The Linux Foundation's Core Infrastructure Initiative has completed its first-pass survey of the Linux toolset, and is highlighting which tools are most at risk.
While there's lots of attention on high-profile packages like crypto tools, web servers and mail agents, there are also many packages that everyone uses and nobody cares about (compression and image libraries figure high on the list).
On its GitHub page, the foundation's Census Project has released the final version of a survey by David Wheeler and Samir Khakimov, Open Source Software Projects Needing Security Investments.
While Wheeler and Khakimov write that their work was constrained by time, and at this stage concentrated mainly (but not exclusively) on packages shipped with Debian, the findings are still worrying.
The list of “most exposed packages” is drawn from a range of metrics – how much maintenance a package actually receives, how popular it is, and how important it is (that is, can you live without it?). After an automated assessment of more than 350 projects, the pair then applied human review to pick out those they believe are most exposed to security vulnerabilities.
While the list includes more than 20 utilities, some of which are highly exposed to Internet risks (mail transfer agents, DHCP, BIND tools and so on), the survey is measuring not the “level of bugginess” per se, but rather how much damage a bug would do, and therefore how much TLC a particular tool or project needs.
Hence while OpenSSL and OpenSSH are rated as critically important, those projects are already operating under the CII's wing.
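To make the triage logic above concrete, here is an added illustration (not the Census Project's own scoring, whose exact metrics and weights are in the report) of how maintenance, popularity and importance signals can be combined into a "needs investment" ranking. The package records, thresholds and weights below are constructed for the example; the scores are not figures from the survey.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PackageSignals:
    """Per-package signals of the kind the survey collected (constructed sample values)."""
    name: str
    years_since_release: int    # years since the last formal release
    contributors_12m: int       # distinct contributors in the last 12 months
    has_repo: bool              # a public source-code repository exists
    has_bug_tracker: bool       # a working bug tracker or mailing list exists
    install_share: float        # fraction of surveyed systems with the package installed (0..1)
    parses_untrusted_input: bool  # handles data that commonly arrives from the network
    hard_dependency: bool       # "can you live without it?"; True means many things depend on it


def maintenance_score(p: PackageSignals) -> int:
    """0 (actively maintained) .. 4 (effectively abandoned)."""
    score = 0
    if p.years_since_release >= 2:
        score += 1
    if p.contributors_12m == 0:
        score += 1
    if not p.has_repo:
        score += 1
    if not p.has_bug_tracker:
        score += 1
    return score


def exposure_score(p: PackageSignals) -> int:
    """0 .. 5: how much damage a bug would do, from popularity, input exposure and importance."""
    score = 0
    if p.install_share >= 0.5:
        score += 2
    elif p.install_share >= 0.1:
        score += 1
    if p.parses_untrusted_input:
        score += 2
    if p.hard_dependency:
        score += 1
    return score


def risk_score(p: PackageSignals) -> int:
    """Neglect multiplied by exposure: a neglected but unused package, or a heavily used
    but well-tended one (the OpenSSL case), both rank low for *additional* investment."""
    return maintenance_score(p) * exposure_score(p)


def rank(packages):
    """Packages ordered from most to least in need of attention (ties broken by name)."""
    return sorted(packages, key=lambda p: (-risk_score(p), p.name))


# Constructed sample records; the values are hypothetical and only loosely echo the article.
SAMPLE = [
    PackageSignals("bzip2", 5, 0, False, False, 0.95, True, True),
    PackageSignals("expat", 3, 0, True, False, 0.90, True, True),
    PackageSignals("gzip", 2, 5, True, True, 0.95, True, True),
    PackageSignals("keyutils", 1, 1, True, False, 0.60, False, False),
    PackageSignals("wget", 0, 10, True, True, 0.80, True, False),
]

if __name__ == "__main__":
    for p in rank(SAMPLE):
        print(f"{p.name:10s} maintenance={maintenance_score(p)} "
              f"exposure={exposure_score(p)} risk={risk_score(p)}")
```

The product in `risk_score` is the design choice that matters: it encodes the article's point that the survey ranks how much care a project needs rather than how buggy it is, so a critical package that is already looked after scores low even though its exposure is maximal.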
That's not true of tools like the widespread Bzip2 compression tool, which hasn't changed since 2010, doesn't operate any forums the authors could find, and doesn't operate a source code repository (the source code ships only in the tarballs).
Likewise, the report that BIND9 has a “huge backlog” of issues is worrying; wget has “a fair number of hacks, and functionality that was 'tacked on' (which is not good for security)”; and while the “vital” gzip tool has “many contributors”, the last formal release was in 2013.
libexpat1 (the Expat XML parser) is also singled out: maintenance “effectively halted” in 2012, and its “bug reports” link produces an error page; and keyutils – used to manage keys held in the Linux kernel keyring – has no bug tracker and no mailing list.