From nobody Fri May 17 05:50:14 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1607007396; cv=none; d=zohomail.com; s=zohoarc; b=nDErjc3XUNdpO4GmxOGKoB7DjyxaJic+WqlP5TziZdn6eJCaAO2GWqc+SBuGchvunRIZubhyPo6wWaDmxk3niJvuxcKjZwhlP3jaVF3PZnR2L+tfZ9nXqyGIqT9tTmrxJ/YNXAnXnaPePpn1HkcxpNk49nDHa6UA9jmBI5luTRo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1607007396; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=4bxVztI4btuqED8eafW5Py1hF4Uop/YYHVGy1kOAZy4=; b=KWXy836YVKjCTaNSqQ3ZmUFEIT8orzw+A2ZTUyM4qVsYc7qdayaa0GZ4OvW47B/UvR6de0QBjvgHvaw/2jFh2MRrMzRTU6763hXblY3bVgaVF0CIEnABSsRdgVp9qkZKpShGa4skZKaV/lyFnkAhvkL1Vo4B/PPEUkZr1RjldaU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 160700739607044.20654875050161; Thu, 3 Dec 2020 06:56:36 -0800 (PST) Received: from localhost ([::1]:49140 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kkpga-00036z-8c for importer@patchew.org; Thu, 03 Dec 2020 09:34:20 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:39446) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kkpdx-0001mP-Lt for qemu-devel@nongnu.org; Thu, 03 Dec 2020 09:31:37 -0500 Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:50802) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.90_1) (envelope-from ) id 1kkpdt-0008F6-Vd for qemu-devel@nongnu.org; Thu, 03 Dec 2020 09:31:36 -0500 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-504-l9P6xnHsNxCuSRF16GqcrQ-1; Thu, 03 Dec 2020 09:31:18 -0500 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id DF28A1922960; Thu, 3 Dec 2020 14:31:16 +0000 (UTC) Received: from localhost.localdomain (unknown [10.74.9.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 8B4AB60854; Thu, 3 Dec 2020 14:31:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1607005892; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4bxVztI4btuqED8eafW5Py1hF4Uop/YYHVGy1kOAZy4=; b=bOYkqO57g8byM3OmLH7bthIOQnsNVj2tguf7mRICqx4EZOi05dNWOrJtZmUaXCKNLauiwz T3aZ3zkekV8eo7IcFN/6d7yC7WhLQDa+a9ayHx7n0g++tEJg6lcDfvRKxgpLYdNMpilBHP VwZ85+pc+bAZ69prJpqgLsohqjexq+A= X-MC-Unique: l9P6xnHsNxCuSRF16GqcrQ-1 From: P J P To: Stefan Hajnoczi Subject: [PATCH v2 1/1] security-process: update process information Date: Thu, 3 Dec 2020 19:59:02 +0530 Message-Id: <20201203142902.474883-2-ppandit@redhat.com> In-Reply-To: <20201203142902.474883-1-ppandit@redhat.com> References: <20201203142902.474883-1-ppandit@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=ppandit@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=63.128.21.124; envelope-from=ppandit@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -15 X-Spam_score: -1.6 X-Spam_bar: - X-Spam_report: (-1.6 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.495, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URI_DOTEDU=1.999 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: peter.maydell@linaro.org, Stefano Stabellini , Petr Matousek , Prasad J Pandit , "Michael S . Tsirkin" , Michael Roth , Konrad Rzeszutek Wilk , QEMU Developers , Darren Kenny , =?UTF-8?q?Daniel=20P=20=2E=20Berrang=C3=A9?= Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) Content-Type: text/plain; charset="utf-8" From: Prasad J Pandit We are about to introduce a qemu-security mailing list to report and triage QEMU security issues. Update the security process web page with new mailing list address and triage details. Signed-off-by: Prasad J Pandit Acked-by: Stefano Stabellini Reviewed-by: Daniel P. Berrang=C3=A9 Reviewed-by: Darren Kenny Reviewed-by: Konrad Rzeszutek Wilk Reviewed-by: Petr Matousek --- contribute/security-process.md | 154 ++++++++++++++++++++------------- 1 file changed, 95 insertions(+), 59 deletions(-) Update v2: incorporate inputs from upstream reviews -> https://lists.nongnu.org/archive/html/qemu-devel/2020-12/msg00568.html -> https://lists.nongnu.org/archive/html/qemu-devel/2020-12/msg00584.html diff --git a/contribute/security-process.md b/contribute/security-process.md index 1239967..13b6b97 100644 --- a/contribute/security-process.md +++ b/contribute/security-process.md @@ -3,72 +3,110 @@ title: Security Process permalink: /contribute/security-process/ --- =20 -QEMU takes security very seriously, and we aim to take immediate action to -address serious security-related problems that involve our product. - -Please report any suspected security vulnerability in QEMU to the following -addresses. You can use GPG keys for respective receipients to communicate = with -us securely. If you do, please upload your GPG public key or supply it to = us -in some other way, so that we can communicate to you in a secure way, too! -Please include the tag **\[QEMU-SECURITY\]** on the subject line to help us -identify your message as security-related.=20 - -## QEMU Security Contact List - -Please copy everyone on this list: - - Contact Person(s) | Contact Address | Company | GPG Key | GPG key fing= erprint -:-----------------------|:------------------------------|:--------------|:= ---------:|:-------------------- - Michael S. Tsirkin | mst@redhat.com | Red Hat Inc. | [🔑](https:/= /pgp.mit.edu/pks/lookup?op=3Dvindex&search=3D0xC3503912AFBE8E67) | 0270 606= B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 - Petr Matousek | pmatouse@redhat.com | Red Hat Inc. | [🔑](https:= //pgp.mit.edu/pks/lookup?op=3Dvindex&search=3D0x3E786F42C44977CA) | 8107 AF= 16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA - Stefano Stabellini | sstabellini@kernel.org | Independent | [🔑](= https://pgp.mit.edu/pks/lookup?op=3Dvindex&search=3D0x894F8F4870E1AE90) | D= 04E 33AB A51F 67BA 07D3 0AEA 894F 8F48 70E1 AE90 - Security Response Team | secalert@redhat.com | Red Hat Inc. | [🔑= ](https://access.redhat.com/site/security/team/contact/#contact) | - Michael Roth | michael.roth@amd.com | AMD | [🔑](https://pgp.mit= .edu/pks/lookup?op=3Dvindex&search=3D0x3353C9CEF108B584) | CEAC C9E1 5534 E= BAB B82D 3FA0 3353 C9CE F108 B584 - Prasad J Pandit | pjp@redhat.com | Red Hat Inc. | [🔑](http://po= ol.sks-keyservers.net/pks/lookup?op=3Dvindex&search=3D0xE2858B5AF050DE8D) |= 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D=20 - -## How to Contact Us Securely - -We use GNU Privacy Guard (GnuPG or GPG) keys to secure communications. Mail -sent to members of the list can be encrypted with public keys of all membe= rs -of the list. We expect to change some of the keys we use from time to time. -Should a key change, the previous one will be revoked. - -## How we respond - -Maintainers listed on the security reporting list operate a policy of -responsible disclosure. As such they agree that any information you share = with -them about security issues that are not public knowledge is kept confident= ial -within respective affiliated companies. It is not passed on to any third-p= arty, -including Xen Security Project, without your permission. - -Email sent to us is read and acknowledged with a non-automated response. F= or -issues that are complicated and require significant attention, we will ope= n an -investigation and keep you informed of our progress. We might take one or = more -of the following steps: +Please report any suspected security issue in QEMU to the security mailing +list at: + +* [\](https://lists.nongnu.org/mailman/listinfo= /qemu-security) + +To report an issue via [GPG](https://gnupg.org/) encrypted email, please s= end +it to the Red Hat Product Security team at: + +* [\](https://access.redhat.com/security/team/contac= t/#contact) + +**Note:** after the triage, encrypted issue details shall be sent to the u= pstream +'qemu-security' mailing list for archival purposes. + +## How to report an issue: + +* Please include as many details as possible in the issue report. + Ex: + - QEMU version, upstream commit/tag + - Host & Guest architecture x86/Arm/PPC, 32/64 bit etc. + - Affected code area/snippets + - Stack traces, crash details + - Malicious inputs/reproducer steps etc. + - Any configurations/settings required to trigger the issue. + +* Please share the QEMU command line used to invoke a guest VM. + +* Please specify whom to acknowledge for reporting this issue. + +## How we respond: + +* Process of handling security issues comprises following steps: + + 0) **Acknowledge:** + - A non-automated response email is sent to the reporter(s) to acknowl= edge + the reception of the report. (*60 day's counter starts here*) + + 1) **Triage:** + - Examine the issue details and confirm whether the issue is genuine + - Validate if it can be misused for malicious purposes + - Determine its worst case impact and severity + [Low/Moderate/Important/Critical] + + 2) **Response:** + - Negotiate embargo timeline (if required, depending on severity) + - Request a [CVE](https://cveform.mitre.org/) and open an upstream + [bug](https://www.qemu.org/contribute/report-a-bug/) + - Create an upstream fix patch annotated with + - CVE-ID + - Link to an upstream bugzilla + - Reported-by, Tested-by etc. tags + - Once the patch is merged, close the upstream bug with a link to the + commit + - Fixed in: + +* Above security lists are operated by select analysts, maintainers and/or + representatives from downstream communities. + +* List members follow a **responsible disclosure** policy. Any non-public + information you share about security issues, is kept confidential within + members of the QEMU security team and a minimal supporting staff in their + affiliated companies. Such information will not be disclosed to third pa= rty + organisations/individuals without prior permission from the reporter(s). + +* We aim to process security issues within maximum of **60 days**. That is= not + to say that issues will remain private for 60 days, nope. After the tria= ging + step above + - If severity of the issue is sufficiently low, an upstream public bug + will be created immediately. + - If severity of the issue requires co-ordinated disclosure at a future + date, then the embargo process below is followed, and upstream bug w= ill + be opened at the end of the embargo period. + + This will allow upstream contributors to create, test and track fix patc= h(es). =20 ### Publication embargo =20 -If a security issue is reported that is not already publicly disclosed, an -embargo date may be assigned and communicated to the reporter. Embargo -periods will be negotiated by mutual agreement between members of the secu= rity -team and other relevant parties to the problem. Members of the security co= ntact -list agree not to publicly disclose any details of the security issue until -the embargo date expires. +* If a security issue is reported that is not already public and its sever= ity + requires coordinated disclosure, then an embargo date will be set and + communicated to the reporter(s). + +* Embargo periods will be negotiated by mutual agreement between reporter(= s), + members of the security list and other relevant parties to the problem. + The preferred embargo period is upto [2 + weeks](https://oss-security.openwall.org/wiki/mailing-lists/distros). + However, longer embargoes may be negotiated if the severity of the issue + requires it. + +* Members of the security list agree not to publicly disclose any details = of + an embargoed security issue until its embargo date expires. =20 ### CVE allocation =20 -An security issue is assigned with a CVE number. The CVE numbers will usua= lly -be allocated by one of the vendor security engineers on the security conta= ct -list. +Each security issue is assigned a [CVE](https://cveform.mitre.org/) number. +The CVE number is allocated by one of the vendor security engineers on the +security list. =20 -## When to contact the QEMU Security Contact List +## When to contact the QEMU Security List =20 -You should contact the Security Contact List if: +You should contact the Security List if: * You think there may be a security vulnerability in QEMU. * You are unsure about how a known vulnerability affects QEMU. * You can contact us in English. We are unable to respond in other languag= es. =20 -## When *not* to contact the QEMU Security Contact List +## When *not* to contact the QEMU Security List * You need assistance in a language other than English. * You require technical assistance (for example, "how do I configure QEMU?= "). * You need help upgrading QEMU due to security alerts. @@ -76,6 +114,9 @@ You should contact the Security Contact List if: =20 ## How impact and severity of a bug is decided =20 +**Security criterion:** + -> [https://www.qemu.org/docs/master/system/security.html](https://www= .qemu.org/docs/master/system/security.html) + All security issues in QEMU are not equal. Based on the parts of the QEMU sources wherein the bug is found, its impact and severity could vary. =20 @@ -122,8 +163,3 @@ used to write programs for the SoC device. In such deve= loper environments, it is generally assumed that the guest is trusted. =20 And thus, this buffer overflow turned out to be a security non-issue. - -## What to Send to the QEMU Security Contact List - -Please provide as much information about your system and the issue as poss= ible -when contacting the list. -- 2.28.0