[Henri Salo]
> Has there been any progress with this project? I am glad to help if
> there is something I can do? This is needed in my opinion.
You could try to run the scripts I created in the debian-security svn
repository, and see how they could be improved. I have not had time
to work much on
On Mon, Jul 02, 2012 at 07:59:26PM +0200, Petter Reinholdtsen wrote:
> [Silvio Cesare]
> > I recently ran the tool and cross referenced identified code copies with
> > Debian's security tracking of affected packages by CVE. I did this for all
> > CVEs in 2010, 2011, and 2012.
>
> This sounds like a
On Mon, Jul 02, 2012 at 12:27:06PM +0200, Bernd Zeimetz wrote:
> On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> > Hi,
> > [ ... ]
> > Now some of these cases are going to be false positives. From looking at
> > the results, many of the vulns were probably fixed but have not been
> > reported in the
[Michael Gilbert]
>> Are you aware of my proposal to do this, mentioned on debian-security
>> and also drafted on http://wiki.debian.org/CPEtagPackagesDep?
>
> Does this actually cover embedded code copies? The spec probably
> needs to get something like an "XBS-Embeds-Source-From-CPE" tag for
On Mon, Jul 2, 2012 at 1:59 PM, Petter Reinholdtsen wrote:
>
> [Silvio Cesare]
>> I recently ran the tool and cross referenced identified code copies with
>> Debian's security tracking of affected packages by CVE. I did this for all
>> CVEs in 2010, 2011, and 2012.
>
> This sounds like a job that co
On Mon, Jul 2, 2012 at 4:38 AM, Bastian Blank wrote:
> Can this tool be used to identify all code copies, regardless of CVE?
Indeed, we plan to run it over the whole archive on a regular basis
and link to the results from the PTS.
Silvio, thanks a lot for your work, I'm looking forward to sponso
On Mon, July 2, 2012 13:38, Silvio Cesare wrote:
> On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz wrote:
>> The ia32-libs stuff are all false positives (assuming the package was
>> updated after the security fixes came out, I'm not 100% sure about that
>> :) And the openssl source is expected to c
Last I checked, ia32-libs on squeeze didn't have the openssl patches for
0.9.8. I may have to check more thoroughly to be sure. It might have some
other vulns as well.
--
Silvio
On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz wrote:
> On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> > Hi,
> > [ ...
On Mon, Jul 02, 2012 at 06:53:54PM +1000, Silvio Cesare wrote:
> I recently ran the tool and cross referenced identified code copies with
> Debian's security tracking of affected packages by CVE. I did this for all
> CVEs in 2010, 2011, and 2012.
Can this tool be used to identify all code copies,
On 07/02/2012 10:53 AM, Silvio Cesare wrote:
> Hi,
> [ ... ]
> Now some of these cases are going to be false positives. From looking at
> the results, many of the vulns were probably fixed but have not been
> reported in the security tracker. The report tries to be self
> explanatory and justify wh
Hi,
I have been working on a tool called Clonewise
(http://www.github.com/silviocesare/Clonewise and http://www.FooCodeChu.com)
to automatically identify code copies in Linux and try to infer if any of
these code copies are causing security issues because they haven't been
updated. The goal is for