On Mon, Jun 28, 2004 at 02:30:09PM +0200, Javier Fernández-Sanguino Peña wrote:
> A simple way to find these is finding if the following directories [1] are
> used in the source code (of code or scripts):
>
> /var/cache/fonts/{pk,source,tfm}
> /var/spool/texmf/{pk,source,tfm}
> /var/lib/php4
> /var/lock/
> /tmp/
> /var/tmp/
>
> Do you believe you could code also an interface to search for
> files/packages which use those? I currently do this by hand but I think it
> would be great to be able to do this using my local Debian mirror copy.
That sounds good, I was thinking of including more information. Trouble is
that my script scans only binary packages at this time and the machine
I'm doing this on is already at 95% of its disk capacity, so there's not
really much room for including source packages.
That is, unless there is a mechanism that I could use to automatically
track new packages that enter the archive. That would take away the need
for a complete mirror and I could just delete the processed packages.
Any ideas how to do that? The buildds must be doing something similar..
> Errors of that kind are usually trivial to find/exploit/fix so I'm focusing
> on them (I have a list of packages I need to bug/patch related to this).
> Also, it would be great if someone coded in a way to automatically run some
> automatic auditing software (such as RATS/Flawfinder/Pscan) and have that
> indexed in a way similar to how lintian.debian.org does it. It could make
> it easy to find packages which need to be analysed in depth. Any volunteer?
> :-)
That would be nice indeed. Some of the bugs I've come across could have
been found easily with an automated vulnerability scanner. Especially
stuff like passing user-controllable format strings to syslog() just
shouldn't happen any more..
The script could also scan packages for other interesting facts like
"includes header file sys/socket.h"
"installs into /etc/cron*"
"installs into /usr/lib/cgi-bin"
..
Anyone with big enough a machine to have this run on? :)
I'd volunteer to write the extraction scripts.
Cheers,
Max
-- 
308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC
Received on Mon Jun 28 2004 - 14:29:34 BST
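As an added example (not the archive-scanning script discussed in this thread, nor anything from Debian), here is a small Python scanner for the two bug classes the messages above mention: string literals naming the listed temp/spool directories, and syslog() calls whose format argument is not a string literal. The directory list is the one quoted above with the {pk,source,tfm} alternatives expanded; the sample source files it scans are constructed for the example and do not come from any real package.

```python
"""Grep-style scanner for hard-coded temp/spool directories and
non-literal syslog() format strings in an unpacked source tree.
Added example; the heuristics are deliberately simple."""

import os
import re
import shutil
import tempfile

# Directories quoted in the thread, with the {a,b,c} alternatives expanded.
RISKY_DIRS = [
    "/var/cache/fonts/pk", "/var/cache/fonts/source", "/var/cache/fonts/tfm",
    "/var/spool/texmf/pk", "/var/spool/texmf/source", "/var/spool/texmf/tfm",
    "/var/lib/php4", "/var/lock/", "/tmp/", "/var/tmp/",
]

# A risky directory not glued to a longer path (so "/var/tmp/" does not also
# report "/tmp/"); preceded by a quote, '=', whitespace or line start.
DIR_RE = re.compile(
    r"(?<![\w/.-])(" + "|".join(re.escape(d) for d in RISKY_DIRS) + r")"
)

# syslog(priority, fmt, ...): capture the second argument, the format.
SYSLOG_RE = re.compile(r"\bsyslog\s*\(\s*[^,()]+,\s*([^,()]+)")

SOURCE_EXTS = (".c", ".h", ".cc", ".cpp", ".sh", ".pl", ".py", ".php")


def scan_text(text):
    """Return [(kind, lineno, detail)] for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIR_RE.search(line)
        if m:
            findings.append(("tmpdir", lineno, m.group(1)))
        m = SYSLOG_RE.search(line)
        if m:
            fmt = m.group(1).strip()
            # A format that is not a string literal may be attacker-controlled.
            if not fmt.startswith(('"', "'")):
                findings.append(("format-string", lineno, fmt))
    return findings


def scan_tree(root):
    """Walk an unpacked package and map relative path -> findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(SOURCE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


# Constructed sample sources for the demonstration (not from a real package).
SAMPLES = {
    "src/log.c": (
        "#include <syslog.h>\n"
        "void warn(const char *msg) {\n"
        "    syslog(LOG_WARNING, msg);        /* caller controls the format */\n"
        '    syslog(LOG_WARNING, "%s", msg);  /* fixed form */\n'
        "}\n"
    ),
    "src/cache.c": (
        'static const char *dir = "/var/cache/fonts/pk";\n'
        'FILE *f = fopen("/tmp/fontcache.lock", "w");\n'
    ),
    "debian/postinst.sh": (
        "#!/bin/sh\n"
        "TMP=/var/tmp/php4.$$\n"
        "SAFE=$(mktemp -t php4.XXXXXX)\n"
    ),
    "README": "Writes to /tmp/ when run.\n",  # not a source file, skipped
}


def scan_samples():
    """Write the constructed tree to a temp dir, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="pkgscan-")
    try:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, hits in sorted(scan_samples().items()):
        for kind, lineno, detail in hits:
            print(f"{path}:{lineno}: {kind}: {detail}")
```

This is the same level of heuristic as grepping the archive by hand: it flags comments and legitimate lock-file code alongside real bugs, and it only catches syslog(), not the vsyslog()/printf() family, so its output is a worklist for manual review rather than a list of confirmed vulnerabilities.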