Package: likewise-open
Severity: important
Tags: security

I have been working on a tool called Clonewise to automatically identify
embedded code copies in Debian packages and determine if they are out of
date and vulnerable. Ideally, embedding code and libraries should be
avoided and a system wide library should be used instead.

I recently ran the tool on Debian 6 stable. The results are here at
http://www.foocodechu.com/downloads/Clonewise-report.txt

The likewise-open package reported potential issues appended to this
message.

The analysis tries to justify why it believes a library or code is embedded
in the package and if the relationship is not already being tracked by
Debian in the embedded-code-copies database it shows the files that are
shared between the two pieces of software.

Apologies if these are false positives. Your help in advising me on whether
these issues are real will help me improve the analysis for the future.

--
Silvio Cesare
Deakin University

### Summary:
###

curl CLONED_IN_SOURCE likewise-open <unfixed> CVE-2011-2192

### Reports by package:
###
# Package likewise-open may be vulnerable to the following issues:
#
        CVE-2011-2192


# SUMMARY: The Curl_input_negotiate function in http_negotiate.c in
libcurl 7.10.6 through 7.21.6, as used in curl and other products,
always performs credential delegation during GSSAPI authentication,
which allows remote servers to impersonate clients via GSSAPI
requests.
#

# CVE-2011-2192 relates to a vulnerability in package curl.
# The following source filenames are likely responsible:
#       httpnegotiate.c
#

# The following package clones are NOT tracked in the embedded-code-copies
# database.
#

curl CLONED_IN_SOURCE likewise-open <unfixed> CVE-2011-2192
                MATCH .c/.c (5.235564)
                MATCH amigaos.c/amigaos.c (7.037686)
                MATCH anyauthput.c/anyauthput.c (8.711663)
                MATCH atatime.c/atatime.c (9.117128)
                MATCH base.c/base.c (4.038834)
                MATCH cacertinmem.c/cacertinmem.c (9.117128)
                MATCH ccsidcurl.c/ccsidcurl.c (9.117128)
                MATCH certinfo.c/certinfo.c (8.200837)
                MATCH curlgtk.c/curlgtk.c (8.423981)
                MATCH curlgusiconfig.c/curlgusiconfig.c (8.711663)
                MATCH curlmemrchr.c/curlmemrchr.c (9.117128)
                MATCH curlrand.c/curlrand.c (9.117128)
                MATCH curlsspi.c/curlsspi.c (9.117128)
                MATCH curltests.c/curltests.c (8.711663)
                MATCH curlthreads.c/curlthreads.c (9.117128)
                MATCH curlutil.c/curlutil.c (9.117128)
                MATCH curlx.c/curlx.c (8.711663)
                MATCH debug.c/debug.c (3.668238)
                MATCH dict.c/dict.c (5.310465)
                MATCH easy.c/easy.c (8.018516)
                MATCH escape.c/escape.c (6.121396)
                MATCH evhiperfifo.c/evhiperfifo.c (9.117128)
                MATCH file.c/cfile.c (7.037686)
                MATCH fileupload.c/fileupload.c (8.711663)
                MATCH first.c/first.c (6.919903)
                MATCH fopen.c/fopen.c (6.254927)
                MATCH formdata.c/formdata.c (7.730834)
                MATCH ftp.c/ftp.c (5.699401)
                MATCH ftp.pm/ftp.pm (6.919903)
                MATCH ftpget.c/ftpget.c (8.200837)
                MATCH ftpgetinfo.c/ftpgetinfo.c (9.117128)
                MATCH ftpgetresp.c/ftpgetresp.c (8.423981)
                MATCH ftpserver.pl/ftpserver.pl (8.711663)
                MATCH ftpupload.c/ftpupload.c (8.200837)
                MATCH ftpuploadresume.c/ftpuploadresume.c (9.117128)
                MATCH getenv.c/getent.c (7.507690)
                MATCH getinfo.c/getinfo.c (6.977062)
                MATCH getinmemory.c/getinmemory.c (8.423981)
                MATCH getpart.c/getpart.c (8.423981)
                MATCH getpart.pm/getpart.pm (8.711663)
                MATCH getpass.c/getpass.c (6.026085)
                MATCH ghiper.c/ghiper.c (9.117128)
                MATCH gtls.c/gtls.c (8.423981)
                MATCH hash.c/hash.c (3.784409)
                MATCH hiperfifo.c/hiperfifo.c (9.117128)
                MATCH hmac.c/hmac.c (5.651392)
                MATCH homedir.c/homedir.c (7.412380)
                MATCH hostares.c/hostares.c (8.423981)
                MATCH hostasyn.c/hostasyn.c (8.423981)
                MATCH hostip.c/hostip.c (8.200837)
                MATCH hostsyn.c/hostasyn.c (8.423981)
                MATCH hostthre.c/hostthre.c (8.423981)
                MATCH htmltidy.c/htmltidy.c (8.711663)
                MATCH htmltitle.c/htmltitle.c (8.711663)
                MATCH http.c/http.c (4.773323)
                MATCH httpchunks.c/httpchunks.c (8.423981)
                MATCH httpcustomheader.c/httpcustomheader.c (9.117128)
                MATCH httpdigest.c/httpdigest.c (8.018516)
                MATCH httpnegotiate.c/httpnegotiate.c (8.200837)
                MATCH httpntlm.c/httpntlm.c (8.200837)
                MATCH httppost.c/httppost.c (8.018516)
                MATCH httpput.c/httpput.c (8.200837)
                MATCH https.c/http.c (4.773323)
                MATCH httpserver.pl/httpserver.pl (8.711663)
                MATCH hugehelp.c/hugehelp.c (8.711663)
                MATCH ifip.c/ifip.c (8.423981)
                MATCH imap.c/imap.c (6.409078)
                MATCH inetntop.c/inetntop.c (5.415826)
                MATCH inetpton.c/inetpton.c (5.492787)
                MATCH krb.c/krb.c (7.730834)
                MATCH ldap.c/ldap.c (6.313767)
                MATCH llist.c/klist.c (8.200837)
                MATCH macosmain.c/macosmain.c (8.200837)
                MATCH main.c/main.c (1.999517)
                MATCH makefile.inc/makefile.inc (5.533609)
                MATCH md.c/md.c (3.554525)
                MATCH memanalyze.pl/memanalyze.pl (8.423981)
                MATCH memdebug.c/memdebug.c (7.245326)
                MATCH mkcabundle.pl/mkcabundle.pl (8.711663)
                MATCH mkhelp.pl/mkhelp.pl (8.711663)
                MATCH mprintf.c/mprintf.c (7.507690)
                MATCH multi.c/multi.c (6.442979)
                MATCH multiapp.c/multiapp.c (8.711663)
                MATCH multidebugcallback.c/multidebugcallback.c (8.711663)
                MATCH multidouble.c/multidouble.c (8.711663)
                MATCH multipost.c/multipost.c (8.711663)
                MATCH multisingle.c/multisingle.c (8.711663)
                MATCH multithread.c/multithread.c (7.864365)
                MATCH netrc.c/netrc.c (7.037686)
                MATCH nonblock.c/nonblock.c (7.507690)
                MATCH nss.c/nss.c (7.730834)
                MATCH nwlib.c/nwlib.c (8.200837)
                MATCH nwos.c/nwos.c (9.117128)
                MATCH opensslthreadlock.c/opensslthreadlock.c (8.711663)
                MATCH osspecific.c/osspecific.c (9.117128)
                MATCH ossys.c/ossys.c (9.117128)
                MATCH parsedate.c/parsedate.c (6.977062)
                MATCH persistant.c/persistant.c (8.423981)
                MATCH pingpong.c/pingpong.c (7.037686)
                MATCH pop.c/pop.c (6.254927)
                MATCH postcallback.c/postcallback.c (8.711663)
                MATCH postit.c/postit.c (8.423981)
                MATCH progress.c/progress.c (5.479542)
                MATCH qssl.c/qssl.c (8.711663)
                MATCH rawstr.c/rawstr.c (8.711663)
                MATCH resolve.c/resolve.c (5.878449)
                MATCH rtsp.c/rtsp.c (7.037686)
                MATCH rtspd.c/rtsp.c (7.037686)
                MATCH rtspserver.pl/rtspserver.pl (9.117128)
                MATCH runtests.pl/runtests.pl (6.674781)
                MATCH sampleconv.c/sampleconv.c (9.117128)
                MATCH secureserver.pl/secureserver.pl (9.117128)
                MATCH security.c/security.c (6.026085)
                MATCH select.c/select.c (4.868633)
                MATCH sendf.c/sendf.c (7.730834)
                MATCH sendrecv.c/sendrecv.c (7.245326)
                MATCH sepheaders.c/sepheaders.c (8.423981)
                MATCH serverhelp.pm/serverhelp.pm (9.117128)
                MATCH share.c/share.c (6.977062)
                MATCH simple.c/simple.c (4.942740)
                MATCH simplepost.c/simplepost.c (8.200837)
                MATCH simplessl.c/simplessl.c (8.423981)
                MATCH slist.c/klist.c (8.200837)
                MATCH smtp.c/smtp.c (6.026085)
                MATCH sockfilt.c/sockfilt.c (8.711663)
                MATCH socks.c/socks.c (6.632221)
                MATCH socksgssapi.c/socksgssapi.c (9.117128)
                MATCH sockssspi.c/sockssspi.c (9.117128)
                MATCH speedcheck.c/speedcheck.c (8.423981)
                MATCH splay.c/splay.c (7.325368)
                MATCH ssh.c/ssh.c (6.919903)
                MATCH sshhelp.pm/sshhelp.pm (9.117128)
                MATCH sshserver.pl/sshserver.pl (9.117128)
                MATCH sslgen.c/sslgen.c (8.423981)
                MATCH ssluse.c/ssluse.c (8.423981)
                MATCH strdup.c/strdup.c (4.792995)
                MATCH strequal.c/strequal.c (8.423981)
                MATCH strerror.c/strerror.c (4.568528)
                MATCH strtok.c/strtok.c (6.442979)
                MATCH strtoofft.c/strtoofft.c (8.200837)
                MATCH sws.c/sws.c (8.711663)
                MATCH synctime.c/synctime.c (8.423981)
                MATCH telnet.c/telnet.c (6.344539)
                MATCH test.pl/test.pl (3.981329)
                MATCH testcurl.pl/testcurl.pl (8.711663)
                MATCH testutil.c/testutil.c (6.283915)
                MATCH tftp.c/tftp.c (6.765753)
                MATCH tftpd.c/ftpd.c (7.613050)
                MATCH tftpserver.pl/ftpserver.pl (8.711663)
                MATCH threadedssl.c/threadedssl.c (9.117128)
                MATCH timeval.c/timeval.c (6.765753)
                MATCH transfer.c/transfer.c (6.254927)
                MATCH url.c/url.c (5.074077)
                MATCH urlglob.c/urlglob.c (8.711663)
                MATCH util.c/util.c (3.004553)
                MATCH valgrind.pm/valgrind.pm (8.423981)
                MATCH version.c/cversion.c (8.200837)
                MATCH warnless.c/warnless.c (9.117128)
                MATCH writeenv.c/writeenv.c (8.711663)
                MATCH writeout.c/writeout.c (8.711663)
                MATCH xattr.c/attr.c (5.620620)
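
As an added example (not part of the original message and not Clonewise's own code), one way to triage the appended report is to parse it and check whether the file named as responsible for the CVE is actually among the shared files. The sample is a constructed excerpt in the report's format, the function names are hypothetical, and the number in parentheses is carried through uninterpreted because the message does not define it.

```python
import re

# Constructed excerpt in the format of the report above (not the full report).
SAMPLE = """\
# CVE-2011-2192 relates to a vulnerability in package curl.
# The following source filenames are likely responsible:
#       httpnegotiate.c
#

curl CLONED_IN_SOURCE likewise-open <unfixed> CVE-2011-2192
                MATCH file.c/cfile.c (7.037686)
                MATCH httpnegotiate.c/httpnegotiate.c (8.200837)
                MATCH main.c/main.c (1.999517)
"""

MATCH_RE = re.compile(r"^\s*MATCH\s+(\S+)/(\S+)\s+\(([\d.]+)\)\s*$")
CLONE_RE = re.compile(r"^(\S+) CLONED_IN_SOURCE (\S+) <(\S+)> (CVE-\d{4}-\d+)\s*$")
RESP_HDR = "# The following source filenames are likely responsible:"

def parse_report(text):
    """Return (responsible filenames, clone records with their MATCH lines)."""
    responsible, clones, in_resp = set(), [], False
    for line in text.splitlines():
        if line.strip() == RESP_HDR:
            in_resp = True
            continue
        if in_resp:
            name = line.lstrip("#").strip()
            if line.startswith("#") and name:
                responsible.add(name)
                continue
            in_resp = False  # bare "#" or non-comment line ends the filename list
        m = CLONE_RE.match(line)
        if m:
            clones.append({"pkg": m[2], "cve": m[4], "matches": []})
            continue
        m = MATCH_RE.match(line)
        if m and clones:
            clones[-1]["matches"].append((m[1], m[2], float(m[3])))
    return responsible, clones

def triage(text):
    """Per clone record, keep only matches that involve a CVE-responsible file."""
    responsible, clones = parse_report(text)
    out = []
    for c in clones:
        # Last tuple field: True when both sides carry the same file name.
        hits = [(a, b, s, a == b) for a, b, s in c["matches"]
                if a in responsible or b in responsible]
        out.append((c["pkg"], c["cve"], hits))
    return out
```

An empty hit list for a record means the shared files do not include the one tied to the CVE, which is a reason to inspect the package source before treating the finding as real.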
