Maniphest T101785

Policy for Vulnerability Reporting: Proposal
Confirmed, NormalDESIGN
Actions

Assigned To
Campbell Barton (campbellbarton)
Authored By
Campbell Barton (campbellbarton)
Oct 13 2022, 7:29 AM
Tags
  • BF Blender
Subscribers
Bastien Montagne (mont29)
Brecht Van Lommel (brecht)
Campbell Barton (campbellbarton)
Dalai Felinto (dfelinto)
Dan McGrath (dmcgrath)
Francesco Siddi (fsiddi)
Philipp Oeser (lichtwerk)
2 More Subscribers

Description

This task proposes to formalize how security vulnerabilities reports are handled.

The following text is a proposal for a page describing the process of handling vulnerabilities.

Intended destination: https://wiki.blender.org/wiki/Process/Vulnerability_Reports to be listed along side "Bug Reports" on the communication page.

= Blender Vulnerability Reporting Policy =

== General Process ==

Security issues should be reported to `{security[at]blender.org}`. The security team will typically get back to vulnerability reporters within several days.

== Timelines ==

Since addressing most vulnerabilities in Blender requires coordination between developers the time between initial report of a vulnerability and its public disclosure will vary.

Expectations for handling vulnerabilities:

* All reports responded within 14 days.
* All medium or high severity vulnerabilities patched within 60 days of having been publicly known.
* All critical vulnerabilities fixed shortly after they are reported.
* Updates to official Blender releases available for current and long term support (LTS) releases.

== Vulnerability vs regular bug ==

It is not possible to provide guidance on what constitutes a security vulnerability and what is just an ordinary software bug. When in doubt, please contact the Blender security team.

== Public Disclosure ==

Security related issues are to be disclosed by Blender's security team via blender's issue tracking system
[tagged with "Security"] and sent to a the `{security-announce}` mailing list.
Disclosure may be postponed until a fix is available.

== 3rd Party Libraries ==

The security team actively tracks CVEs for Blender and 3rd party libraries.
When such a vulnerability is determined to impact Blender releases,
updates and public disclosure are handled the same as other security issues.

<!-- For vulnerabilities in 3rd party libraries, see: [See Blender CVE Policy] `{a separate WIP document}` -->

Notes:

  • The "Public Disclosure" mentions a {security-announce} mailing list. This is most likely to be useful for Linux package maintainers. While I'd rather avoid more mailing lists I don't think it's reasonable to expect Linux package maintainers to follow tagged tasks on Blender's issue tracker.
  • This document doesn't cover what we consider medium to high risk (it's implied this is up to the developers involved to decide), the kinds of issues flagged as security concerns by static analysis tools can be handled as regular bugs in practically all cases. We don't need to state these details on the policy though.
  • To my knowledge the occurrence of medium or greater risk vulnerabilities is very low, so while our process for handling these should be correct, I'm wary of having more complex processes for something that's infrequent.

Open Topics:

  • KDE offers secure PGP encrypted email (in case of email interception) this seems more applicable to system-level software, but we could consider supporting it.
  • The {security-announce} list could be used to notify us of CVE's in libraries Blender uses too (no strong opinion on this at the moment).
  • Communicating with down-stream Linux package maintainers before public disclosure isn't part of this document - flagging this as something to address.
  • When to create CVE's for Blender (again, doesn't have to be handled in this document, but it would be good to have a clear policy on that).

Related Objects
Search...

StatusSubtypeAssignedTask
 ConfirmedDESIGNNoneT71640 Development Policies
 ConfirmedDESIGNCampbell Barton (campbellbarton)T101785 Policy for Vulnerability Reporting: Proposal

Event Timeline

Campbell Barton (campbellbarton) changed the task status from Needs Triage to Confirmed.Oct 13 2022, 7:29 AM
Campbell Barton (campbellbarton) created this task.
Campbell Barton (campbellbarton) updated the task description.Oct 13 2022, 7:32 AM
Campbell Barton (campbellbarton) updated the task description.Oct 13 2022, 7:40 AM
Campbell Barton (campbellbarton) mentioned this in T71640: Development Policies.
Dalai Felinto (dfelinto) added a comment.EditedOct 13 2022, 10:56 AM

Feedback on the content:

Personally I would make it explicit that the "security team" (or Blender developers) is the one responsible for the Public Disclosure, not the reporter. Reading this with a layman's eyes I got that I would need to write to security@blender.org, but then also create a task.

Feedback on the form:

The text has a lot of English problems by the way:

  • (...) guidance on what constitutes (...)
  • Security issues should be reported to {security[at]blender.org} . The security team will typically get (...)

The list of Expectations for handling vulnerabilities: overall reads rather badly. A suggestion:

* All reports responded within 14 days.
* All medium or high severity vulnerabilities patched within 60 days of having been publicly known.
* All critical vulnerabilities fixed shortly after they are reported.
* Updates to official Blender releases available for current and long term support (LTS) releases.

Now, I would be a bit wary of promising patches/fixes for all medium CVEs. Is that a standard thing to do? Or where you referring only to the public disclosure? I honestly couldn't get this from the original text and I'm assuming you were talking about the fix itself.

Brecht Van Lommel (brecht) added a comment.Oct 13 2022, 1:06 PM

For CVE policy, I think all we need to mention is something like this, and not link to another document.

The security team actively tracks CVEs for Blender and 3rd party libraries. When such a vulnerability is determined to impact Blender releases, updates and public disclosure are handled the same as other security issues.

The rest of the CVE policy I was writing either overlaps or is about the internal process.

I would not use "medium" severity in the text, since we don't even define it. Maybe just say:

  • All high severity vulnerabilities patched within 60 days of having been publicly known.

Then we can still figure out how what we consider low/medium/high as we get a sense of the types of issues reported.

Regarding a {security-announce} mailing list, I guess in general package maintainers are interested in tracking Blender releases, and then it's useful to know which ones have security fixes? But I'm not sure how they are tracking releases now.

Ray Molenkamp (LazyDodo) added a subscriber: Ray Molenkamp (LazyDodo).Oct 13 2022, 3:26 PM
In T101785#1431843, @Brecht Van Lommel (brecht) wrote:

I would not use "medium" severity in the text, since we don't even define it. Maybe just say:
Then we can still figure out how what we consider low/medium/high as we get a sense of the types of issues reported.

cvss defines these already, best not to run our own classification system here.

The security team will respond to reports within 14 days.

Sounds fine.

No unpatched vulnerabilities of medium or higher severity that have been publicly known for more than 60 days.

"No Unpatched" means source fix only?

All critical vulnerabilities rapidly after they are reported.

I think your forgot to verb :)

Updates to official Blender releases will be available for current and long term support (LTS) releases.

How is this different from our current/normal release process? If it's the same, why mention it? if it's different, what's different about it?

Dan McGrath (dmcgrath) added a comment.Oct 13 2022, 4:01 PM

Ah, the "cyber" 🤔

Just figure I would drop a URL or two that might be helpful to some that are looking into some of the various topics of this thread:

Brecht Van Lommel (brecht) added a comment.Oct 13 2022, 5:07 PM
In T101785#1431940, @Ray Molenkamp (LazyDodo) wrote:

cvss defines these already, best not to run our own classification system here.

The issue is that there are some CVEs marked as high (meaning "catastrophic adverse effect"), which actually have no real impact for Blender users. Being required to do a new release based on a classification set by a third party does not seem great to me, although we could see how it goes and if it's much of a problem in practice.

Sergey Sharybin (sergey) added a comment.Oct 13 2022, 5:25 PM

Those third parties have much better idea of severity of a problem, and whether some code bug has a practical exploit associated with it. A high number is not going to be assigned to a vulnerability which does not have huge impact on the users of that software.

To me the review is more on a side of: is the vulnerable piece of code enabled in the library we use or not. If some level 10 CVE is in the code which we do not enable (i.e. we don't enable all FFmpeg features) then we do not need to rush with update. If the level 10 is in the codepath of a library which we actually use we'd better do something.

Ray Molenkamp (LazyDodo) added a comment.Oct 13 2022, 5:44 PM

cvss accounts for that , things being marked "high" is only the base score, though temporal and environmental scores the final score can be drastically different, i encourage everyone to read the specifications i linked , if you're crunched for time or just want a tl;dr this will do.

If you want something more hands on, the NVD has a calculator on every CVE listed, for instance on https://nvd.nist.gov/vuln/detail/CVE-2022-25235 click on the 9.8 Critical base score, and you'll be able to set additional properties.

For instance libexpat is not connected to the network stack for us and used mainly by OCIO, someone would have to install a custom OCIO profile to trigger the problem.

So in environmental:
set Attack Complexity (MAC) to High as an attacker must get the user to both download and install the profile
set Attack Vector (MAV) to local as blender does not access the network
set Privileges Required (MPR) to Low as a regular user can do this
set User Interaction (MUI) to required as the user has to manually download and install and select the profile in blender

Which bring the final score down already from 9.8 to 6.7

Brecht Van Lommel (brecht) added a comment.EditedOct 13 2022, 6:39 PM

Some examples of high severity that I don't think actually have a huge impact on our users:

  • CVE-2022-2832: crash in headless build, which is not a build option official releases or Linux packages use.
  • CVE-2022-2833: endless loop in the thumbnailer. (Incorrectly?) marked as having network attack vector.
  • CVE-2005-3151: buffer overflow in Blender player could allow arbitrary code execution. Blender player already executed arbitrary Python code by design, so no additional risk.

This is all fine to fix the next release and monthly LTS, but I wouldn't schedule a new release for them. Though with the current frequency of releases this may just be a non-issue and we can just put fixes in the releases already scheduled. So maybe not worth overthinking this.

The environmental scores are interesting, we could calculate them to mention in public disclosure.

Ray Molenkamp (LazyDodo) added a comment.Oct 13 2022, 7:38 PM

I appears vendors are free to dispute or request changes to a record. if we disagree with the assessment of CVE-2022-2833 there's a process for either updating or disputing I have to admit we're rapidly approaching the boundaries of my knowledge on this subject and i have no idea how any of this would be done practically.

Brecht Van Lommel (brecht) added a comment.Oct 13 2022, 8:14 PM

My main concern is adding unnecessary overhead. This bug should be (and was) fixed regardless, not really worth getting into some process to dispute scores that adds another type of overhead.

Anyway, I think it's fine to wait and see if it will be an actual problem.

Campbell Barton (campbellbarton) updated the task description.Oct 14 2022, 10:47 AM
Campbell Barton (campbellbarton) updated the task description.
Campbell Barton (campbellbarton) updated the task description.Oct 14 2022, 10:53 AM
Brecht Van Lommel (brecht) added a comment.Oct 14 2022, 2:49 PM

+1 on the proposed text now.

Campbell Barton (campbellbarton) added a comment.EditedOct 17 2022, 11:01 AM
In T101785#1431740, @Dalai Felinto (dfelinto) wrote:

Feedback on the content:

Personally I would make it explicit that the "security team" (or Blender developers) is the one responsible for the Public Disclosure, not the reporter. Reading this with a layman's eyes I got that I would need to write to security@blender.org, but then also create a task.

Edited to make this clear.

In T101785#1431740, @Dalai Felinto (dfelinto) wrote:

The list of Expectations for handling vulnerabilities: overall reads rather badly. A suggestion:

* All reports responded within 14 days.
* All medium or high severity vulnerabilities patched within 60 days of having been publicly known.
* All critical vulnerabilities fixed shortly after they are reported.
* Updates to official Blender releases available for current and long term support (LTS) releases.

Applied.

Now, I would be a bit wary of promising patches/fixes for all medium CVEs. Is that a standard thing to do? Or where you referring only to the public disclosure? I honestly couldn't get this from the original text and I'm assuming you were talking about the fix itself.

The section is "expectations" these aren't promises - that could be stated more explicitly, something along the lines of "These time-frames for resolving issues assurances we will make a concerned effort are met, although we cannot give absolute promises." - it feels a bit weasely though.

As for "all vulnerabilities", I think it's reasonable for vulnerabilities that apply to Blender (excluding CVE's in 3rd party libraries that don't apply to Blender at all).

In T101785#1431940, @Ray Molenkamp (LazyDodo) wrote:

No unpatched vulnerabilities of medium or higher severity that have been publicly known for more than 60 days.

"No Unpatched" means source fix only?

We could be more explicit and say source fix and binary builds available, I'm not sure it's needed but if others prefer, the wording can be updated to note that both source patches and binaries will be available.

Updates to official Blender releases will be available for current and long term support (LTS) releases.

How is this different from our current/normal release process? If it's the same, why mention it? if it's different, what's different about it?

This is just making something explicit that users might assume. It's to be clear that we will *not* be providing fixes to older releases.

An awkward aspect to this is users on older Linux distributions may well have known vulnerabilities (if those issues are with Blender it's self and not in the 3rd party libraries). This is part of the reason I think a security-announce mailing list is needed, so anyone wanting to maintain security fixes for outdated releases is able to do so.
Although handling this can be a separate topic.

Dalai Felinto (dfelinto) added a comment.Oct 17 2022, 12:55 PM

happy with the edits as well

Campbell Barton (campbellbarton) updated the task description.Dec 7 2022, 4:42 AM

As there seems to be general agreement that this can go in, I think this is only waiting on a {security-announce} mailing list to be created, having a link to [See Blender CVE Policy] would be good too.

Dan McGrath (dmcgrath) added a comment.Dec 7 2022, 2:17 PM
In T101785#1456057, @Campbell Barton (campbellbarton) wrote:

As there seems to be general agreement that this can go in, I think this is only waiting on a {security-announce} mailing list to be created, having a link to [See Blender CVE Policy] would be good too.

Were you thinking about a Mailman mailing list, similar to bf-committers and friends? Or were you aiming more for a Google Workspace group? While I presume Mailman, when an upgrade to 3.x does finally come around, it could have links break.

Brecht Van Lommel (brecht) added a comment.Dec 12 2022, 6:16 PM

I don't know if there really is demand for a security-announce mailing list, I'd wait until someone ask for that before creating it.