Update security policy

main
Kevin Backhouse 1 year ago
parent 28fa956ea9
commit f2de729719
No known key found for this signature in database
GPG Key ID: 9DD01852EE40366E

@ -4,12 +4,17 @@
| Exiv2 Version | Date | Tag | Branch | _Dot/Security_ Release | Date | Tag |
|:-- |:-- |:- |:-- |:-- |:- |:- |
| v0.28 | 2023-05-08 | v0.28.0 | 0.28.x | None | 2023-05-08 | v0.28.0 |
| v0.27 | 2018-12-20 | 0.27 | 0.27-maintenance | v0.27.1 | 2019-04-18 | 0.27.1 |
| v0.28 | 2023-05-08 | v0.28.0 | 0.28.x | v0.28.0 | 2023-05-08 | v0.28.0 |
| | | | | v0.28.1 | 2023-11-06 | v0.28.1 |
| | | | | v0.28.2 | 2024-02-13 | v0.28.2 |
| v0.27 | 2018-12-20 | 0.27 | 0.27-maintenance | v0.27.0 | 2018-12-20 | v0.27.0 |
| | | | | v0.27.1 | 2019-04-18 | v0.27.1 |
| | | | | v0.27.2 | 2019-07-29 | v0.27.2 |
| | | | | v0.27.3 | 2020-06-30 | v0.27.3 |
| | | | | v0.27.4 | 2021-06-15 | v0.27.4 |
| | | | | v0.27.5 | 2021-09-30 | v0.27.5 |
| | | | | v0.27.6 | 2023-01-18 | v0.27.6 |
| | | | | v0.27.7 | 2023-05-14 | v0.27.7 |
| v0.26 | 2017-04-28 | v0.26 | 0.26 | None | | |
| v0.25 | 2015-06-21 | _None_ | 0.25 | None | | |
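Review bot: the Tag column is inconsistent in the rewritten `v0.27` row: the release tag is written `0.27` with no `v` prefix, while every other tag in the table, including the `v0.27.0` dot-release tag on the same line and `v0.28.0` in the 0.28 row, carries one. Either the tag really is named `0.27` (then say so, since a reader will try `git checkout v0.27` by analogy with the other rows) or it should read `v0.27`; check with `git tag --list '*0.27*'` and make the column uniform. The Branch column likewise mixes naming schemes (`0.28.x` next to `0.27-maintenance`); if both branches exist under those exact names that is fine, but a short note on which branch still receives security backports would help a reporter decide whether a bug in a supported line qualifies.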
@ -17,19 +22,18 @@
If you have found a security vulnerability in Exiv2, please follow these steps:
* Send an email to our security contact person: [Kevin Backhouse](https://github.com/kevinbackhouse) (kevinbackhouse@github.com).
* We will create a draft [security advisory](https://github.com/Exiv2/exiv2/security/advisories) and invite you as a collaborator.
* Add a comment to the draft security advisory with a detailed description of the vulnerability. (Please don't use the "Description" field, because we'll use the "Description" field to write a short summary later.)
* Click [this link](https://github.com/Exiv2/exiv2/security/advisories/new) to create a draft security advisory.
* Write a detailed description of the vulnerability in the draft advisory.
* Include all of the following details in your description of the vulnerability:
* Exact version of Exiv2 that you tested. _For example: commit [194bb65ac568a5435874c9d9d73b1c8a68e4edec](https://github.com/Exiv2/exiv2/commit/194bb65ac568a5435874c9d9d73b1c8a68e4edec)_
* Platform used. _For example: Ubuntu 20.04.2 LTS (x86\_64)_
* Platform used. _For example: Ubuntu 22.04.3 LTS (x86\_64)_
* Exact command used to build Exiv2. _For example: `mkdir build; cd build; cmake ..; make`_
* Attach a copy of the image file that triggers the bug. _For example: `poc.jpg`_
* Exact command line arguments that trigger the bug. _For example: `./bin/exiv2 poc.jpg`_
* Crash output (stdout + stderr).
* The source location of the bug and/or any other information that you are able to provide about what the cause of the bug is.
The draft security advisory is private until we publish it, so it is a good place to discuss the details of the vulnerability privately. For the initial email, just a summary of the issue is sufficient.
The draft security advisory is private until we publish it, so it is a good place to discuss the details of the vulnerability privately.
To qualify as a security issue, the bug **must** be reproducible on an official release of Exiv2, via a realistic attack vector. As a general rule, that means it should be possible to trigger the bug by running the `exiv2` command-line application on a malicious input file. Please note that the applications in the `samples` sub-directory are demo applications that are not intended for production use, so we usually do not consider bugs in those applications to be security vulnerabilities. However, if one of the sample applications reveals a legitimate bug in the exiv2 library then we will still consider it as a potential security issue.
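Review bot: the new workflow is email first, then a maintainer-created private advisory, but the checklist still reads as if everything goes into the reporter's first message: the bullets say `Attach a copy of the image file that triggers the bug` and ask for crash output, while the sentence added at the end says the initial email should contain only a summary. Suggest stating at the top of the checklist that the PoC file, exact command line and crash output belong in the draft advisory (which is private) and not in the initial email, so reporters do not send trigger files in cleartext to a personal mailbox. Two smaller points: the process now depends on a single named contact with no published encryption key and no fallback (a second maintainer, or the `advisories/new` route the removed bullet pointed to) if that person is unavailable; and `Please don't use the "Description" field` would be easier to follow if it also said where the detailed write-up should go instead, i.e. as a comment on the advisory thread.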
