oss-sec mailing list archives
Re: Estimate for the total number of exploitable bugs in large linux distro?
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 14 Jul 2017 12:04:20 -0600
On Fri, Jul 14, 2017 at 12:34:01PM +0300, Georgi Guninski wrote:What is an estimate for the total number of exploitable bugs in large linux distro?
First you need to define "distribution". Do we go with "all" the packages shipped? Ok... what about things like firefox? https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox 1500 CVEs... does that count to the distribtion count? What about non-free in Debian? Anyone that ships Flash is also going to see their stats bumped way up. Now we need to define "exploitable bugs", for example an exploit chain, is that multiple bugs or do we count that as a single one for this discussion? There's a lot of /tmp flaws that are "exploitable" but I can pretty much guarantee nobody will ever bother. I would then point out the only source of data anyone is mentioning is CVE. And CVE has counting rules. For example if you find 100 XSS flaws in a php app (because they forgot to use htmlspecialchars on output) in the same version we'll assign a single CVE, not 100. So how many bugs do you count this as? CVE is also incomplete. There's lots and lots of vulns with no CVE (something I'm trying to remediate with the DWF). I would suggest before anyone continue this thread they go read: https://media.blackhat.com/us-13/US-13-Martin-Buying-Into-The-Bias-Why-Vulnerability-Statistics-Suck-Slides.pdf it's largely a pointless discussion because the question isn't well defined, and we know for a fact we don't have good data to answer it (yet...). -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert () redhat com
Current thread:
- Estimate for the total number of exploitable bugs in large linux distro? Georgi Guninski (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Greg KH (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Steven Miano (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Alan Coopersmith (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Hanno Böck (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Steve Grubb (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Santiago Torres (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Kurt Seifried (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Javantea (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Kristian Fiskerstrand (Jul 14)