On Wed, Aug 31, 2005 at 10:01:21PM +0200, Javier Fernández-Sanguino Peña wrote:
> It might be better to scan all _sources_ for syslog calls and do a
> 'grep -v %s' to find those that might be vulnerable to these format string
> attacks.
Indeed.
> Consider the attached program that extracts the source packages of a local
> mirror to a directory and runs rats, flawfinder et al in them.
> I've slightly modified it today (only minimal testing though) so you can use
> it to both scan sources and binary packages in a local mirror pool for a
> given string.
I'm going to start scanning over the weekend. I have the Sarge sources
on three DVDs, so I should be able to set up three machines to scan
one DVD each.
> What I would really love is to have some place that would automatically
> maintain a pool of the Debian sources in order to do these searches
> faster.
> That syncs with the pool from time to time and knows how to use
> things like cdbs and yada to generate proper (patched) Debian sources that
> can be grepped (or searched) when you are investigating a security vuln.
That would indeed be most useful.
> Having that information cross-referenced would be a plus and being able to
> find files that are _almost_ close duplicates would be even better and would
> provide a way to find when a given vulnerability, patched in some program
> source A, is present in program B since it has reused some files from A.
> This is _very_ common in the OSS world.
Yes. Some of the search engines like gonzui might be useful - although
this creates a *huge* database for even small amounts of source.
> Barring that, the attached scripts can generate a report in about 5 hours
> on my 2GHz / 512MB system. Reviewing the report certainly takes much more
> time.
>
> So, anyone have hardware and/or time to spare? :-)
I don't have any hardware as powerful as that! But I've got time,
so I guess I can start. I'll post an update when I've started and
try to keep track of how long it takes and how much space is consumed.
Steve
--Received on Wed Aug 31 2005 - 22:38:10 BST
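A sketch of the syslog-call check Javier describes above, added here as an example and not part of the original thread or its attached scripts: instead of `grep -v %s`, it flags syslog() calls whose format argument does not start with a string literal, and runs against a constructed sample tree. It assumes GNU grep (for `-r` and `--include`) and `mktemp -d`.

```shell
#!/bin/sh
# Heuristic audit for syslog() calls that pass a non-literal as the format
# string, e.g. syslog(LOG_ERR, buf). Single-line calls only; a format held in
# a const char* variable is also flagged, so hits still need manual triage.

# scan_syslog_calls DIR : print FILE:LINE:TEXT for each suspicious call.
scan_syslog_calls() {
    dir="$1"
    # First argument (priority) may be any expression; the second must not
    # begin with a double quote to be reported.
    grep -rnE --include='*.c' --include='*.h' \
        'syslog[[:space:]]*\([^,]*,[[:space:]]*[^"[:space:]]' "$dir"
}

# count_suspicious DIR : number of suspicious lines, handy for scripting.
count_suspicious() {
    scan_syslog_calls "$1" | wc -l | tr -d ' '
}

# Constructed sample tree for a self-test; not taken from any real package.
make_sample_tree() {
    tmp=$(mktemp -d)
    cat > "$tmp/safe.c" <<'EOF'
#include <syslog.h>
void ok(const char *user) { syslog(LOG_INFO, "login: %s", user); }
EOF
    cat > "$tmp/unsafe.c" <<'EOF'
#include <syslog.h>
void bad(const char *msg) { syslog(LOG_ERR, msg); }   /* user data as format */
void bad2(char *buf)      { syslog (LOG_WARNING,   buf); }
EOF
    printf '%s\n' "$tmp"
}
```

Point `scan_syslog_calls` at an unpacked source tree (the output of the extraction script mentioned in the thread) to get a file:line list to review.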