Openscap can report false positives
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openscap (Ubuntu) |
Fix Released
|
Medium
|
Eduardo Barretto | ||
Xenial |
Fix Released
|
Medium
|
Eduardo Barretto | ||
Bionic |
Fix Released
|
Medium
|
Eduardo Barretto | ||
Focal |
Fix Released
|
Medium
|
Eduardo Barretto | ||
Groovy |
Fix Released
|
Medium
|
Eduardo Barretto | ||
Hirsute |
Fix Released
|
Medium
|
Eduardo Barretto |
Bug Description
[Impact]
Openscap didn't implement Debian package version comparison algorithm.
This can cause a user/client to get false positive results when running
oscap.
For example, we have a system running Bionic, with package "foo" version
1.2.3-4ubuntu1~
"foo" on version 1.2.3-4ubuntu1. If oscap compares both version it would
would return "false", meaning that "foo" is not vulnerable, which is not
correct as 1.2.3-4ubuntu1 is greater than the installed version
1.2.3-4ubuntu1~
$ dpkg --compare-versions 1.2.3-4ubuntu1 gt 1.2.3-4ubuntu1~
TRUE
If a client relies on software like openscap to decide when to upgrade their system (especially for clients that need to have a downtime to upgrade packages), openscap could be giving the wrong information and causing unnecessary downtimes, or even showing the system as vulnerable, when it isn't or vice-versa.
[Test Case]
Attached to this bug is a zip file that contains oval data for 3 different
packages (gdcm, gnutls28 and openssl) with specific CVE data for each (
CVE-2016-5300, CVE-2018-10845 and CVE-2020-1968). This data* is for Bionic
only.
The test consists of comparing the installed version of the mentioned
packages, to different versions where the CVE could have been fixed.
For more info on the test data see:
https:/
Testing procedure (Bionic):
$ sudo apt update
$ sudo apt install libopenscap8
$ sudo apt install libgdcm2.8 openssl libgnutls30
$ tar -xzf test-data.tar.gz
$ cd test-data/
$ ./run.sh
Here is a diff between the results of the test, between current openscap
and the openscap with the algorithm fix:
https:/
*PS: This data doesn't reflect the reality of those vulnerabilities and it
should only be used for test purposes.
[Where problems could occur]
The patches only touch the comparison algorithm, so any regressions that it might have, might impact the comparison, generating false positives too.
[Other Info]
This affects all releases of Ubuntu, from Xenial to Hirsute.
The versioning algorithm implemented is based on dpkg's algorithm.
Upstream accepted and merged the Debian version comparison algorithm to
its maint-1.3 branch and it should make it to 1.3.5 version whenever it
gets released.
description: | updated |
Changed in openscap (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in openscap (Ubuntu Bionic): | |
importance: | Undecided → Medium |
Changed in openscap (Ubuntu Focal): | |
importance: | Undecided → Medium |
Changed in openscap (Ubuntu Groovy): | |
importance: | Undecided → Medium |
Changed in openscap (Ubuntu Hirsute): | |
importance: | Undecided → Medium |
tags: |
added: verification-done verification-done-bionic verification-done-focal verification-done-groovy verification-done-xenial removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy verification-needed-xenial |
The attachment "xenial.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]