tcpdump mailing list archives

Re: Research on tcpdump


From: Guy Harris <guy () alum mit edu>
Date: Mon, 18 Mar 2013 11:33:03 -0700


On Mar 18, 2013, at 11:13 AM, Michael Richardson <mcr () sandelman ca> wrote:


"Raymond" == Raymond Borges <borgesraymond () gmail com> writes:
   Raymond> Specifically we are studying how versions fixed
   Raymond> vulnerabilities by diffing the code functions where the CVE
   Raymond> states the vulnerability was. We're also wondering why
   Raymond> there are no listed CVEs after 2007 for tcpdump.
   Raymond> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump

There would be no CVEs prior to 3.5, because CVEs didn't exist.

Actually, CVE-1999-1024 is against "3.4a":

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1024

(What happened with 3.4?  Did the LBL people not say "hey, we've released the final 3.4 version, no need to keep using 
the 3.4a alpha version" loudly enough, or did nobody notice?  I've seen places where people thought "3.4a" was the final 
3.4 version....)

I am unaware of a CVE against tcpdump since 2007.  That's good, right?

I.e., perhaps there are no listed CVEs after 2007 because there aren't any serious vulnerabilities in tcpdump any more.

I'm not naive enough to *assume* all the problems have been fixed and no new ones have been introduced, but perhaps, 
either because they haven't looked hard enough or because they're not there, nobody's found any vulnerabilities since 
2007.

(Michael, have you gotten Coverity Scan set up to do either nightly or post-commit runs on libpcap and tcpdump?

        http://scan.coverity.com

That's one way of getting the code checked.  I also did a Clang Static Humiliator run on both of them a while ago, and 
fixed some issues it found.)
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

