libjxl

vuln_playbook.md (12010B)

---

 # Security Vulnerabilities Playbook
 
 ## Reporting security bugs
 
 Report security bugs by emailing libjxl-security@google.com.
 
 Don't open a GitHub issue, don't discuss it public forums like Discord and don't
 send a Pull Request if you think you have found a security bug.
 
 ## Overview
 
 This document outlines the guidelines followed by the project when handling
 security bugs, their fixes, disclosure and coordination with security
 researchers. For more context about this guide, read the [coordinated
 vulnerability disclosure
 guidelines](https://github.com/google/oss-vulnerability-guide/blob/main/guide.md)
 from Google Open Source Programs Office.
 
 The main target audience of this guide is the coordinator from the libjxl
 Vulnerability Management Team (VMT) handling the requests, however it is useful
 for other people to understand what to expect from this process.
 
 Members of the VMT monitor the reports received by email and will coordinate
 for these to be addressed. This doesn't mean that said member would fix the bug,
 but their responsibility is to make sure it is handled properly according to
 this guide.
 
 ## Life of security bug
 
 The Coordinator from VMT will make sure that the following steps are taken.
 
 1. Acknowledge the bug report.
 
 Our policy mandates a maximum of **3 business days** to respond to bug reports
 in the given email, but you should respond as soon as possible and keep a fluid
 communication with the reporter, who has spent some time looking at the issue.
 
 2. Determine if the bug is a security bug covered by our policy.
 
 Not all bugs are security bugs, and not all security bugs are covered by this
 vulnerability disclosure policy. See the [What's a Security bug] section below.
 
 3. Determine the affected versions.
 
 Often new bugs on stable projects are found on new features or because of those
 new features, so only the most recent versions are affected. It is important to
 determine both what older versions are affected, so users running those older
 versions can patch or update the software, and also what older versions are
 *not* affected. It is possible that stable distributions ship older versions
 that didn't contain the bug and therefore don't need to patch the code. Often
 maintainers of package distributions need to patch older versions instead of
 updating due to incompatibilities with newer ones and they need to understand
 what's the vulnerable code.
 
 Security bugs that have already been fixed in `main` or in already released code
 but not disclosed as a vulnerability, for example if fixed as a result of a
 refactor, should be treated like any other security bug in this policy and
 disclosed indicating the range of older affected versions (expect for versions
 before 0.5, see below). In such case a new release would likely not be needed if
 one already exists, but stable distributions may be still using those version
 and need to be aware of the issue and fix.
 
 If no released version is affected by the bug, for example because it was only
 introduced in the `main` branch but not yet released, then no vulnerability
 disclosure is needed.
 
 Note: Versions before 0.5 are not covered by the security policy. Those versions
 have multiple security issues and should not be used anyway.
 
 4. Communicate with the reporter
 
 Communicate the decision to the reporter.
 
 If the bug was not considered a security bug or not covered by this policy,
 explain why and direct the reporter to open a public [issue in
 GitHub](https://github.com/libjxl/libjxl/issues) or open one on their behalf.
 You don't need to follow the rest of the guide in this case.
 
 If the bug *is* a covered security bug then follow the rest of this guide.
 
 Ask the reporter how they want to be credited in the disclosure: name and
 company affiliation if any. Security researchers often value this recognition
 and helps them dedicate their time to finding security bugs in our project.
 
 There's no bug bounty (monetary compensation for security bugs) available for
 libjxl.
 
 5. Create a Security Advisory draft in GitHub
 
 At this point it was established that the bug is a security issue that requires
 a vulnerability disclosure. Start by creating a Security Advisory draft in the
 [Security Advisories](https://github.com/libjxl/libjxl/security/advisories) page
 in GitHub.
 
 Add a short description of the bug explaining what's the issue and what's the
 impact of the issue. Being 'hard' or 'complex' to exploit is not a reason to
 discard the potential impact. You can update this description later, save it as
 a draft in GitHub.
 
 Add the reporter to the security advisory draft if they have a GitHub account,
 and add the project members that will be working on a fix for the bug.
 
 Establish the severity of the issue according to the impact and tag the
 appropriate Common Weakness Enumeration (CWE) values. This helps classify the
 security issues according to their nature.
 
 6. Work on a fix in a private branch
 
 Coordinators can work on the fix themselves, use a proposed fix from the
 reporter if there is one, or work with other project members to create one.
 
 Work on a fix for the bug in *private*. Don't publish a Pull Request with the
 fix like you normally do, and don't upload the fix to your libjxl fork. If you
 ask another project member to work on it, explain them that they should follow
 this guide.
 
 7. Request a CVE number
 
 The Common Vulnerabilities and Exposures (CVE) is the system used to disclose
 vulnerabilities in software. A CVE number, like CVE-2021-NNNNNN, is a unique
 identifier for a given vulnerability. These numbers are assigned by a CVE
 Numbering Authority (CNA) with scope on the given project that has the
 vulnerability. For libjxl, we use Google's Generic CNA.
 
 For VMT coordinators at Google, file a bug at
 [go/cve-request](https://goto.google.com/cve-request) to request a CVE. See
 go/vcp-cna for context.
 
 When requesting the CVE include:
 
  * A description of the problem (example: bug when parsing this field)
  * A description of the impact of the bug (example: OOB read, remote code
    execution, etc)
  * The proposed CWE id(s) determined earlier.
  * List of affected versions.
  * Reporter of the bug and their preferred name/company to include in the
    disclosure.
  * Links to the issues/fixes (if already public), these can be added later, even
    after the CVE is public.
  * The CPE prefix of the affected project (`cpe:2.3:a:libjxl_project:libjxl`)
 
 When in doubt, you can discuss these with the security team while requesting it.
 
 8. File a Security bug in Chromium (if affected).
 
 libjxl project is in charge of updating and maintaining Chromium's libjxl
 integration code, this includes updating the libjxl library when needed. While
 the regular CVE disclosure process will eventually create a bug to update
 Chromium, filing one at this stage speeds up the process.
 
 [go/crbug](https://goto.google.com/crbug), select the "Security Bug" template
 and complete the details. This bug will be used to keep track of what versions
 of Chromium need backporting. The new bug in Chromium will not be public
 initially, but will be made public some time after the issue is fixed.
 
 9. Test the fixes on the intended releases
 
 When disclosing a vulnerability normally two ways to fix it are offered:
 
  * A patch or set of patches that fix the issue on `main` branch, and
  * A new release that contains the security fix for the user to update to.
 
 New releases that fix the vulnerability should be PATCH releases, that is, a
 previous release (like 1.2.3) plus the patches that fix the vulnerability,
 becoming a new version (like 1.2.4). See the [release process](release.md) for
 details. At least the latest MINOR release branch should have a PATCH release
 with the fix, however it might make sense to also backport the fix to older
 minor branch releases, depending on long-term support schedule for certain
 releases. For example, if many users are still using a particular older version
 of the library and updating to a new version requires significant changes (due
 to a redesigned API or new unavailable dependencies) it is helpful to provide a
 PATCH release there too.
 
 In either case, make sure that you test the fix in all the branches that you
 intend to release it to.
 
 The Continuous Integration pipelines don't work on the private forks created by
 the Security Advisory, so manual testing of the fix is needed there before
 making it public. Don't upload it to your public fork for testing.
 
 10. Coordinate a date for release of the vulnerability disclosure.
 
 Agree with the reporter and security folks from the CNA on a release date. There
 is a maximum of 90 day disclosure timeline from the day the bug was reported.
 
 On the disclosure date publish the fixes and tag the new PATCH release with the
 fix. You can prepare private drafts of the release for review beforehand to
 reduce the workload.
 
 Update Chromium to the new release version (if affected) and work with Chrome
 engineers on the required backports.
 
 ## What's a Security bug
 
 A security bug is a bug that can potentially be exploited to let an attacker
 gain unauthorized access or privileges. For example, gaining code execution in
 libjxl decoder by decoding a malicious .jxl file is a security but hitting a
 `JXL_ASSERT()` is not necessarily one.
 
 The supported use cases to consider in the context of security bugs that require
 a vulnerability disclosure are "release" builds. The disclosure is intended for
 users of the project, to let them know that there is a security issue and that
 they should update or patch it.
 
 Unreleased versions are not relevant in this context. A bug introduced in the
 `main` branch that is not yet in any release is not covered by this guide even
 if the bug allows a remote code execution. CVEs should have a non-empty list of
 affected released versions.
 
 "Developer only" code is also not covered by this policy. In particular, tools
 that are not installed by the build, or not installed when packaging `libjxl`
 are not covered. For example, a bug in `tone_map` would not affect users since
 is a developer-only tool. The rationale behind this is that users of the
 released software will not have the developer code. This developer code is in
 the same libjxl repository for convenience.
 
 When considering the impact of a bug, "release" mode should be assumed. In
 release mode `JXL_ASSERT()` and `JXL_CHECK()` are enabled, but `JXL_DASSERT()`
 are not. This means that if a `JXL_DASSERT()` protects an out-of-bounds (OOB)
 write, then the impact of a bug hitting the `JXL_DASSERT()` is at least an
 OOB write. On the other hand, if a bug ends up hitting a `JXL_CHECK()` instead
 of continuing, the only impact is the process abort instead of whatever else is
 possible after the `JXL_CHECK()`.
 
 Asserts in `libjxl` *tools* cause the tool process to abort, but don't affect
 the caller. Either crashing or returning an error (non-zero exit code) would
 have the same effect, so `JXL_ASSERT()` failures in the tools have no security
 or functional impact.
 
 Asserts in `libjxl` libraries, meant to be linked into other processes, cause
 the caller process to abort, potentially causing a Denial of Service, however,
 Denial of Service issues are *not* considered security bugs by this policy.
 These are still issues and should be fixed, but they are not security issues.
 
 Out-of-bounds (OOB) reads in process memory are considered security
 vulnerabilities. OOB reads may allow an attacker to read other buffers from the
 same process that it shouldn't have access to, even a small OOB read can
 allow the attacker to read an address in the stack or in the heap, defeating
 address space randomization techniques. In combination with other bugs these
 can enable or simplify attacks to the process using libjxl. OOB reads don't need
 to require a segmentation fault to be a problem, leaking process information in
 decoded RGB pixels could be used as part of an exploit in some scenarios.
 
 OOB writes and remote code execution (RCE) are security bugs of at least high
 security impact.