentoo Linux official announcement mailing-list gentoo-announce@lists.gentoo.org
Gentoo Linux announcement forum http://forums.gentoo.org/viewforum.php?f=16

There should be one single email sent, with the following rules:

Note: Developer key IDs can be found on the Gentoo Linux Developer list. All the Security Team GPG keys are published on public key servers, including (but not limited to) subkeys.pgp.net.

Note: To minimize errors in the publication process, the forum publication step is handled by an automatic poster when it receives the announcement.

Note: Starting Feb 2, 2012, we have decied to no longer CC any third parties. The gentoo-announce mailing list has little other traffic, so that they should be subscribed there. General security mailing lists such as full- disclosure or bugtraq are not our target audience, and having various distributions send notices about the same issues is not of any use to most readers there, they too should be on gentoo-announce.

When the GLSA has been published the corresponding bugzilla bug should be resolved as FIXED, with the GLSA number referenced in the comments section of the bug. GLSAMaker 2 offers this option after releasing the advisory.

GLSA errata

Sometimes an error will slip through the peer-review process and an incorrect GLSA will be published to the world. Depending on the severity of the error(s), the following policy for erratum should be applied:

GLSA error type Erratum action
Typos: presentation, grammar or syntax errors Do nothing
Error in title: title is about another package or does not describe the vulnerability correctly An erratum GLSA should be published, replacing the erroneous one
Error in description: the problem is not described correctly The GLSA XML should be corrected, no publication
Omission: GLSA is correct but incomplete, you also need to update another package to get protection from that vulnerability A separate GLSA should be issued on the other vulnerable package
Error in affected/unaffected versions number, but people using stable packages and applying GLSA instructions are protected anyway The GLSA XML should be corrected, no publication
Error in affected/unaffected versions number, people applying GLSA instructions are not at all protected An erratum GLSA should be published, replacing the erroneous one