How to find files that were changed/added to correct a Tomcat vulnerability

2010-03-25 Thread Naaliel Mendes
Dear Tomcat users,

I am trying to characterize the way vulnerabilities are corrected and I have
used the vulnerability reports of Apache Tomcat in my research work.

Currently I am facing difficulties in finding out how some of the reported
vulnerabilities were corrected, especially when there is no revision ID
associated with a vulnerability report. Some of the e-mails I found on the
jakarta.tomcat.devel mailing list have guided me (for instance,
http://article.gmane.org/gmane.comp.jakarta.tomcat.devel/79600/match=2007+5333),
but even so I am not finding the files that were changed to correct certain
vulnerabilities (examples: CVE-2008-0002, CVE-2007-3382, CVE-2007-1355).
Could anyone please give me some advice on how to find these files (if they
are available)? I am aware that in some cases, instead of changing files,
developers provide a security recommendation. I am using diff tools to
compare the fixed and affected versions to find out the files that were
changed to correct a vulnerability, but I am wondering whether there is an
easier method to do this.

Many Thanks!
N. Mendes


Re: How to find files that were changed/added to correct a Tomcat vulnerability

2010-03-25 Thread Naaliel Mendes
On Thu, Mar 25, 2010 at 5:11 PM, Mark Thomas ma...@apache.org wrote:

> On 25/03/2010 16:35, Naaliel Mendes wrote:
> > Dear Tomcat users,
> >
> > I am trying to characterize the way vulnerabilities are corrected and I have
> > used the vulnerability reports of Apache Tomcat in my research work.
> >
> > Currently I am facing difficulties in finding out how some of the reported
> > vulnerabilities were corrected, especially when there is no revision ID
> > associated with a vulnerability report. Some of the e-mails I found on the
> > jakarta.tomcat.devel mailing list have guided me (for instance,
> > http://article.gmane.org/gmane.comp.jakarta.tomcat.devel/79600/match=2007+5333),
> > but even so I am not finding the files that were changed to correct certain
> > vulnerabilities (examples: CVE-2008-0002, CVE-2007-3382, CVE-2007-1355).
> > Could anyone please give me some advice on how to find these files (if they
> > are available)?
>
> All of the source code, including all the changes, is in SVN.
>
> Matching svn rev to CVE is on the todo list.
>
> > I am aware that in some cases, instead of changing files,
> > developers provide a security recommendation. I am using diff tools to
> > compare the fixed and affected versions to find out the files that were
> > changed to correct a vulnerability, but I am wondering whether there is an
> > easier method to do this.
>
> The CVEs normally appear in the changelog but without the CVE and a
> sometimes oblique description. If you can match a CVE to a change log
> entry it is then easy to use svn to match it up to the code changes.
>
> I'd suggest taking a stab at matching up CVEs and changelog entries and
> finding the associated svn revisions. If you pick some more of the more
> recent ones, I should be able to confirm if they are correct or not. And
> I can then get the security pages and svn log updated.


Thank you for your suggestion. I am working on that and, if I succeed, I
will send you the results of the mapping between CVEs and changelog and its
respective svn revision ID. Should I use this mailing list to keep in touch?


> Mark

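The workflow Mark describes (match a CVE or a changelog phrase to a commit, then let svn name the files) can be scripted once the log is exported as XML. The script below is an added example, not code from this thread or from the Tomcat project: it parses `svn log --xml --verbose` output, matches commit messages against CVE ids or changelog wording case-insensitively, and returns the paths each matching revision touched. The sample log is constructed, with placeholder revisions, paths and messages.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `svn log --xml --verbose` output. Revision numbers,
# paths and messages are placeholders, not real Tomcat history.
SAMPLE_SVN_LOG_XML = """<?xml version="1.0"?>
<log>
<logentry revision="1001">
<author>dev</author><date>2008-01-10T10:00:00.000000Z</date>
<paths><path action="M" kind="file">/trunk/java/Example1.java</path></paths>
<msg>Fix invalid header handling in request parsing</msg>
</logentry>
<logentry revision="1002">
<author>dev</author><date>2008-01-12T10:00:00.000000Z</date>
<paths>
<path action="M" kind="file">/trunk/docs/changelog.xml</path>
<path action="M" kind="file">/trunk/java/Example2.java</path>
<path action="A" kind="file">/trunk/java/Example3.java</path>
</paths>
<msg>Fix CVE-2008-0002 (placeholder message for the sample)</msg>
</logentry>
<logentry revision="1003">
<author>dev</author><date>2008-01-15T10:00:00.000000Z</date>
<paths><path action="M" kind="file">/trunk/build.xml</path></paths>
<msg>Update build script</msg>
</logentry>
</log>
"""


def find_fix_revisions(log_xml, terms):
    """Return [(revision, message, [(action, path), ...])] for every log entry
    whose commit message mentions any of `terms`, matched case-insensitively.
    `terms` may mix CVE ids and phrases lifted from changelog entries, since a
    commit message often carries the changelog wording but not the CVE id."""
    patterns = [re.compile(re.escape(t), re.IGNORECASE) for t in terms]
    hits = []
    for entry in ET.fromstring(log_xml).findall("logentry"):
        msg = (entry.findtext("msg") or "").strip()
        if not any(p.search(msg) for p in patterns):
            continue
        paths = [(p.get("action"), p.text) for p in entry.findall("paths/path")]
        hits.append((int(entry.get("revision")), msg, paths))
    return sorted(hits)


def changed_source_files(hits, skip_suffixes=("changelog.xml",)):
    """Flatten hits to a sorted list of changed paths, dropping the changelog
    edit that usually accompanies a security fix so only code files remain."""
    return sorted({path for _, _, paths in hits for _, path in paths
                   if not path.endswith(skip_suffixes)})
```

On a real checkout, `svn log --xml --verbose -r START:END` produces the input, and `svn diff --summarize -c REV` lists the same paths for one revision once it has been identified.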