On Sun, Oct 09, 2005 at 11:48:17AM -0700, vivek khurana wrote:
> I want to share my experience in code audit with
> Debian. How can I start auditing code and to whom should I
> report the vulnerabilities?
Start auditing code by downloading the source to a couple
of packages and looking around.
If you find a genuine security problem mail security@xxxxxxxxxx
with a detailed description, and ideally a patch. If you're
not sure whether you've found something you're welcome to
mail me direct.
> Also can someone point me to a small package that can be a
> good starting point.
Anything providing a service over a network, setuid, setgid,
or executed as root by a system cron-job is a good candidate.
Hard to pick a package in particular, but you could do worse
than look at lpr, inn2, mailman, nighthawk, phalanx, screen,
or xemeraldia.
Of course if we knew which packages had bugs for you to find
in advance then we'd find it a lot easier ;)
> I would like to have hang of things first.
Have a look over the webpages and if you have any comments
or suggestions to make them more useful let us know:
http://www.debian.org/security/audit/
Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/
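The candidate classes Steve names (setuid/setgid executables and commands run as root from cron) enumerated by an added shell script that is not part of the original thread; it assumes `dpkg -S` is the way to map a file back to its owning package, and the crontab format it parses is the system one (`/etc/crontab`, `/etc/cron.d/*`).

```shell
#!/bin/sh
# Added example, not from the original thread: list the audit candidates
# Steve describes (setuid/setgid executables, commands run as root from cron)
# and map each file to its owning Debian package with dpkg -S (assumed present).

# Regular files under DIR with the setuid or setgid bit set, one per line.
privileged_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Commands from a system-crontab-format FILE (min hour dom mon dow user cmd)
# whose user field is root; comments, blank lines and VAR=value lines are skipped.
root_cron_commands() {
    awk '!/^[[:space:]]*(#|$)/ && $6 == "root" {
             $1 = $2 = $3 = $4 = $5 = $6 = ""; sub(/^ +/, ""); print
         }' "$1"
}

# Owning Debian package of PATH, or "(unpackaged)" when dpkg does not know it.
owning_package() {
    pkg=$(dpkg -S "$1" 2>/dev/null | cut -d: -f1)
    printf '%s\n' "${pkg:-(unpackaged)}"
}

# Full report: privileged files under DIR with their packages, then the
# root cron commands configured on this host.
audit_report() {
    privileged_files "$1" | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(owning_package "$f")"
    done
    for c in /etc/crontab /etc/cron.d/*; do
        [ -f "$c" ] && root_cron_commands "$c" | sed "s|^|$c: |"
    done
}

if [ "$#" -gt 0 ]; then
    audit_report "$1"     # e.g. ./audit-candidates.sh /usr
fi
```

Each line of the report is one "service over a network, setuid, setgid, or executed as root by cron" candidate together with the package whose source you would download next.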