check-cves handles esm-apps incorrectly when a fix landed before the devel release

Bug #2012327 reported by Steve Beattie
Affects: Ubuntu CVE Tracker | Status: Fix Committed | Importance: High | Assigned to: Alex Murray

Bug Description

When a CVE has been issued for an older issue where the fix landed in a release earlier than the devel release, check-cves / active-edit is setting the state of the esm-apps releases incorrectly.

An example CVE that I hit today where this occurs is for CVE-2021-46877 affecting jackson-databind:

$ ./scripts/check-cves --cve CVE-2021-46877 nvdcve-1.1-2021.json
Loading /home/steve/git/cve_trackers/debian-security-tracker/data/CVE/list ...
Loading nvdcve-1.1-2021.json ...
 97% [==================================================================================================== ] 130438317 ETA: 0:00:00

***********************************************************************
 CVE-2021-46877 (1/1: 100%)
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46877
***********************************************************************
 Published: 2023-03-18 22:15:00 UTC
 MISC: https://github.com/FasterXML/jackson-databind/issues/3328
 MISC: https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw

======================== CVE details ==========================
 CVE-2021-46877
 jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

======================= Debian details ========================
 Debian CVE Tracker: FOUND
        NOTE: https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
        NOTE: https://github.com/FasterXML/jackson-databind/issues/3328
        NOTE: https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-2.12.6)
        NOTE: https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-3.13.1)
  Debian: jackson-databind: 2.13.2.2-1 (needs-triage)
    Ubuntu: jackson-databind | 2.9.8-1~18.04 | bionic-updates/universe
    Ubuntu: jackson-databind | 2.10.2-1 | focal/universe
    Ubuntu: jackson-databind | 2.13.0-2 | jammy/universe
    Ubuntu: jackson-databind | 2.13.2.2-1 | kinetic/universe
    Ubuntu: jackson-databind | 2.14.0-1 | lunar/universe

A]dd (or R]epeat), I]gnore forever, S]kip for now, or Q]uit? [add]
Package(s) affected? [jackson-databind]

# This results in the following CVE file being generated:

  Candidate: CVE-2021-46877
  PublicDate: 2023-03-21
  References:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46877
   https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
   https://github.com/FasterXML/jackson-databind/issues/3328
   https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-2.12.6)
   https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-3.13.1)
  Description:
   jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before
   2.13.1 allows attackers to cause a denial of service (2 GB transient heap
   usage per read) in uncommon situations involving JsonNode JDK
   serialization.
  Ubuntu-Description:
  Notes:
  Mitigation:
  Bugs:
  Priority: untriaged
  Discovered-by:
  Assigned-to:
  CVSS:

  Patches_jackson-databind:
  upstream_jackson-databind: released (2.13.2.2-1)
  trusty_jackson-databind: ignored (out of standard support)
  xenial_jackson-databind: ignored (out of standard support)
  bionic_jackson-databind: needs-triage
  focal_jackson-databind: needs-triage
  jammy_jackson-databind: needs-triage
  kinetic_jackson-databind: not-affected (2.13.2.2-1)
  trusty/esm_jackson-databind: not-affected
  esm-apps/xenial_jackson-databind: not-affected
  esm-apps/bionic_jackson-databind: not-affected
  esm-apps/focal_jackson-databind: not-affected
  esm-apps/jammy_jackson-databind: not-affected
  devel_jackson-databind: not-affected

Note that the version Debian noted as fixed landed in the kinetic cycle, so check-cves or active_edit correctly marked that release as not-affected with the version, and then attempted to mark all later releases (which would just be the devel release (lunar)), but instead marked trusty/esm and all the esm-apps releases as not-affected, rather than the needs-triage that they should be.

Steve Beattie (sbeattie)
description: updated
Alex Murray (alexmurray) wrote :

Ugh.. so this is because of the following code in active_edit (which I think I cribbed from check-cves originally?) - https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/active_edit#n117 - which basically assumes that releases which come after the one where it was fixed are also fixed - so perhaps it would be sufficient to just sort the list of release names by the date they were created / released or similar?

Alex Murray (alexmurray) wrote :
Changed in ubuntu-cve-tracker:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Alex Murray (alexmurray)
Alex Murray (alexmurray)
Changed in ubuntu-cve-tracker:
status: In Progress → Fix Committed
Steve Beattie (sbeattie) wrote :

Hey, thanks for landing the merge request. I do get slightly different sorting behavior than what you demonstrated; doing:

  rm active/CVE-2021-46877 && \
  unset CHECK_CVES_EXPERIMENTAL && \
  ./scripts/check-cves --cve CVE-2021-46877 nvdcve-1.1-2021.json

now nets me the following package section sort order:

Patches_jackson-databind:
upstream_jackson-databind: released (2.13.2.2-1)
trusty_jackson-databind: ignored (out of standard support)
trusty/esm_jackson-databind: needs-triage
esm-apps/xenial_jackson-databind: needs-triage
xenial_jackson-databind: ignored (out of standard support)
bionic_jackson-databind: needs-triage
esm-apps/bionic_jackson-databind: needs-triage
esm-apps/focal_jackson-databind: needs-triage
focal_jackson-databind: needs-triage
esm-apps/jammy_jackson-databind: needs-triage
jammy_jackson-databind: needs-triage
kinetic_jackson-databind: not-affected (2.13.2.2-1)
devel_jackson-databind: not-affected

Note the difference for bionic. Do you have any idea what's happening there?

Alex Murray (alexmurray) wrote :

Yep - so when I originally created the merge proposal it didn't have the logic to sort by both the release stamp *and* the release name - so things with the same release stamp would get sorted in some random order with respect to each other. Now they sort with the name so bionic gets sorted before esm-apps/bionic - I had wondered if I should do something like 'if release name contains a / sort later than those that don't' but I couldn't figure out a good way to do that (although thinking about it more, perhaps we could just add 1 to the release stamp in that case so they look slightly newer?)
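The ordering problem discussed in the two comments above, as an added illustration that is not ubuntu-cve-tracker's own code: the "later in the list means fixed too" rule is applied once to the raw release list (reproducing the esm-apps mis-marking from the bug description) and once to the list sorted by release stamp with "/" names sorting after their base release (the tie-breaker Alex was considering). The release list, the YYYYMM stamps and the out-of-support set are constructed assumptions for the example.

```python
# Added example, not the tracker's code. Release stamps below are constructed
# YYYYMM approximations, an assumption made only for this illustration.

# Constructed: release names in the order the generated CVE file prints them.
RELEASES = ["trusty", "xenial", "bionic", "focal", "jammy", "kinetic",
            "trusty/esm", "esm-apps/xenial", "esm-apps/bionic",
            "esm-apps/focal", "esm-apps/jammy", "devel"]

# Constructed release stamps; an ESM variant shares its base release's stamp.
STAMP = {"trusty": 201404, "xenial": 201604, "bionic": 201804,
         "focal": 202004, "jammy": 202204, "kinetic": 202210, "devel": 202304}

OUT_OF_SUPPORT = {"trusty", "xenial"}  # plain releases marked ignored


def base_name(rel):
    """'esm-apps/bionic' -> 'bionic', 'trusty/esm' -> 'trusty', 'devel' -> 'devel'."""
    return next(p for p in rel.split("/") if p not in ("esm", "esm-apps"))


def release_key(rel):
    """Order by release stamp first; a '/' name (ESM) sorts after its base
    release, and the name itself breaks any remaining ties."""
    return (STAMP[base_name(rel)], "/" in rel, rel)


def derive_states(fixed_rel, fixed_ver, ordered):
    """Mark fixed_rel and everything *after it in `ordered`* not-affected.
    This is only right when `ordered` really is chronological."""
    states, after_fix = {}, False
    for rel in ordered:
        if rel == fixed_rel:
            states[rel] = f"not-affected ({fixed_ver})"
            after_fix = True
        elif after_fix:
            states[rel] = "not-affected"
        elif "/" not in rel and base_name(rel) in OUT_OF_SUPPORT:
            states[rel] = "ignored (out of standard support)"
        else:
            states[rel] = "needs-triage"
    return states


def buggy_states(fixed_rel, fixed_ver):
    """Original behaviour: file order mistaken for release order."""
    return derive_states(fixed_rel, fixed_ver, RELEASES)


def fixed_states(fixed_rel, fixed_ver):
    """Corrected behaviour: order by release stamp before applying the rule."""
    return derive_states(fixed_rel, fixed_ver, sorted(RELEASES, key=release_key))
```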

Alex Murray (alexmurray) wrote :

Thoughts on the attached change?
