Hi Andrew, hi all,

> I understand that Debian has a bunch of vulnerabilities as described in
> the following PDF.
>
> http://pdos.csail.mit.edu/~xi/papers/stack-sosp13.pdf
>
> Just a small quote:
>
> "This paper presents the first systematic approach for
> reasoning about and detecting unstable code. We implement
> this approach in a static checker called Stack, and
> use it to show that unstable code is present in a wide
> range of systems software, including the Linux kernel and
> the Postgres database. We estimate that unstable code
> exists in 40% of the 8,575 Debian Wheezy packages that
> contain C/C++ code. We also show that compilers are
> increasingly taking advantage of undefined behavior for
> optimizations, leading to more vulnerabilities related to
> unstable code."

This should be taken with a grain of salt. (I'm doing research in the area of automated software analysis myself.)

It clearly is a well-written paper with a nice tool. Yet "unstable code" results from code that would otherwise be considered bogus anyway (they give a nice list in Figure 3 in their paper), thus it is not necessarily the case that compilers introduce completely new bugs - they just might make the existing ones worse.

The use of the term "vulnerabilities" could be very misleading here: not all bugs yield security issues - many of them might just lead to unexpected behaviour, and not be exploitable to gain elevated privileges or the like.

Consider the fact that Debian's source packages contain more than 200 million lines of code. If we trust Steve McConnell's "Code Complete" book, industry average lies at 15-50 errors per 1000 lines of code, which is more than 1 in 100 lines. In a very simplified way of reasoning, I'd dare to conclude that at least 2 million further bugs remain to be discovered.

> This looks very serious indeed, but a quick search of Debian mailing
> lists didn't show anything being acknowledged for this issue.... should
> Debian users be concerned?

Probably not more than before, but as much as always: you are using code that hasn't been proved to be correct. But with open-source software at least you know what code you are using, and which bugs are being found.

Hope this helps,
Michael
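Added example, not part of the message above and not code from the Stack paper: the kind of "unstable code" the thread is about, shown as a signed-overflow bounds check that is itself undefined behaviour, next to a version that stays well-defined under every optimisation level. The function names in_bounds_unstable, in_bounds_safe and copy_field, and the sample buffer, are invented for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical helpers (not from the message or the paper).
 *
 * Task: decide whether the byte range [off, off+len) lies inside a buffer
 * of `size` bytes, where all three values are non-negative ints that come
 * from untrusted input (a file header, a network packet, ...).
 */

/* Unstable version. Signed overflow is undefined behaviour in C, so the
 * compiler may assume `off + len` never wraps. Under that assumption the
 * test `end < off` can never be true, and an optimising compiler is
 * entitled to delete it. Unoptimised builds usually keep the wrap-around
 * check and appear to work; optimised builds may not. The code was already
 * bogus (it relies on wrap-around the language does not promise); the
 * optimiser just makes the bug observable. */
bool in_bounds_unstable(int off, int len, int size)
{
    if (off < 0 || len < 0 || size < 0)
        return false;
    int end = off + len;       /* undefined when off + len > INT_MAX */
    if (end < off)             /* may be optimised away */
        return false;
    return end <= size;
}

/* Hardened version. The overflow is tested before it can happen, using
 * only well-defined arithmetic (INT_MAX - off cannot underflow because
 * off >= 0 at that point). Nothing here is undefined, so the compiler has
 * no licence to remove any of it. */
bool in_bounds_safe(int off, int len, int size)
{
    if (off < 0 || len < 0 || size < 0)
        return false;
    if (len > INT_MAX - off)   /* off + len would overflow */
        return false;
    return off + len <= size;
}

/* Copy `len` bytes starting at `off` out of `buf` into `out` after the
 * well-defined bounds check. Returns the number of bytes copied, or -1
 * if the requested range is not inside the buffer or does not fit `out`. */
int copy_field(const unsigned char *buf, int size, int off, int len,
               unsigned char *out, int out_size)
{
    if (!in_bounds_safe(off, len, size) || len > out_size)
        return -1;
    for (int i = 0; i < len; i++)
        out[i] = buf[off + i];
    return len;
}

int main(void)
{
    /* Constructed sample buffer standing in for an untrusted header. */
    const unsigned char buf[] = "0123456789abcdef";
    const int size = (int)sizeof buf - 1;   /* drop the terminating NUL */
    unsigned char out[16];

    /* Attacker-chosen offset/length that wrap in 32-bit signed arithmetic:
     * off + len == INT_MAX + 1. */
    int off = INT_MAX, len = 1;

    printf("safe    : %d\n", copy_field(buf, size, off, len, out, (int)sizeof out));
    printf("unstable: %s\n",
           in_bounds_unstable(off, len, size) ? "accepts" : "rejects");
    return 0;
}
```

Compile this twice, say with `gcc -O0` and `gcc -O2`, and compare the "unstable" line: whether the wrap-around check survives is the optimiser's decision, and that is exactly the sense in which the first function is unstable. The hardened form returns the same answer at every optimisation level; `-fsanitize=undefined` reports the overflow in the first form at run time.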