Posted on Wed, 05 Mar 2008 :: /geek/debian/security :: link
As some people may know, I'm a member of the Debian testing security team. As well as tracking all CVE IDs and which packages they affect, we also keep a list of known embedded code copies. Embedded code copies are a bad thing, as they cause no end of problems for the security teams.
One of the problems we've had to find a solution for is: how do we know what statically compiles against a library, or, even worse, ships its own copy?
So, we're looking for something that looks for a particular set of bytes in arbitrary executables; a signature of the library, if you will. And we do have a rather good tool that can be used for scanning for binary signatures: clamav :)
Step 1
Create a clamav signature
Clamav have a nice guide on how to create signatures on their site. The method I use is fairly simple: find a unique binary string, pass it to sigtool --hex-dump, and place the result in an .ndb file.
Step 2
Scan the archive
# Quote the glob so the shell does not expand it in the current directory, and quote $I.
for I in `find /mirror/debian/pool/ -name '*all.deb'`; do
clamscan -i -d smarty.ndb --deb --tempdir=/home/maulkin --no-summary \
--max-space=1024m --stdout "$I" >> /home/maulkin/smarty.log;
done;
Step 3
???
Step 4
PROFIT!!!
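Steps 1 and 2 above, as an added example (this is not the post's own script): a POSIX shell script that hex-encodes a unique string into a one-line .ndb signature the way sigtool --hex-dump would, checks that signature against a file offline without clamscan, and wraps the pool scan with the glob and file paths quoted. The signature name, the marker string and the file names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the post's own script. Names and marker string are constructed.

# Hex-encode a string as sigtool --hex-dump does: lowercase hex, no separators.
ndb_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Emit one .ndb line: Name:TargetType:Offset:HexSignature
# (target type 0 = any file, offset * = anywhere in the file).
make_ndb_sig() {
    printf '%s:0:*:%s\n' "$1" "$(ndb_hex "$2")"
}

# Offline check of a plain body signature against a file, without clamscan:
# hex-dump the file and require the match to start at an even nibble offset,
# i.e. on a byte boundary, so bytes "x5 36 dy" are not a hit for "536d".
# Exit status 0 = match, 1 = no match.
sig_matches_file() {
    od -An -v -tx1 "$1" | tr -d ' \n' | grep -Eq "^(..)*$2"
}

# Scan every architecture-independent package under a pool directory with the
# signature file, appending only infected files to the log (clamscan -i) as the
# post's loop does; the glob is quoted and paths are handed over by find -exec.
scan_pool() {
    # $1 = pool directory, $2 = signature file, $3 = log file
    find "$1" -name '*_all.deb' -type f \
        -exec clamscan -i -d "$2" --no-summary --stdout {} + >> "$3"
}

# Usage: sh scan-copies.sh /mirror/debian/pool smarty.log
# Writes the signature file under $TMPDIR and runs the scan if clamscan is installed.
SIG_FILE="${TMPDIR:-/tmp}/smarty-embedded.ndb"
make_ndb_sig 'Debian.EmbeddedCopy.Smarty' 'Smarty_Compiler' > "$SIG_FILE"   # constructed marker
if [ $# -eq 2 ] && command -v clamscan >/dev/null 2>&1; then
    scan_pool "$1" "$SIG_FILE" "$2"
fi
```

Pick the marker string from bytes that only the library in question contains (a version banner or an unusual symbol name), or the scan will flag unrelated packages.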
While I'm talking about testing security, we're all rather busy at the moment in the team, so we could do with some help! If you fancy helping, have a quick read of the
intro and come onto #debian-security on irc.debian.org and say hi!
Posted on Sat, 16 Dec 2006 :: /geek/debian/security :: link
aba recently announced the freeze of Debian Etch, which is great news. However, it now means that a lot of work is important for the secure testing team. So, if you have time, please help us out and look through the list of vulnerable packages in the testing suite, and provide patches/upload fixes :) I'd like as many of these fixed as possible before we hand over to the stable security team.
I've also been actively recruiting recently. Luk has joined the team, and
should also be helping to issue updates in the near future. Please come find me
on IRC (Maulkin) if you want to help us produce a nice secure operating system
:P
As this seems to be a post about testing security, I'll put a bit of a status
update too:
- Updates now go through newklecker (aka: security.debian.org)
- The embargoed/unembargoed queues seem to work (mostly), which means that there should be a greater number of people who can do updates for stable
- We're working through all the outstanding issues which don't have CVE-IDs yet, and requesting them
- I'm working on various clamav signatures to find embedded code copies in other packages
Posted on Tue, 06 Jun 2006 :: /geek/debian/security :: link
Extract from the secure testing team list of doom changelog:
maulkin@cheddar:/home/repos/secure-testing$ svn log -r4160 data/CVE/list
------------------------------------------------------------------------
r4160 | stef-guest | 2006-06-07 00:20:30 +0100 (Wed, 07 Jun 2006) | 7 lines
some bug reports have been closed, but were missed:
fftw fixed
moodle fixed
gnumach fixed
linux fixed
------------------------------------------------------------------------
Finally! Linux has been fixed!