Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies


I have been working on a tool called Clonewise (http://www.github.com/silviocesare/Clonewise and http://www.FooCodeChu.com) to automatically identify code copies in Linux and try to infer if any of these code copies are causing security issues because they haven't been updated. The goal is for the Debian security team to use Clonewise to find bugs and track code copies. Clonewise has found tens of bugs in the past, but I'm using some different approaches and code from what I've done in the past. I'm working on getting it ready for release.

I recently ran the tool and cross-referenced identified code copies with Debian's security tracking of affected packages by CVE. I did this for all CVEs in 2010, 2011, and 2012.

The report can be found here: http://www.foocodechu.com/downloads/Clonewise-report.txt

Clonewise reported 138 potentially unfixed code copies related to specific CVEs in 22 packages.

Now some of these cases are going to be false positives. From looking at the results, many of the vulns were probably fixed but have not been reported in the security tracker. The report tries to be self-explanatory and justify why it thinks it's found a code copy based on the source code being similar. It also tells you which source file has the vuln based on the CVE summary.
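The cross-reference step described above, as an added example that is not Clonewise's own code: detected code copies are joined against a CVE tracker, and a copy is flagged as potentially unfixed when the CVE is recorded against the embedded library but the tracker has no entry at all for the package embedding it. The package names, CVE ids, similarity scores and the tracker layout are all constructed for the example.

```python
# Added example (not Clonewise's own code): cross-reference detected code
# copies with a CVE tracker to flag embedded copies the tracker never lists.
# Package names, CVE ids, scores and the tracker format are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class CodeCopy:
    embedding_pkg: str   # package that ships a private copy of the library
    library_pkg: str     # upstream package the copy was cloned from
    similarity: float    # fraction of shared source files, 0..1

# Constructed tracker: CVE -> {source package: status}. Any status ("fixed",
# "open", "not-affected") means the tracker has evaluated that package for
# the CVE; a package absent from the dict was never evaluated for it.
TRACKER = {
    "CVE-0000-0001": {"libfoo": "fixed", "app-a": "fixed"},
    "CVE-0000-0002": {"libfoo": "fixed"},
    "CVE-0000-0003": {"libbar": "open", "app-b": "not-affected"},
}

# Constructed Clonewise-style output: (embedding package, library, score).
COPIES = [
    CodeCopy("app-a", "libfoo", 0.93),
    CodeCopy("app-b", "libfoo", 0.88),
    CodeCopy("app-b", "libbar", 0.71),
    CodeCopy("app-c", "libbar", 0.35),   # weak match, below threshold
]

def potentially_unfixed(copies, tracker, min_similarity=0.5):
    """Return (cve, embedding_pkg, library_pkg) triples where the CVE is
    recorded against the library but the tracker has no entry for the
    package embedding a copy of it. These are only *potentially* unfixed:
    the embedding package may have patched its copy without the tracker
    recording it, which is exactly the false-positive class to triage."""
    hits = []
    for copy in copies:
        if copy.similarity < min_similarity:
            continue   # too little shared source to call it a code copy
        for cve, statuses in sorted(tracker.items()):
            if copy.library_pkg in statuses and copy.embedding_pkg not in statuses:
                hits.append((cve, copy.embedding_pkg, copy.library_pkg))
    return hits

def affected_packages(hits):
    """Distinct embedding packages with at least one potentially unfixed CVE."""
    return sorted({pkg for _, pkg, _ in hits})

if __name__ == "__main__":
    for cve, pkg, lib in potentially_unfixed(COPIES, TRACKER):
        print(f"{cve}: {pkg} embeds {lib}, no tracker entry for {pkg}")
```

Each hit still needs a human check against the embedding package's own changelog, since a silently patched copy looks identical to an unpatched one from the tracker's point of view.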

I will work on going through this report myself, but I thought I'd post it to the list and see if anyone wants to help. If you find false positives, or actual vulnerabilities, please tell me about it so I can tally up the results, and also so I can improve the tool to have fewer false positives in the future. If you think the report is missing something that would make it easier to read, be sure to tell me.


Silvio Cesare
Deakin University

