# Security overview

## General

libexif is a software library to process EXIF data blobs, which are usually
embedded in JPEG files.

It allows reading, writing, changing and extracting this data (in binary and
textual form).


## Attack Surface

Any data blob put into the library should be assumed untrusted and
potentially malicious.

Parameters passed across the API/ABI by the calling program (pointers,
lengths, options) can be considered trusted.

The primary attack scenario is processing of files for EXIF content
extraction (displaying) via unattended services, up to and including
web services where files can be uploaded by potential attackers.

## Bugs considered security issues

(Mostly for CVE assignment rules.)

Triggering memory corruption of any form is considered in scope.
Triggering endless loops is considered in scope, since they would block services.
Triggering unintentional aborts is considered in scope.

Bugs reachable through common library usage patterns are in scope.

Crashes while writing data out as EXIF may be in scope.

## Bugs not considered security issues

Crashes caused by debugging functionality are not in scope.

## Bugreports

Bug reports can be filed as GitHub issues.

To report a security bug under embargo, contact dan@coneharvesters.com.
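The attack surface and the in-scope bug classes above describe what any consumer of untrusted EXIF data has to defend against: every offset and count in the blob is attacker-controlled, so an unchecked one is a memory-corruption bug, and a "next IFD" pointer that loops back on itself is an endless-loop bug. The following is an added example and not libexif's own code: a minimal walk over the IFD chain of an "Exif\0\0"-prefixed TIFF blob that checks each value against the blob size before the read it governs and refuses cyclic or unreasonably long IFD chains. The function names `exif_walk_ifds` and `exif_entry_count`, the verdict codes and the sample blobs are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of walking one EXIF blob (names are this example's, not libexif's). */
enum exif_verdict { EXIF_OK = 0, EXIF_TRUNCATED, EXIF_BAD_HEADER, EXIF_BAD_OFFSET, EXIF_IFD_LOOP };

/* Byte-order-aware reads; callers have already bounds-checked p[0..1] / p[0..3]. */
static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Bytes per TIFF value type (BYTE, ASCII, SHORT, LONG, RATIONAL, ...); unknown types map to 0. */
static const uint8_t type_size[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

/* Walk the IFD chain without trusting a single byte of the blob: every offset and count is
 * checked against `size` before the read it governs, and a visited-offset table turns a
 * self-referencing "next IFD" pointer into EXIF_IFD_LOOP instead of an endless loop.
 * If `entries` is non-NULL it receives the number of IFD entries seen. */
enum exif_verdict exif_walk_ifds(const uint8_t *blob, size_t size, unsigned *entries)
{
    enum { MAX_IFDS = 16 };
    uint32_t seen[MAX_IFDS], off;
    size_t nseen = 0, tsize;
    const uint8_t *tiff;
    int le;

    if (entries) *entries = 0;
    if (size < 6 + 8) return EXIF_TRUNCATED;            /* "Exif\0\0" + 8-byte TIFF header */
    if (memcmp(blob, "Exif\0\0", 6) != 0) return EXIF_BAD_HEADER;
    tiff = blob + 6;
    tsize = size - 6;
    if (tiff[0] == 'I' && tiff[1] == 'I') le = 1;
    else if (tiff[0] == 'M' && tiff[1] == 'M') le = 0;
    else return EXIF_BAD_HEADER;
    if (rd16(tiff + 2, le) != 42) return EXIF_BAD_HEADER;

    for (off = rd32(tiff + 4, le); off != 0; ) {
        size_t i, need;
        uint16_t n;

        for (i = 0; i < nseen; i++)
            if (seen[i] == off) return EXIF_IFD_LOOP;    /* chain revisits an IFD */
        if (nseen == MAX_IFDS) return EXIF_IFD_LOOP;     /* chain longer than any sane file */
        seen[nseen++] = off;

        if (off < 8 || off > tsize - 2) return EXIF_BAD_OFFSET; /* must follow the header, with room for the count */
        n = rd16(tiff + off, le);
        need = 2 + (size_t)n * 12 + 4;                   /* count + 12-byte entries + next-IFD pointer, in size_t */
        if (need > tsize - off) return EXIF_TRUNCATED;

        for (i = 0; i < n; i++) {
            const uint8_t *e = tiff + off + 2 + i * 12;
            uint16_t type = rd16(e + 2, le);
            uint32_t count = rd32(e + 4, le);
            uint64_t vbytes = type < 13 ? (uint64_t)type_size[type] * count : 0;
            if (vbytes > 4) {                            /* value is out of line: e[8..11] is an offset into the TIFF data */
                uint32_t voff = rd32(e + 8, le);
                if (voff > tsize || vbytes > tsize - voff) return EXIF_BAD_OFFSET;
            }
            if (entries) (*entries)++;
        }
        off = rd32(tiff + off + 2 + (size_t)n * 12, le); /* in range: covered by `need` above */
    }
    return EXIF_OK;
}

/* Entry count of a blob that walks cleanly, 0 otherwise. */
unsigned exif_entry_count(const uint8_t *blob, size_t size)
{
    unsigned n;
    return exif_walk_ifds(blob, size, &n) == EXIF_OK ? n : 0;
}

/* Constructed sample blobs (little-endian TIFF behind the "Exif\0\0" prefix), not real camera output. */
static const uint8_t blob_ok[] = {
    'E','x','i','f',0,0, 'I','I',0x2A,0, 8,0,0,0,        /* header: LE, magic 42, IFD0 at offset 8 */
    1,0,                                                  /* IFD0 holds one entry */
    0x0F,0x01, 2,0, 4,0,0,0, 'a','b','c',0,               /* tag Make, ASCII, 4 bytes, stored inline */
    0,0,0,0                                               /* next IFD: none */
};
static const uint8_t blob_loop[] = {                      /* same IFD, "next IFD" points back at itself */
    'E','x','i','f',0,0, 'I','I',0x2A,0, 8,0,0,0, 1,0,
    0x0F,0x01, 2,0, 4,0,0,0, 'a','b','c',0, 8,0,0,0
};
static const uint8_t blob_badoff[] = {                    /* IFD0 offset far outside the blob */
    'E','x','i','f',0,0, 'I','I',0x2A,0, 0xF0,0xFF,0xFF,0xFF
};
static const uint8_t blob_trunc[] = {                     /* claims 16 entries, carries one */
    'E','x','i','f',0,0, 'I','I',0x2A,0, 8,0,0,0, 16,0,
    0x0F,0x01, 2,0, 4,0,0,0, 'a','b','c',0, 0,0,0,0
};
static const uint8_t blob_bigval[] = {                    /* 4096-byte ASCII value "at" offset 20 of a 26-byte TIFF */
    'E','x','i','f',0,0, 'I','I',0x2A,0, 8,0,0,0, 1,0,
    0x0F,0x01, 2,0, 0,0x10,0,0, 20,0,0,0, 0,0,0,0
};

int main(void)
{
    printf("ok=%d (entries=%u) loop=%d badoff=%d trunc=%d bigval=%d\n",
           exif_walk_ifds(blob_ok, sizeof blob_ok, NULL), exif_entry_count(blob_ok, sizeof blob_ok),
           exif_walk_ifds(blob_loop, sizeof blob_loop, NULL),
           exif_walk_ifds(blob_badoff, sizeof blob_badoff, NULL),
           exif_walk_ifds(blob_trunc, sizeof blob_trunc, NULL),
           exif_walk_ifds(blob_bigval, sizeof blob_bigval, NULL));
    return 0;
}
```

Each of the five sample blobs exercises one check: the clean file walks with one entry, the looping chain is cut at its second visit to offset 8, the out-of-range IFD offset and the 4096-byte value that overruns the blob are rejected before any read, and the IFD that claims 16 entries in 18 remaining bytes is reported as truncated. The `need` arithmetic is done in `size_t` deliberately, since `count * 12` computed in 16 or 32 bits is a classic wrap that lets an attacker-chosen count pass a length check.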