Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
Manuel A. Fernandez Montecelo
manuel.montezelo at gmail.com
Mon Jul 2 10:43:25 UTC 2012
Replying again, it seems that spam filters don't like the URL... You
can read the original message in:
2012/7/2 Manuel A. Fernandez Montecelo <manuel.montezelo at gmail.com>:
> Hi Silvio,
> [removing email@example.com from destinations, adding pkg-sdl-maintainers]
> 2012/7/2 Silvio Cesare <silvio.cesare at gmail.com>:
>> I have been working on a tool called Clonewise
>> (http://www.github.com/silviocesare/Clonewise and [URL REMOVED])
>> to automatically identify code copies in Linux and try to infer if any of
>> these code copies are causing security issues because they haven't been
>> updated. The goal is for the Debian security team to use Clonewise to find
>> bugs and track code copies. Clonewise has found tens of bugs in the past,
>> but I'm using some different approaches and code to what I've done in the
>> past. I'm working on getting it ready for release.
>> I recently ran the tool and cross referenced identified code copies with
>> Debian's security tracking of affected packages by CVE. I did this for all
>> CVEs in 2010, 2011, and 2012.
>> The report can be found here
>> [URL REMOVED]
>> Clonewise reported 138 potentially unfixed code copies related to specific
>> CVEs in 22 packages.
>> Now some of these cases are going to be false positives. From looking at the
>> results, many of the vulns were probably fixed but have not been reported in
>> the security tracker. The report tries to be self explanatory and justify
>> why it thinks it's found a code copy based on the source code being similar.
>> It also tells you which source file has the vuln based on the CVE summary.
>> I will work on going through this report myself, but I thought I'd post it
>> to the list and see if anyone wants to help. If you find false positives, or
>> actual vulnerabilities, please tell me about it so I can tally up the
>> results, and also so I can improve the tool to have fewer false positives in
>> the future. If you think the report is missing something that would make it
>> easier to read, be sure to tell me.
>> Silvio Cesare
>> Deakin University
>> [URL REMOVED]
> Thanks for your work. I think that ia32-libs is on its way out of
> Debian archives, but somebody will tell you.
> I'm especially interested in the ones for the sdl-mixer1.2 package. Can you
> please provide more information about it? Affected versions, files in
> the source package, chunks of code where the problem actually lies,
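The cross-referencing step Silvio's report describes (a package carries an embedded copy of a library, the security tracker lists the upstream library as affected by a CVE, but the embedding package is not listed, so the copy may be unfixed), written out as an added example. This is not code from the original e-mail nor from Clonewise; the package names, CVE identifiers, tracker entries, CVE summaries and shared file lists below are all constructed for illustration. The file-name extraction from the CVE summary is a plain regular expression, an assumption about one way to do what the post says the report does.

```python
"""Added example, not part of the original thread or of Clonewise.

Given (a) identified code copies and (b) security-tracker style data of which
source packages are recorded as affected by each CVE, report copies whose
upstream is affected while the embedding package is not.  Such entries are
candidates for an unfixed embedded copy (or, as the post notes, a fix that was
never recorded in the tracker).  All data below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CodeCopy:
    embedding_pkg: str    # source package that ships the copied code
    upstream_pkg: str     # source package the code was copied from
    shared_files: tuple   # file names present in both (the similarity evidence)


# Constructed tracker data: CVE -> source packages recorded as affected.
TRACKER = {
    "CVE-2012-0001": {"libfoo"},
    "CVE-2011-0002": {"libfoo", "app-one"},   # app-one already tracked here
    "CVE-2010-0003": {"libbar"},
}

# Constructed CVE summaries, in the usual "... in <file> in <package> ..." style.
CVE_SUMMARIES = {
    "CVE-2012-0001": "Stack-based buffer overflow in foo_decode.c in libfoo "
                     "before 1.2.3 allows remote attackers to execute code.",
    "CVE-2011-0002": "Integer overflow in foo.h macros in libfoo 1.1 allows "
                     "denial of service via a crafted file.",
    "CVE-2010-0003": "Heap-based buffer overflow in bar_parse.c in libbar 0.9.",
}

# Constructed code-copy findings (hypothetical packages).
COPIES = [
    CodeCopy("app-one", "libfoo", ("foo_decode.c", "foo.h")),
    CodeCopy("app-two", "libfoo", ("foo_decode.c",)),
    CodeCopy("app-three", "libbar", ("bar_parse.c",)),
]

# Source-file tokens as they appear in CVE summaries (assumed naming pattern).
SRC_FILE_RE = re.compile(r"\b[\w.-]+\.(?:c|cc|cpp|h|hpp)\b")


def files_named_in_summary(summary):
    """Source files mentioned in a CVE summary; used to point at the likely
    vulnerable file inside the embedding package."""
    return set(SRC_FILE_RE.findall(summary))


def unfixed_candidates(copies, tracker, summaries, min_shared=1):
    """Return (cve, embedding_pkg, upstream_pkg, [files]) for every copy whose
    upstream is listed as affected by the CVE while the embedding package is
    not.  `files` is the intersection of the files the CVE summary names and
    the files the copy shares with upstream (empty if the summary names none
    of the shared files)."""
    hits = []
    for copy in copies:
        if len(copy.shared_files) < min_shared:
            continue  # too little evidence that this is really a copy
        for cve, affected in sorted(tracker.items()):
            if copy.upstream_pkg in affected and copy.embedding_pkg not in affected:
                named = files_named_in_summary(summaries.get(cve, ""))
                hits.append((cve, copy.embedding_pkg, copy.upstream_pkg,
                             sorted(named & set(copy.shared_files))))
    return hits


def render_report(hits):
    """One justification line per candidate, in the spirit of the posted report."""
    lines = []
    for cve, emb, ups, files in hits:
        where = ", ".join(files) if files else "(file not named in summary)"
        lines.append(f"{cve}: {emb} embeds {ups}; tracker lists {ups} but not "
                     f"{emb}; look at {where}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(unfixed_candidates(COPIES, TRACKER, CVE_SUMMARIES)))
```

Note that a hit only means the tracker has no record for the embedding package: as the post says, many such entries turn out to be copies that were patched without the tracker being updated, so each one still needs a look at the actual source in the embedding package.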