check-cves handles esm-apps incorrectly when a fix landed before the devel release
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu CVE Tracker | Fix Committed | High | Alex Murray |
Bug Description
When a CVE has been issued for an older issue where the fix landed in a release earlier than the devel release, check-cves / active-edit is setting the state of the esm-apps releases incorrectly.
An example CVE that I hit today where this occurs is for CVE-2021-46877 affecting jackson-databind:
$ ./scripts/
Loading /home/steve/
Loading nvdcve-
97% [======
*******
CVE-2021-46877 (1/1: 100%)
https:/
*******
Published: 2023-03-18 22:15:00 UTC
MISC: https:/
MISC: https:/
=======
CVE-2021-46877
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
=======
Debian CVE Tracker: FOUND
NOTE: https:/
NOTE: https:/
NOTE: https:/
NOTE: https:/
Debian: jackson-databind: 2.13.2.2-1 (needs-triage)
Ubuntu: jackson-databind | 2.9.8-1~18.04 | bionic-
Ubuntu: jackson-databind | 2.10.2-1 | focal/universe
Ubuntu: jackson-databind | 2.13.0-2 | jammy/universe
Ubuntu: jackson-databind | 2.13.2.2-1 | kinetic/universe
Ubuntu: jackson-databind | 2.14.0-1 | lunar/universe
A]dd (or R]epeat), I]gnore forever, S]kip for now, or Q]uit? [add]
Package(s) affected? [jackson-databind]
# This results in the following CVE file generated:
Candidate: CVE-2021-46877
PublicDate: 2023-03-21
References:
https:/
https:/
https:/
https:/
https:/
Description:
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before
2.13.1 allows attackers to cause a denial of service (2 GB transient heap
usage per read) in uncommon situations involving JsonNode JDK
serialization.
Ubuntu-
Notes:
Mitigation:
Bugs:
Priority: untriaged
Discovered-by:
Assigned-to:
CVSS:
Patches_
upstream_
trusty_
xenial_
bionic_
focal_
jammy_
kinetic_
trusty/
esm-apps/
esm-apps/
esm-apps/
esm-apps/
devel_
Note that the version Debian recorded as fixed landed in the kinetic cycle, so check-cves / active_edit correctly marked kinetic as not-affected with that version and then attempted to mark all later releases (which should only be the devel release, lunar). Instead it marked trusty/esm and all the esm-apps releases as not-affected, rather than needs-triage as they should be.
Related branches
- Steve Beattie: Approve
- Diff: 238 lines (+66/-34), 3 files modified: scripts/active_edit (+1/-1), scripts/cve_lib.py (+39/-33), scripts/test_cve_lib.py (+26/-0)
Changed in ubuntu-cve-tracker: description updated; status: In Progress → Fix Committed
Ugh... so this is because of the following code in active_edit (which I think I cribbed from check-cves originally?) - https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/active_edit#n117 - which basically assumes that releases which come after the one where it was fixed are also fixed - so perhaps it would be sufficient to just sort the list of release names by the date they were created / released or similar?
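As an added illustration (not code from ubuntu-cve-tracker) of the ordering problem described in the bug report and the comment above: `mark_buggy` mirrors the "everything after the fixed release in the list is fixed" assumption, while `mark_by_date` applies the release-date ordering the comment suggests. The release list, the `devel` name and the release dates are assumptions constructed for the example.

```python
from datetime import date

# Constructed for this example: the order in which the tool walks the
# release list, mirroring the generated CVE file above (regular releases,
# then the ESM entries, then devel). Not the tracker's real data structure.
RELEASE_ORDER = [
    "trusty", "xenial", "bionic", "focal", "jammy", "kinetic",
    "trusty/esm", "esm-apps/xenial", "esm-apps/bionic",
    "esm-apps/focal", "esm-apps/jammy", "devel",
]
DEVEL = "lunar"  # assumed development release at the time of the report

# Ubuntu release dates (illustrative; only their ordering matters here).
RELEASE_DATE = {
    "trusty": date(2014, 4, 17), "xenial": date(2016, 4, 21),
    "bionic": date(2018, 4, 26), "focal": date(2020, 4, 23),
    "jammy": date(2022, 4, 21), "kinetic": date(2022, 10, 20),
    "lunar": date(2023, 4, 20),
}


def base_release(rel):
    """Map an entry such as 'esm-apps/focal' or 'trusty/esm' to its base release."""
    if rel == "devel":
        return DEVEL
    head, _, tail = rel.partition("/")
    if not tail:
        return rel
    return tail if head.startswith("esm") else head  # esm-apps/focal vs trusty/esm


def mark_buggy(fixed_release, version):
    """List-order logic: every entry *after* the fixed release is treated as
    fixed, so the ESM entries that follow it are wrongly marked not-affected."""
    idx = RELEASE_ORDER.index(fixed_release)
    return {rel: f"not-affected ({version})" if i >= idx else "needs-triage"
            for i, rel in enumerate(RELEASE_ORDER)}


def mark_by_date(fixed_release, version):
    """Date-order logic: an entry is fixed only if its base release is the
    same as, or newer than, the release where the fix landed."""
    fixed_on = RELEASE_DATE[base_release(fixed_release)]
    return {rel: f"not-affected ({version})"
            if RELEASE_DATE[base_release(rel)] >= fixed_on else "needs-triage"
            for rel in RELEASE_ORDER}


def misclassified(fixed_release, version):
    """Entries whose state differs between the two approaches."""
    a, b = mark_buggy(fixed_release, version), mark_by_date(fixed_release, version)
    return sorted(rel for rel in RELEASE_ORDER if a[rel] != b[rel])
```

For the CVE-2021-46877 case (fix in kinetic as 2.13.2.2-1), `misclassified("kinetic", "2.13.2.2-1")` returns exactly the trusty/esm and esm-apps entries the report lists as wrongly set to not-affected.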