Message-ID: <CANO=Ty0kA2sgHgZj+w1Xg6Z2G9WGSexa_i59Hi2eo2PQeW=YPQ@mail.gmail.com>
Date: Fri, 14 Jul 2017 12:04:20 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Estimate for the total number of exploitable bugs in large linux distro?

> On Fri, Jul 14, 2017 at 12:34:01PM +0300, Georgi Guninski wrote:
> > What is an estimate for the total number of exploitable bugs in large
> > linux distro?
>

First you need to define "distribution". Do we go with "all" the packages
shipped? Ok... what about things like firefox?
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox 1500 CVEs... does
that count to the distribution count?  What about non-free in Debian? Anyone
that ships Flash is also going to see their stats bumped way up.

Now we need to define "exploitable bugs", for example an exploit chain, is
that multiple bugs or do we count that as a single one for this discussion?
There's a lot of /tmp flaws that are "exploitable" but I can pretty much
guarantee nobody will ever bother.

I would then point out the only source of data anyone is mentioning is CVE.
And CVE has counting rules. For example if you find 100 XSS flaws in a php
app (because they forgot to use htmlspecialchars on output) in the same
version we'll assign a single CVE, not 100. So how many bugs do you count
this as?

CVE is also incomplete. There's lots and lots of vulns with no CVE
(something I'm trying to remediate with the DWF).

I would suggest before anyone continues this thread they go read:

https://media.blackhat.com/us-13/US-13-Martin-Buying-Into-The-Bias-Why-Vulnerability-Statistics-Suck-Slides.pdf

it's largely a pointless discussion because the question isn't well
defined, and we know for a fact we don't have good data to answer it
(yet...).


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
