Re: Which "Codebases" do these candidates really split into?
Spaf wrote:

> >AFFECTED OSes:
> > Digital Unix, FreeBSD, HPUX, AIX, IRIX, Linux, OSF/1, SCO, Solaris
> >
> >QUESTION: is the appropriate codebase "Unix"? Or do we separate it
> >into BSD and System V? Or each individual OS?
>
> Systems that used the old BSD IP stack have this problem. The Linux
> stack was developed independently, as was (I believe) AIX. All of
> the others derived from the same underlying IP code. However, each
> one has undergone quite a bit of change.
>
> MacOS is also vulnerable in some versions. I believe VMS and
> NextStep were too.
>
> So here we have the problem of defining "same."
>
> My feeling would be to split out each independent OS unless we know
> they use the same underlying code.

The drawback to this approach would seem to be a huge explosion of vulnerability numbers. We often won't know, as we don't here (correct me if I'm wrong), if the code that contains the vulnerability is materially the same or not in different systems. Most CERT advisories about Unix vulnerabilities contain a laundry list of which systems are vulnerable and which aren't. If every CERT advisory becomes 10 CVE numbers, that seems a high price to pay.

Plus it seems insufficient to say that the codebase is "Solaris" vs "Solaris versions before 2.3, 2.4 without patch foo1, 2.5 without foo2....".

Finally, would it be really obnoxious of me to point out that the typical Unix program on the typical Unix system is probably stuffed full of #ifdefs that may mean a program which is identical per 'diff' will behave differently, and possibly have different vulnerabilities, on different systems? I guess this is mainly a technicality - we can, at least conceptually, imagine comparing the code after the preprocessor has been over it.

I don't have a constructive suggestion how to achieve this, but it seems a desirable property would be that the CVE not split up CERT and similar advisories into lots of different pieces (unless they were clearly referring to two different holes to begin with). "Same advisory, same vulnerability"?

[Note - I'm not taking a position on how to proceed and please don't count this email as a vote. I'm just trying to understand the issues.]

Stuart.

-- 
Stuart Staniford-Chen --- President --- Silicon Defense
firstname.lastname@example.org
(707) 822-4588
(707) 826-7571 (FAX)