[VIM] what a tangled web of code we weave

security curmudgeon jericho at attrition.org
Sat Mar 4 04:16:43 EST 2006

While digging around tonight, ran into this sequence of links trying to 
find where the real vulnerability was:

sux0r 1.6 was released to fix a vuln [1]
this was due to a vuln in MagpieRSS, which v 0.72 fixed [2]
the MagpieRSS issue was due to a vuln in Snoopy [3]

At this point, the sux0r release was linked two steps back to Snoopy, via 
MagpieRSS. Also attached to the same original vulnerability:

Ampache was also found to be using Snoopy [4]
Jinzora was also found to be using Snoopy [5]

Obviously, most people in the industry who read Bugtraq or F-D for vuln 
info didn't see all of this. This is a pretty good case where some 
vulnerability databases show their worth in followup research and 

I wonder if the authors of sux0r know that one of the packages they use, 
also uses other packages. This makes me wonder how many layers deep some 
of the software goes these days. Imagine having a really accurate mapping 
of such relationships and integration, that would let us see just how far 
one vulnerability can spread into different codebases.

[1] http://sourceforge.net/forum/forum.php?forum_id=546886
[2] http://sourceforge.net/project/shownotes.php?release_id=368750&group_id=55691
[3] http://www.sec-consult.com/216.html
[4] http://www.secunia.com/advisories/17779/
[5] http://sourceforge.net/project/shownotes.php?release_id=375385

More information about the VIM mailing list