oss-sec mailing list archives
Re: Estimate for the total number of exploitable bugs in large linux distro?
From: Javantea <jvoss () altsci com>
Date: Fri, 14 Jul 2017 17:52:01 -0000
On Fri, 14 Jul 2017 11:45:20 +0200, Greg KH wrote:
> On Fri, Jul 14, 2017 at 12:34:01PM +0300, Georgi Guninski wrote:
> > What is an estimate for the total number of exploitable bugs in large linux distro?
> Define "exploitable" please.

Let's assume exploitable means CVSS exploitability score >= 1.6. Therefore network attacks and easy local attacks are acceptable.

> Define "large Linux Distro".

Let's say Gentoo, Ubuntu, or Fedora.

> > Also, does the total number decrease, increase or change in other way over time?
> The world changes over time, why would the number not also change? What exactly are you trying to determine here, and what kind of research have you done to try to answer it yourself?
>
> thanks,
> greg k-h
First you must accept that the most well-reasoned answer you will get will probably be off by an order of magnitude. One method of answering this question is to take the number of GLSAs, RHSAs, and USNs, depending on which distro you want to track. If you multiply that number by 2, you'll have a reasonable guess. There's no guarantee that this number will be accurate because many bugs will last years or decades and many never become CVEs and thus won't become RHSAs, GLSAs, or USNs. Many bugs that are fixed in 2017 were present in 2016. Some fixed in 2017 weren't there in 2016.

https://security.gentoo.org/glsa
https://access.redhat.com/security/
https://www.ubuntu.com/usn/

Here is the code for Gentoo:

    for year in 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016; do
        echo -n "$year "
        ls -1 /usr/portage/metadata/glsa/glsa-"$year"* | wc -l
    done

    2007 264
    2008 208
    2009 153
    2010 43
    2011 47
    2012 149
    2013 98
    2014 242
    2015 97
    2016 162

This shows that GLSAs are neither increasing nor decreasing within the margin of error over the past 10 years.

Regards,
Javantea
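The per-year GLSA tally and the "within the margin of error" remark in the message above, as an added example that is not part of Javantea's post or of Gentoo's tooling. It reproduces the shell loop's count in Python, applies the "advisories times two" rule of thumb, and fits a least-squares slope to the posted yearly counts so the flatness claim can be checked against a standard error rather than by eye. The file-name shape glsa-YYYYMM-NN.xml and the temporary sample directory are assumptions constructed here so the script runs offline; the POSTED_COUNTS values are the ten numbers from the message.

```python
"""Added example, not code from Javantea's post or from Gentoo: a Python
version of the per-year GLSA tally in the message, plus a least-squares
check on whether the yearly counts trend up or down. The GLSA file-name
pattern glsa-YYYYMM-NN.xml and the sample directory are assumptions
constructed here so the script runs offline."""
import os
import re
import tempfile

# Per-year GLSA counts as posted in the message (2007..2016).
POSTED_COUNTS = {
    2007: 264, 2008: 208, 2009: 153, 2010: 43, 2011: 47,
    2012: 149, 2013: 98, 2014: 242, 2015: 97, 2016: 162,
}

# Assumed file-name shape for files under /usr/portage/metadata/glsa/.
GLSA_FILE = re.compile(r"^glsa-(\d{4})\d{2}-\d{2}\.xml$")


def count_glsas_per_year(glsa_dir):
    """Equivalent of the shell loop: count glsa-<year>* files per year."""
    counts = {}
    for name in os.listdir(glsa_dir):
        m = GLSA_FILE.match(name)
        if m:
            year = int(m.group(1))
            counts[year] = counts.get(year, 0) + 1
    return dict(sorted(counts.items()))


def linear_trend(counts):
    """Ordinary least-squares slope of count against year.

    Returns (slope, standard_error, t_statistic). A |t| below about 2
    means the data cannot distinguish the slope from zero, i.e. the
    series is flat within its margin of error.
    """
    years = sorted(counts)
    n = len(years)
    if n < 3:
        raise ValueError("need at least three years to estimate a trend")
    xs = [float(y) for y in years]
    ys = [float(counts[y]) for y in years]
    xbar = sum(xs) / n
    ybar = sum(ys) / n
    sxx = sum((x - xbar) ** 2 for x in xs)
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    slope = sxy / sxx
    residuals = [y - (ybar + slope * (x - xbar)) for x, y in zip(xs, ys)]
    residual_var = sum(r * r for r in residuals) / (n - 2)
    stderr = (residual_var / sxx) ** 0.5
    return slope, stderr, slope / stderr


def trend_is_flat(counts, t_threshold=2.0):
    """True when the fitted slope is not distinguishable from zero."""
    _, _, t_stat = linear_trend(counts)
    return abs(t_stat) < t_threshold


def estimate_exploitable_bugs(counts, year, factor=2):
    """The message's rule of thumb: advisories in a year times two."""
    return factor * counts[year]


def make_sample_glsa_dir():
    """Constructed sample tree (not real GLSA data) to exercise the tally."""
    d = tempfile.mkdtemp(prefix="glsa-sample-")
    sample = [
        "glsa-201501-01.xml", "glsa-201506-02.xml", "glsa-201512-03.xml",
        "glsa-201601-01.xml", "glsa-201603-02.xml", "glsa-201607-03.xml",
        "glsa-201611-04.xml", "glsa-201612-05.xml",
        "glsa.dtd",  # a non-advisory file that must not be counted
    ]
    for name in sample:
        with open(os.path.join(d, name), "w") as f:
            f.write("<glsa/>\n")
    return d


if __name__ == "__main__":
    print(count_glsas_per_year(make_sample_glsa_dir()))
    slope, se, t = linear_trend(POSTED_COUNTS)
    print("slope %.1f/yr, se %.1f, t %.2f, flat: %s"
          % (slope, se, t, trend_is_flat(POSTED_COUNTS)))
    print("rule-of-thumb estimate for 2016:",
          estimate_exploitable_bugs(POSTED_COUNTS, 2016))
```

On the posted numbers the fitted slope is about -6 advisories per year with a standard error near 8.7, so the t statistic is well under 1: the decade of counts cannot support either an upward or a downward trend, which is the point the message makes informally. The "times two" estimate inherits every caveat stated above it; it counts what the distribution chose to advise on, not what exists.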
Current thread:
- Estimate for the total number of exploitable bugs in large linux distro? Georgi Guninski (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Greg KH (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Steven Miano (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Alan Coopersmith (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Hanno Böck (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Steve Grubb (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Santiago Torres (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Kurt Seifried (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Javantea (Jul 14)
- Re: Estimate for the total number of exploitable bugs in large linux distro? Kristian Fiskerstrand (Jul 14)