Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 14 Jul 2017 17:52:01 -0000
From: Javantea <jvoss@...sci.com>
To: oss-security@...ts.openwall.com
Subject: Re: Estimate for the total number of exploitable bugs in large linux distro?

On Fri, 14 Jul 2017 11:45:20 +0200, Greg KH wrote:
> On Fri, Jul 14, 2017 at 12:34:01PM +0300, Georgi Guninski wrote:
>> What is an estimate for the total number of exploitable bugs in large
>> linux distro?
> 
> Define "exploitable" please.
> 
Let's assume exploitable means CVSS exploitability score >= 1.6. Therefore network attacks, and easy local attacks are acceptable.

> Define "large Linux Distro".
> 
Let's say Gentoo, Ubuntu, or Fedora.

>> Also, does the total number decrease, increase or change in other way
>> over time?
> 
> The world changes over time, why would the number not also change?
> 
> What exactly are you trying to determine here, and what kind of research
> have you done to try to answer it yourself?
> 
> thanks,
> 
> greg k-h
> 
> 
First you must accept that the most well-reasoned answer you will get will probably be off by an order of magnitude. One method of answering this question is to take the number of GLSAs, RHSAs, and USNs depending on which distro you want to track. If you multiply that number by 2, you'll have a reasonable guess. There's no guarantee that this number will be accurate because many bugs will last years or decades and many never become CVEs and thus won't become RHSAs, GLSAs, or USNs. Many bugs that are fixed in 2017 were present in 2016. Some fixed in 2017 weren't there in 2016.

https://security.gentoo.org/glsa
https://access.redhat.com/security/
https://www.ubuntu.com/usn/

Here is the code for Gentoo:
for year in 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016; do echo -n "$year "; ls -1 /usr/portage/metadata/glsa/glsa-"$year"* |wc -l; done
2007 264
2008 208
2009 153
2010 43
2011 47
2012 149
2013 98
2014 242
2015 97
2016 162

This shows that GLSAs are neither increasing nor decreasing within the margin of error over the past 10 years.

Regards,
Javantea

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.