Linux Archive


Silvio Cesare 07-02-2012 08:53 AM

Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
 
Hi,
I have been working on a tool called Clonewise (http://www.github.com/silviocesare/Clonewise and http://www.FooCodeChu.com) to automatically identify code copies in Linux and try to infer if any of these code copies are causing security issues because they haven't been updated. The goal is for Debian's security team to use Clonewise to find bugs and track code copies. Clonewise has found tens of bugs in the past, but I'm using some different approaches and code to what I've done in the past. I'm working on getting it ready for release.

I recently ran the tool and cross-referenced identified code copies with Debian's security tracking of affected packages by CVE. I did this for all CVEs in 2010, 2011, and 2012.

The report can be found here: http://www.foocodechu.com/downloads/Clonewise-report.txt

Clonewise reported 138 potentially unfixed code copies related to specific CVEs in 22 packages.
Now some of these cases are going to be false positives. From looking at the results, many of the vulns were probably fixed but have not been reported in the security tracker. The report tries to be self explanatory and justify why it thinks it's found a code copy based on the source code being similar. It also tells you which source file has the vuln based on the CVE summary.

I will work on going through this report myself, but I thought I'd post it to the list and see if anyone wants to help. If you find false positives, or actual vulnerabilities, please tell me about it so I can tally up the results, and also so I can improve the tool to have fewer false positives in the future. If you think the report is missing something that would make it easier to read, be sure to tell me.

Thanks,
Silvio Cesare
Deakin University
http://www.FooCodeChu.com

Bernd Zeimetz 07-02-2012 10:27 AM

Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
 
On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> Hi,
> [ ... ]
> Now some of these cases are going to be false positives. From looking at
> the results, many of the vulns were probably fixed but have not been
> reported in the security tracker. The report tries to be self
> explanatory and justify why it thinks it's found a code copy based on
> the source code being similar. It also tells you which source file has
> the vuln based on the CVE summary.

The ia32-libs stuff are all false positives (assuming the package was
updated after the security fixes came out, I'm not 100% sure about that
:) And the openssl source is expected to contain the openssl source.

Otherwise I think it might be worth integrating such a check into the
QA tools Debian runs regularly.

Thanks for your work!

Cheers,

Bernd



--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4FF1777A.6050704@bzed.de

Bastian Blank 07-02-2012 10:38 AM

Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
 
On Mon, Jul 02, 2012 at 06:53:54PM +1000, Silvio Cesare wrote:
> I recently ran the tool and cross referenced identified code copies with
> Debian's security tracking of affected packages by CVE. I did this for all
> CVEs in 2010, 2011, and 2012.

Can this tool be used to identify all code copies, regardless of CVE?

Bastian

--
Insults are effective only where emotion is present.
-- Spock, "Who Mourns for Adonais?" stardate 3468.1


Archive: http://lists.debian.org/20120702103844.GB24474@wavehammer.waldi.eu.org

Silvio Cesare 07-02-2012 11:38 AM

Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
 
Last I checked, ia32-libs on squeeze didn't have the openssl patches for 0.9.8. I may have to check more thoroughly to be sure. It might have some other vulns as well.
--Silvio


On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz <bernd@bzed.de> wrote:
> On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> > Hi,
> > [ ... ]
> > Now some of these cases are going to be false positives. From looking at
> > the results, many of the vulns were probably fixed but have not been
> > reported in the security tracker. The report tries to be self
> > explanatory and justify why it thinks it's found a code copy based on
> > the source code being similar. It also tells you which source file has
> > the vuln based on the CVE summary.
>
> The ia32-libs stuff are all false positives (assuming the package was
> updated after the security fixes came out, I'm not 100% sure about that
> :) And the openssl source is expected to contain the openssl source.
>
> Otherwise I think it might be worth integrating such a check into the
> QA tools Debian runs regularly.
>
> Thanks for your work!
>
> Cheers,
>
> Bernd
>
> --
> Bernd Zeimetz                              Debian GNU/Linux Developer
> http://bzed.de                                   http://www.debian.org
> GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

"Thijs Kinkhorst" 07-02-2012 12:36 PM

Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
 
On Mon, July 2, 2012 13:38, Silvio Cesare wrote:
> On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz <bernd@bzed.de> wrote:

>> The ia32-libs stuff are all false positives (assuming the package was
>> updated after the security fixes came out, I'm not 100% sure about that
>> :) And the openssl source is expected to contain the openssl source.

> Last I checked, ia32-libs on squeeze didn't have the openssl patches for
> 0.9.8. I may have to check more thoroughly to be sure.

Yes. ia32-libs is usually only updated shortly before stable point
releases, so there's commonly a small delta of security updates that have
not been incorporated into it, yet. This is hence 'expected'.


Cheers,
Thijs


Archive: http://lists.debian.org/0b3925476909d758f14bd272308c641a.squirrel@wm.kinkhorst.nl

Paul Wise 07-02-2012 03:02 PM

Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
 
On Mon, Jul 2, 2012 at 4:38 AM, Bastian Blank wrote:

> Can this tool be used to identify all code copies, regardless of CVE?

Indeed, we plan to run it over the whole archive on a regular basis
and link to the results from the PTS.

Silvio, thanks a lot for your work, I'm looking forward to sponsoring clonewise!

--
bye,
pabs

http://wiki.debian.org/PaulWise


Archive: http://lists.debian.org/CAKTje6HxYsN16ubYHR4vr2L9z=f6L20uRMJ-FYmmtowLMQzF-Q@mail.gmail.com

Michael Gilbert 07-02-2012 09:43 PM

Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
 
On Mon, Jul 2, 2012 at 1:59 PM, Petter Reinholdtsen wrote:
>
> [Silvio Cesare]
>> I recently ran the tool and cross referenced identified code copies with
>> Debian's security tracking of affected packages by CVE. I did this for all
>> CVEs in 2010, 2011, and 2012.
>
> This sounds like a job that could become a bit easier if we tagged
> Debian packages with the CPE ids associated with CVEs, to make it
> easier to figure out which Debian packages are affected by a given CVE.
>
> Are you aware of my proposal to do this, mentioned on debian-security
> and also drafted on <URL: http://wiki.debian.org/CPEtagPackagesDep >?

Does this actually cover embedded code copies? The spec probably
needs to get something like an "XBS-Embeds-Source-From-CPE" tag for
that.

Even so, do you think maintainers are really going to go through the
trouble to keep these tags accurately populated? I suppose it's worth
it to try, but I have my doubts. Inaccurate information can be worse
than no information. At least with embedded-code-copies, we have a
centralized record that's kept up to date by security-involved people.

Best wishes,
Mike


Archive: http://lists.debian.org/CANTw=MNq6=9rBjjcM-CvkB13v8S=V1VA12yDT_R-eS1qu5XhoA@mail.gmail.com

Petter Reinholdtsen 07-02-2012 09:59 PM

Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
 
[Michael Gilbert]
>> Are you aware of my proposal to do this, mentioned on debian-security
>> and also drafted on <URL: http://wiki.debian.org/CPEtagPackagesDep >?
>
> Does this actually cover embedded code copies? The spec probably
> needs to get something like an "XBS-Embeds-Source-From-CPE" tag for
> that.

I did not have embedded code copies in mind when I wrote the draft, but
it would be handled by just listing both the upstream CPE and the embedded
CPE separated with commas.

> Even so, do you think maintainers are really going to go through the
> trouble to keep these tags accurately populated? I suppose it's worth
> it to try, but I have my doubts. Inaccurate information can be worse
> than no information. At least with embedded-code-copies, we have a
> centralized record that's kept up to date by security-involved people.

I suspect it will be done if we can provide mechanisms that make it
useful for the maintainers to include the CPE codes and keep them
updated.

One idea would be to automatically show all CVEs that might affect the
package on the packages.qa.debian.org page, to make it easier to track
security issues. I hope to come up with other and perhaps better ideas
to motivate people to provide CPE codes with the packages.
--
Happy hacking
Petter Reinholdtsen


Archive: http://lists.debian.org/20120702215911.GD32020@ulrik.uio.no
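The cross-check Silvio ran by hand (code copies versus the tracker's list of affected packages) and the CPE-tagging idea Petter and Michael discuss, as an added illustration that is not Clonewise, tracker code or a deployed Debian field: packages declare their upstream CPE and the CPEs of embedded copies in comma-separated fields (the names `XBS-Upstream-CPE` and `XBS-Embeds-Source-From-CPE` are hypothetical, following the thread), and the script lists, per CVE, the embedding packages the tracker does not yet record. The control stanzas, CVE ids and tracker state are constructed.

```python
from collections import defaultdict

# Constructed debian/control-style stanzas. The XBS-* field names are hypothetical
# (taken from this thread's proposal), and the packages and CPEs are made up.
CONTROL = """\
Package: libfoo
XBS-Upstream-CPE: cpe:/a:foo_project:libfoo

Package: barapp
XBS-Upstream-CPE: cpe:/a:bar_project:barapp
XBS-Embeds-Source-From-CPE: cpe:/a:foo_project:libfoo, cpe:/a:zlib:zlib

Package: ia32-libs
XBS-Embeds-Source-From-CPE: cpe:/a:openssl:openssl,cpe:/a:zlib:zlib
"""

# Constructed CVE feed (CVE -> affected CPEs) and the tracker's current view of
# affected source packages, which typically lags behind for embedded copies.
CVES = {"CVE-2012-0001": ["cpe:/a:foo_project:libfoo"],
        "CVE-2012-0002": ["cpe:/a:zlib:zlib"]}
TRACKER = {"CVE-2012-0001": {"libfoo"}, "CVE-2012-0002": set()}

def _split_cpes(value):
    return [c.strip() for c in value.split(",") if c.strip()]  # tolerate spaces

def parse_control(text):
    """Return {package: {"upstream": [cpes], "embeds": [cpes]}} from control stanzas."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = {k.strip(): v.strip() for k, _, v in (line.partition(":") for line in stanza.splitlines())}
        pkgs[fields["Package"]] = {
            "upstream": _split_cpes(fields.get("XBS-Upstream-CPE", "")),
            "embeds": _split_cpes(fields.get("XBS-Embeds-Source-From-CPE", "")),
        }
    return pkgs

def untracked_embedded(cves, tracker, pkgs):
    """Per CVE: packages reached through an embedded copy that the tracker omits."""
    by_cpe = defaultdict(set)                      # cpe -> packages embedding it
    for name, info in pkgs.items():
        for cpe in info["embeds"]:
            by_cpe[cpe].add(name)
    report = {}
    for cve, cpes in cves.items():
        hits = set().union(*(by_cpe.get(c, set()) for c in cpes))
        missing = sorted(hits - tracker.get(cve, set()))
        if missing:                                # only CVEs with an untracked copy
            report[cve] = missing
    return report
```

Packages whose own upstream CPE matches are left to the tracker; the report is the delta for embedded copies only, which is the gap this thread is about.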

Goswin von Brederlow 07-17-2012 01:14 PM

Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
 
On Mon, Jul 02, 2012 at 12:27:06PM +0200, Bernd Zeimetz wrote:
> On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> > Hi,
> > [ ... ]
> > Now some of these cases are going to be false positives. From looking at
> > the results, many of the vulns were probably fixed but have not been
> > reported in the security tracker. The report tries to be self
> > explanatory and justify why it thinks it's found a code copy based on
> > the source code being similar. It also tells you which source file has
> > the vuln based on the CVE summary.
>
> The ia32-libs stuff are all false positives (assuming the package was
> updated after the security fixes came out, I'm not 100% sure about that
> :) And the openssl source is expected to contain the openssl source.
>
> Otherwise I think it might be worth integrating such a check into the
> QA tools Debian runs regularly.
>
> Thanks for your work!
>
> Cheers,
>
> Bernd

Just FYI: the ia32-libs nightmare for security will end in wheezy.

I'm afraid till then ia32-libs remains (security) buggy a lot of the time.
Updates are done rarely, and only before a point release and fixing >50
security bugs all together at that time in such an update isn't unheard of.

The changelog contains the relevant parts of the included sources changelogs
including BTS bug number and CVE numbers if you want to check. It also
contains a list of source packages + versions for easier comparison of
open issues.

Unfortunately the existing code duplication automatism the security
team has is not up to the task of handling ia32-libs so the package
never got the automated tracking of issues other code duplication has.

Anyway, it will soon be gone... any second now... only took 10+ years... :)

MfG
Goswin


Archive: http://lists.debian.org/20120717131424.GC23876@frosties

Henri Salo 09-29-2012 08:22 PM

Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies
 
On Mon, Jul 02, 2012 at 07:59:26PM +0200, Petter Reinholdtsen wrote:
> [Silvio Cesare]
> > I recently ran the tool and cross referenced identified code copies with
> > Debian's security tracking of affected packages by CVE. I did this for all
> > CVEs in 2010, 2011, and 2012.
>
> This sounds like a job that could become a bit easier if we tagged
> Debian packages with the CPE ids associated with CVEs, to make it
> easier to figure out which Debian packages are affected by a given CVE.
>
> Are you aware of my proposal to do this, mentioned on debian-security
> and also drafted on <URL: http://wiki.debian.org/CPEtagPackagesDep >?
> --
> Happy hacking
> Petter Reinholdtsen

Has there been any progress with this project? I am glad to help if there is something I can do. This is needed in my opinion.

- Henri Salo


Archive: http://lists.debian.org/20120929202243.GA12772@kludge.henri.nerv.fi
