Differences between revisions 1 and 2
Revision 1 as of 2019-02-24 17:06:15
Size: 1123
Editor: nodiscc
Comment: move content from [[Bugs]] page since this seems to be a personal notes page
Revision 2 as of 2019-02-25 03:19:03
Size: 0
Editor: PaulWise
Comment: not a personal notes page but other folks seem to want it gone
Line 1: Line 1:
= Bugs =

This page list common bugs, current checks, potential checks, solutions and links to potentially affected code in Debian.

== External advice ==

 * General: [[https://cwe.mitre.org/data/|CWE]] [[https://bazaar.launchpad.net/~ubuntu-security/ubuntu-security-tools/trunk/view/head:/audits/review.template|Ubuntu review template]]
 * Web applications: [[https://www.owasp.org/|OWASP]]

== Issues ==

 * memory use after free
  * Explanations: https://cwe.mitre.org/data/definitions/416.html
  * Affected: libc free() without NULL afterwards, C++ delete
    * Potentially affected: http://codesearch.debian.net/search?q=\bfree\%28[^\%29]*\%29
  * Checks: [[https://code.google.com/p/address-sanitizer/|AddressSanitizer]] [[DebianPackage:valgrind|Valgrind]]
  * Solution:
 * array bounds checking issues
 * [[http://bonedaddy.net/pabs3/log/2014/02/17/pid-preservation-society/|shell metacharacter injection]]
 * unauthenticated code/data downloads
 * SQL injection
 * HTML template injection
 * YAML loading arbitrary code
 * XML recursive entity resolution
 * XML entity arbitrary file load
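
Review bot: Blanking the page to Size: 0 discards the whole list, from "= Bugs =" through the XML entity items, without leaving a pointer to where the content lives now, and revision 1's comment says this text was itself moved here from [[Bugs]]. If the list is still wanted, restore it on [[Bugs]] or replace the empty page with a one-line link to its new location. If it is being dropped on purpose, say so in the revision comment; only the use-after-free entry has any detail filled in, and its "Solution:" field is empty.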