Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies

Manuel A. Fernandez Montecelo manuel.montezelo at
Mon Jul 2 10:43:25 UTC 2012

Replying again, it seems that spam filters don't like the URL...  You
can read the original message in:

2012/7/2 Manuel A. Fernandez Montecelo <manuel.montezelo at>:
> Hi Silvio,
> [removing debian-*@l.d.o from destinations, adding pkg-sdl-maintainers]
> 2012/7/2 Silvio Cesare <silvio.cesare at>:
>> Hi,
>> I have been working on a tool called Clonewise
>> ( and [URL REMOVED])
>> to automatically identify code copies in Linux and try to infer if any of
>> these code copies are causing security issues because they haven't been
>> updated. The goal is for the Debian's security team to use Clonewise to find
>> bugs and track code copies. Clonewise has found tens of bugs in the past,
>> but I'm using some different approaches and code to what I've done in the
>> past. I'm working on getting it ready for release.
>> I recently ran the tool and cross referenced identified code copies with
>> Debian's security tracking of affected packages by CVE. I did this for all
>> CVEs in 2010, 2011, and 2012.
>> The report can be found here
>> Clonewise reported 138 potentially unfixed code copies related to specific
>> CVEs in 22 packages.
>> Now some of these cases are going to be false positives. From looking at the
>> results, many of the vulns were probably fixed but have not been reported in
>> the security tracker. The report tries to be self explanatory and justify
>> why it thinks it's found a code copy based on the source code being similar.
>> It also tells you which source file has the vuln based on the CVE summary.
>> I will work on going through this report myself, but I thought I'd post it
>> to the list and see if anyone wants to help. If you find false positives, or
>> actual vulnerabilities, please tell me about it so I can tally up the
>> results, and also so I can improve the tool to have fewer false positives in
>> the future. If you think the report is missing something that would make it
>> easier to read, be sure to tell me.
>> Thanks,
>> Silvio Cesare
>> Deakin University
> Thanks for your work.  I think that ia32-libs is on its way out of
> Debian archives, but somebody will tell you.
> I'm especially interested in the ones of sdl-mixer1.2 package.  Can you
> please provide more information about it?  Affected versions, files in
> the source package, chunks of code where the problem actually lies,
> etc...
> Cheers.
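
As an added illustration of the approach Silvio describes above (find code copies by source similarity, work out from the CVE summary which file carries the bug, then check whether the embedding package is recorded as affected in the security tracker), here is a small Python example written for this page. It is not Clonewise's code, and the package names, file paths, C snippets, CVE identifier and tracker entries are all constructed for the example.

```python
import os
import re
from collections import Counter

# Tokeniser for C-like source. Comments are stripped first so that a copy
# which only gained a vendor header or was re-indented still matches.
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|>=|<=|==|!=|[^\s\w]")


def tokens(src):
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    src = re.sub(r"//[^\n]*", " ", src)
    return TOKEN_RE.findall(src)


def similarity(a, b):
    """Jaccard similarity of two sources over token multisets, 0.0 .. 1.0."""
    ca, cb = Counter(tokens(a)), Counter(tokens(b))
    union = sum((ca | cb).values())
    return sum((ca & cb).values()) / union if union else 0.0


def find_code_copies(packages, upstreams, threshold=0.8):
    """packages: {pkg: {path: source}}; upstreams: packages whose files are
    searched for inside every other package. One record per similar file."""
    copies = []
    for up in upstreams:
        for up_path, up_src in packages[up].items():
            for pkg, files in packages.items():
                if pkg in upstreams:
                    continue
                for path, src in files.items():
                    score = similarity(up_src, src)
                    if score >= threshold:
                        copies.append({"package": pkg, "file": path,
                                       "upstream": up, "upstream_file": up_path,
                                       "similarity": round(score, 2)})
    return copies


def files_in_summary(summary):
    """Pull source file names out of a CVE summary ('... in imgdec_read.c ...')."""
    return set(re.findall(r"\b[\w.-]+\.(?:c|cc|cpp|h)\b", summary))


def cross_reference(copies, cves, tracker):
    """Report a copy of a file named in a CVE summary when the embedding
    package is missing from the tracker's affected list for that CVE."""
    reports = []
    for cve in cves:
        vuln_files = files_in_summary(cve["summary"])
        for c in copies:
            if c["upstream"] != cve["package"]:
                continue
            if os.path.basename(c["upstream_file"]) not in vuln_files:
                continue
            if c["package"] in tracker.get(cve["id"], set()):
                continue
            reports.append({"cve": cve["id"], "package": c["package"],
                            "file": c["file"], "upstream": c["upstream"],
                            "similarity": c["similarity"]})
    return reports


# Constructed sample data (hypothetical packages, file and CVE id).
FIXED = """
/* libimgdec upstream, after the fix */
int read_chunk(unsigned char *buf, unsigned int len) {
    unsigned char tmp[64];
    if (len >= sizeof(tmp)) return -1;
    memcpy(tmp, buf, len);
    return process(tmp, len);
}
"""
VULNERABLE = FIXED.replace(">=", ">")  # the pre-fix off-by-one bound check

PACKAGES = {
    "libimgdec":    {"src/imgdec_read.c": FIXED},
    "game-engine":  {"third_party/imgdec/imgdec_read.c": VULNERABLE},  # stale copy
    "media-player": {"ext/imgdec_read.c": "// vendored, patched\n" + FIXED},  # patched copy
    "archiver":     {"lib/imgdec_read.c": VULNERABLE},  # stale, but listed in the tracker
    "unrelated":    {"main.c": "int main(void) { return 0; }"},
}
CVES = [{"id": "CVE-0000-0001", "package": "libimgdec",
         "summary": "Off-by-one in read_chunk in src/imgdec_read.c in libimgdec "
                    "allows a crafted file to overflow a stack buffer."}]
# Tracker view: which packages are recorded as affected by each CVE.
TRACKER = {"CVE-0000-0001": {"libimgdec", "archiver"}}


def run_report():
    copies = find_code_copies(PACKAGES, {"libimgdec"})
    return cross_reference(copies, CVES, TRACKER)


if __name__ == "__main__":
    for r in run_report():
        print("%(cve)s: %(package)s ships %(file)s (copy of %(upstream)s, "
              "similarity %(similarity)s) but is not in the tracker" % r)
```

Running it reports game-engine (a genuinely stale copy) and media-player (a copy that already carries the fix but is not recorded in the tracker); archiver is skipped because the tracker lists it. The media-player hit is exactly the false-positive class Silvio mentions: similarity alone cannot tell a patched copy from an unpatched one, so each hit still needs a diff against the upstream fix or a maintainer's confirmation before it is counted as a real vulnerability.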
