[SRU] Allow openscap to be less strict about epoch digit and able to build security certification projects
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openscap (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Trusty |
Fix Released
|
Undecided
|
Unassigned | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
Jammy |
Fix Released
|
Undecided
|
Unassigned | ||
Kinetic |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
Back in [1] where we added dpkg version comparison algorithm, we were too strict about the epoch number, where oscap would return an error message if no epoch number was provided. This SRU backports the fix provided to upstream [2] and released with openscap 1.3.7, meaning lunar is not affected by it.
[Test Case]
Attached to this bug is a zip file that contains OVAL data for one package (expat) and data of one CVE (CVE-2022-43680). The OVAL data is in both OCI
and non-OCI format.
The test consists of comparing the installed version of the mentioned
packages, to different versions where the CVE could have been fixed.
Testing procedure (Bionic):
$ sudo apt update
$ sudo apt install libopenscap8
$ sudo apt install libexpat1
$ tar -xzf test-data.tar.gz
$ cd test-data/
$ ./run.sh
Here is the output of the test, with current openscap in jammy:
$ ./run.sh
oscap oval eval com.ubuntu.
Definition oval:com.
Definition oval:com.
OpenSCAP Error: Invalid epoch. [../../
oscap oval eval oci.com.
Definition oval:com.
OpenSCAP Error: Invalid epoch. [../../
and the output of the test, with patched openscap in jammy:
$ ./run.sh
oscap oval eval com.ubuntu.
Definition oval:com.
Definition oval:com.
Evaluation done.
oscap oval eval oci.com.
Definition oval:com.
Evaluation done.
[Where problems could occur]
The patch touches the comparison algorithm, so any regressions that it might have, might impact the comparison and scanning results.
[Other Info]
The epoch issue affects all releases from Bionic to Kinetic, and it also Trusty ESM and Xenial ESM and we will be handling those in the ESM PPAs.
The versioning algorithm implemented is based on dpkg's algorithm.
Upstream accepted and merged the Debian epoch fix to its maint-1.3 branch and it already made into 1.3.7 version [3]
[1] https:/
[2] https:/
[3] https:/
description: | updated |
description: | updated |
summary: |
- Allow openscap to be less strict about epoch digit and able to build - security certification projects + [SRU] Allow openscap to be less strict about epoch digit and able to + build security certification projects |
description: | updated |
Changed in openscap (Ubuntu Trusty): | |
status: | Confirmed → In Progress |
Changed in openscap (Ubuntu Xenial): | |
status: | Confirmed → In Progress |
description: | updated |
Changed in openscap (Ubuntu Trusty): | |
status: | In Progress → Fix Committed |
Changed in openscap (Ubuntu Xenial): | |
status: | In Progress → Fix Committed |
tags: |
added: verification-done-bionic verification-done-focal verification-done-jammy verification-done-kinetic removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-kinetic |
Changed in openscap (Ubuntu): | |
status: | Confirmed → Fix Released |
Sponsored to -proposed for bionic, focal, jammy and kinetic