Re: Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
On Mon, Jul 02, 2012 at 12:27:06PM +0200, Bernd Zeimetz wrote:
> On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> > Hi,
> > [ ... ]
> > Now some of these cases are going to be false positives. From looking at
> > the results, many of the vulns were probably fixed but have not been
> > reported in the security tracker. The report tries to be self
> > explanatory and justify why it thinks it's found a code copy based on
> > the source code being similar. It also tells you which source file has
> > the vuln based on the CVE summary.
> The ia32-libs stuff are all false positives (assuming the package was
> updated after the security fixes came out, I'm not 100% sure about that
> :) And the openssl source is expected to contain the openssl source.
> Otherwise I think it might be worth to integrate such a check into the
> qa tools Debian runs regularly.
> Thanks for your work!
Just FYI: the ia32-libs nightmare for security will end in wheezy.
I'm afraid till then ia32-libs remain (security) buggy a lot of the time.
Updates are done rarely, and only before a point release and fixing >50
security bugs all together at that time in such an update isn't unheard of.
The changelog contains the relevant parts of the included sources changelogs
including BTS bug number and CVE numbers if you want to check. It also
contains a list of source packages + versions for easier comparison of
Unfortunately the existing code duplication automatism the security
team has is not up to the task of handling ia32-libs so the package
never got the automated tracking of issues other code duplication has.
Anyway, it will soon be gone... any second now... only took 10+ years... :)