oss-sec mailing list archives

Re: Estimate for the total number of exploitable bugs in large linux distro?


From: Javantea <jvoss () altsci com>
Date: Fri, 14 Jul 2017 17:52:01 -0000

On Fri, 14 Jul 2017 11:45:20 +0200, Greg KH wrote:
On Fri, Jul 14, 2017 at 12:34:01PM +0300, Georgi Guninski wrote:
What is an estimate for the total number of exploitable bugs in large
linux distro?

Define "exploitable" please.

Let's assume exploitable means CVSS exploitability score >= 1.6. Therefore network attacks and easy local attacks are acceptable.

Define "large Linux Distro".

Let's say Gentoo, Ubuntu, or Fedora.

Also, does the total number decrease, increase or change in other way
over time?

The world changes over time, why would the number not also change?

What exactly are you trying to determine here, and what kind of research
have you done to try to answer it yourself?

thanks,

greg k-h


First you must accept that the most well-reasoned answer you will get will probably be off by an order of magnitude. 
One method of answering this question is to take the number of GLSAs, RHSAs, and USNs depending on which distro you 
want to track. If you multiply that number by 2, you'll have a reasonable guess. There's no guarantee that this number 
will be accurate because many bugs will last years or decades and many never become CVEs and thus won't become RHSAs, 
GLSAs, or USNs. Many bugs that are fixed in 2017 were present in 2016. Some fixed in 2017 weren't there in 2016.

https://security.gentoo.org/glsa
https://access.redhat.com/security/
https://www.ubuntu.com/usn/

Here is the code for Gentoo:
for year in 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016; do echo -n "$year "; ls -1 /usr/portage/metadata/glsa/glsa-"$year"* | wc -l; done
2007 264
2008 208
2009 153
2010 43
2011 47
2012 149
2013 98
2014 242
2015 97
2016 162

This shows that GLSAs are neither increasing nor decreasing within the margin of error over the past 10 years.

Regards,
Javantea
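As an added example (not part of the post above), the following script applies the post's rule of thumb, advisories per year times 2, to the GLSA counts quoted in it, and fits a least-squares line to check the claim that the series is flat within the margin of error. The filename pattern mirrors the glsa-YYYYMM-NN.xml naming of the portage metadata directory; SAMPLE_LISTING is a constructed stand-in for that directory.

```python
import re
from collections import Counter
from statistics import mean

# Filenames in the portage GLSA metadata directory look like glsa-YYYYMM-NN.xml.
GLSA_NAME = re.compile(r"^glsa-(\d{4})\d{2}-\d{2}\.xml$")

# Per-year GLSA counts quoted in the post (2007-2016).
GLSA_COUNTS = {2007: 264, 2008: 208, 2009: 153, 2010: 43, 2011: 47,
               2012: 149, 2013: 98, 2014: 242, 2015: 97, 2016: 162}

# Constructed sample directory listing, used when no portage tree is present.
SAMPLE_LISTING = ["glsa-201701-01.xml", "glsa-201701-02.xml",
                  "glsa-201612-50.xml", "README", "glsa-201703-04.xml.bak"]


def count_by_year(filenames):
    """Count advisory files per year; names not matching the pattern are skipped."""
    years = Counter()
    for name in filenames:
        m = GLSA_NAME.match(name)
        if m:
            years[int(m.group(1))] += 1
    return dict(years)


def estimate_exploitable(counts, factor=2):
    """The post's rule of thumb: advisories per year times a fudge factor."""
    return {year: n * factor for year, n in counts.items()}


def trend(counts):
    """Least-squares slope (advisories per year) and its standard error."""
    xs = sorted(counts)
    ys = [counts[x] for x in xs]
    xbar, ybar = mean(xs), mean(ys)
    sxx = sum((x - xbar) ** 2 for x in xs)
    slope = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys)) / sxx
    resid = [y - (ybar + slope * (x - xbar)) for x, y in zip(xs, ys)]
    sigma = (sum(r * r for r in resid) / (len(xs) - 2)) ** 0.5
    return slope, sigma / sxx ** 0.5


def flat_within_error(counts, k=2.0):
    """True when the fitted slope is within k standard errors of zero."""
    slope, se = trend(counts)
    return abs(slope) <= k * se


if __name__ == "__main__":
    print(count_by_year(SAMPLE_LISTING))
    print(estimate_exploitable(GLSA_COUNTS))
    print("slope %.2f/yr, se %.2f, flat: %s" % (*trend(GLSA_COUNTS), flat_within_error(GLSA_COUNTS)))
```

On a Gentoo box, passing os.listdir('/usr/portage/metadata/glsa') to count_by_year reproduces the post's per-year counts.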
