This is an old revision of the document!

This page will hopefully soon consist of many code review reports with proper description of project/version/architecture/possible flaws and security relevant patches.

As a start, I will add some packages which are common across a lot of Linux distributions and have been identified as a potential risk since they either run privileged or with network input. Feel free to add other OS's or move to another, separate, page. The intention is NOT to enumerate all possibly problematic packages such as editor-foo-bar.tgz but the core packages that are needed to setup minimal working desktop or server system.

For large packages, only per-subsystem status will likely make sense.

• glibc
  • URL: http://www.gnu.org/software/libc/
  • Last review: unknown
    • fts(3) subsystem reviewed and patched in 2001, now might be a good time to at least double-check that the old issues were not re-introduced since then, because fts(3) is starting to be used by find(1) in GNU findutils
  • Status: unknown

• GCC
  • URL: http://gcc.gnu.org
  • Last review:
    • checked RELRO and GOT/PLT protection in 04-2007
    • checked mudflap protection in 09-2009
  • Status: Need to re-check RELRO, global destructor, __cxa_finalize etc.

• DBUS
  • URL: http://www.freedesktop.org/wiki/Software/dbus
  • Last review: unknown
  • Status: unknown

• PolicyKit
  • URL: http://cgit.freedesktop.org/PolicyKit/
  • Last review: slightly in 08-2009 (by whom? where's the info? should possibly be a link to an external resource or a wiki sub-page)
  • Status: Needs in-depth analysis of credential caching

• ConsoleKit
  • URL: http://cgit.freedesktop.org/ConsoleKit/
  • Last review: unknown
  • Status: unknown

• DeviceKit
  • URL: http://cgit.freedesktop.org/DeviceKit/
  • Last review: unknown
  • Status: unknown

• openssl
  • URL: http://www.openssl.org
  • Last review: unknown
  • Status: unknown

• udev
  • URL: http://git.kernel.org/?p=linux/hotplug/udev.git
  • Last review:
    • checked message validation in 04-2009
  • Status: fixed

• HAL
  • URL: http://cgit.freedesktop.org/hal/
  • Last review: unknown
  • Status: unknown (will be replaced by DeviceKit)

• coreutils
  • URL: http://www.gnu.org/software/coreutils/
  • Last review: unknown
  • Status: unknown

• pwdutils
  • URL: http://www.thkukuk.de/pam/pwdutils/
  • Last review: unknown
  • Status: unknown

• PAM
  • URL: http://www.kernel.org/pub/linux/libs/pam/ (need URL for a source code repository here?)
  • Last review: unknown
  • Status: unknown