Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies

Manuel A. Fernandez Montecelo manuel.montezelo at gmail.com
Mon Jul 2 10:43:25 UTC 2012


Replying again, it seems that spam filters don't like the URL...  You
can read the original message in:
http://lists.debian.org/debian-devel/2012/07/msg00026.html

2012/7/2 Manuel A. Fernandez Montecelo <manuel.montezelo at gmail.com>:
> Hi Silvio,
>
> [removing debian-*@l.d.o from destinations, adding pkg-sdl-maintainers]
>
> 2012/7/2 Silvio Cesare <silvio.cesare at gmail.com>:
>> Hi,
>>
>> I have been working on a tool called Clonewise
>> (http://www.github.com/silviocesare/Clonewise and [URL REMOVED])
>> to automatically identify code copies in Linux and try to infer if any of
>> these code copies are causing security issues because they haven't been
>> updated. The goal is for the Debian security team to use Clonewise to find
>> bugs and track code copies. Clonewise has found tens of bugs in the past,
>> but I'm using some different approaches and code to what I've done in the
>> past. I'm working on getting it ready for release.
>>
>> I recently ran the tool and cross referenced identified code copies with
>> Debian's security tracking of affected packages by CVE. I did this for all
>> CVEs in 2010, 2011, and 2012.
>>
>> The report can be found here
>> [URL REMOVED]
>>
>> Clonewise reported 138 potentially unfixed code copies related to specific
>> CVEs in 22 packages.
>>
>> Now some of these cases are going to be false positives. From looking at the
>> results, many of the vulns were probably fixed but have not been reported in
>> the security tracker. The report tries to be self explanatory and justify
>> why it thinks it's found a code copy based on the source code being similar.
>> It also tells you which source file has the vuln based on the CVE summary.
>>
>> I will work on going through this report myself, but I thought I'd post it
>> to the list and see if anyone wants to help. If you find false positives, or
>> actual vulnerabilities, please tell me about it so I can tally up the
>> results, and also so I can improve the tool to have fewer false positives in
>> the future. If you think the report is missing something that would make it
>> easier to read, be sure to tell me.
>>
>> Thanks,
>>
>> Silvio Cesare
>> Deakin University
>> [URL REMOVED]
>
> Thanks for your work.  I think that ia32-libs is on its way out of
> Debian archives, but somebody will tell you.
>
> I'm especially interested in the ones for the sdl-mixer1.2 package.  Can you
> please provide more information about it?  Affected versions, files in
> the source package, chunks of code where the problem actually lies,
> etc...
>
>
> Cheers.
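The audit Silvio describes has two halves: decide that a package carries an embedded copy of a library because its source files are similar to the library's, then cross-reference the embedding packages against the security tracker's per-CVE package list and look at the file the CVE summary names. The following is an added example written for this archive page, not Clonewise's code and not anything from the report; it uses token-shingle Jaccard similarity as a stand-in for whatever similarity measure Clonewise actually uses. The library "libfoo", the packages "gamea", "toolb" and "unrelated", the CVE record "CVE-EXAMPLE-0001" and all source text are constructed placeholders, and the tracker is a hand-written dict rather than the real Debian security tracker. It also shows the false-positive class mentioned above: an embedded copy that already carries the fix but is not listed in the tracker.

```python
"""Toy embedded-copy audit (added example; not Clonewise, not the report)."""
import re
from typing import Dict, List, Set, Tuple

Source = Dict[str, str]  # path -> file contents

# Constructed upstream library, current release (vulnerable file already fixed).
LIBFOO_CURRENT: Source = {
    "src/parse.c": (
        "#include <string.h>\n"
        "int foo_parse(const char *input, char *out)\n"
        "{\n"
        "    char buf[64];\n"
        "    if (strlen(input) >= sizeof buf)\n"
        "        return -1;\n"
        "    strcpy(buf, input);\n"
        "    return foo_decode(buf, out);\n"
        "}\n"),
    "src/util.c": (
        "int foo_add(int a, int b)\n{\n    return a + b;\n}\n"
        "int foo_mul(int a, int b)\n{\n    return a * b;\n}\n"),
}
PARSE_C_VULNERABLE = (  # constructed: the same file before the fix (unbounded strcpy)
    "#include <string.h>\n"
    "int foo_parse(const char *input, char *out)\n"
    "{\n"
    "    char buf[64];\n"
    "    strcpy(buf, input); /* no length check */\n"
    "    return foo_decode(buf, out);\n"
    "}\n")

# Constructed packages: two embed libfoo under their own paths, one is unrelated.
PACKAGES: Dict[str, Source] = {
    "gamea": {"third_party/foo/parse.c": PARSE_C_VULNERABLE,
              "third_party/foo/util.c": LIBFOO_CURRENT["src/util.c"]},
    "toolb": {"ext/foo_parse.c": "#include <stdio.h>\n" + LIBFOO_CURRENT["src/parse.c"],
              "ext/foo_util.c": LIBFOO_CURRENT["src/util.c"]},
    "unrelated": {"hash.c": (
        "static unsigned djb(const unsigned char *s, unsigned n)\n{\n"
        "    unsigned h = 5381;\n    while (n--)\n        h = h * 33 ^ *s++;\n"
        "    return h;\n}\n")},
}

# Constructed stand-in for the security tracker: the file the CVE summary points
# at, that file before and after the fix, and the packages already tracked.
CVES = [{"id": "CVE-EXAMPLE-0001", "library": "libfoo", "file": "src/parse.c",
         "vulnerable": PARSE_C_VULNERABLE, "fixed": LIBFOO_CURRENT["src/parse.c"],
         "tracked": {"libfoo"}}]


def shingles(src: str, k: int = 3) -> Set[Tuple[str, ...]]:
    """Fingerprint C source: strip comments, tokenise, take k-token shingles."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    src = re.sub(r"//[^\n]*", " ", src)
    toks = re.findall(r"[A-Za-z_]\w*|\d+|\S", src)
    return {tuple(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def jaccard(a: Set, b: Set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def find_copies(pkg: Source, lib: Source, threshold: float = 0.4) -> Dict[str, str]:
    """For each library file, the most similar package file above the threshold."""
    copies = {}
    for lfile, lsrc in lib.items():
        lf = shingles(lsrc)
        score, best = max((jaccard(lf, shingles(psrc)), pfile) for pfile, psrc in pkg.items())
        if score >= threshold:
            copies[lfile] = best
    return copies


def audit(packages, libraries, cves) -> List[Tuple[str, str, str, str]]:
    """(package, cve, file, status) for embedded copies the tracker does not list."""
    findings = []
    for pkg, psrc in packages.items():
        for lib, lsrc in libraries.items():
            copies = find_copies(psrc, lsrc)
            if len(copies) < len(lsrc) / 2:  # too little of the library matched
                continue
            for cve in cves:
                if cve["library"] != lib or pkg in cve["tracked"]:
                    continue
                pfile = copies.get(cve["file"])
                if pfile is None:
                    findings.append((pkg, cve["id"], "?", "copy found, vulnerable file not located"))
                    continue
                # Compare the embedded file against both the vulnerable and the
                # fixed upstream text: closer to the fix means a tracker gap, not a bug.
                cur = shingles(psrc[pfile])
                vuln = jaccard(cur, shingles(cve["vulnerable"]))
                fixed = jaccard(cur, shingles(cve["fixed"]))
                status = "likely unfixed" if vuln > fixed else "appears fixed, tracker has no entry"
                findings.append((pkg, cve["id"], pfile, status))
    return findings


if __name__ == "__main__":
    for row in audit(PACKAGES, {"libfoo": LIBFOO_CURRENT}, CVES):
        print(*row, sep="\t")
```

On real input the per-file comparison against the fixed text is what separates a genuine unfixed copy from the "fixed but not recorded in the tracker" case; the threshold and shingle size here are arbitrary choices for the constructed sources and would need tuning against real packages.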
