oscap is broken in ubuntu 19.10

Bug #1851682 reported by god
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
openscap (Ubuntu) | Fix Released | Low | Unassigned |
Bionic | Fix Released | Low | Unassigned |
Focal | Fix Released | Low | Unassigned |
Groovy | Fix Released | Low | Unassigned |

Bug Description

[Impact]

The bug causes oscap to fail to run with OVAL files produced by the Ubuntu Security team.

This is the upstream issue: https://github.com/OpenSCAP/openscap/issues/1367

The fix is simple and I've tested it under bionic, eoan, and focal.

The patch corrects a typo or copy/paste error in the original code.
https://github.com/OpenSCAP/openscap/commit/5e5bc61c1fc6a6556665aa5689a62d6bc6487c74

[Test Case]

This can be reproduced on eoan and focal by following the instructions for using ubuntu security oval data here: https://people.canonical.com/~ubuntu-security/oval/

The bug does not manifest directly in bionic, but if you include libopenscap8 in a snap based on core18, the version of oscap in the snap will produce the same behavior when you run the snap on eoan or focal.

[Regression Potential]

The potential for regression seems low in this case. I've built the deb locally for bionic, eoan, and focal and smoke tested it in VMs using the ubuntu security OVAL files and the test file from the comment below https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1851682/comments/2

If a regression were to exist, it would likely manifest itself with a runtime error much like the original problem.

############################################
ORIGINAL BUG REPORT BELOW
###########################################
oscap segfaults while trying to check using ubuntu-security definitions:

The command:
oscap oval eval --report /tmp/oscap_report.html /var/tmp/com.ubuntu.eoan.cve.oval.xml

Segfault:
...
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Probe with PID=26379 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=26379 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Unable to close probe sd [../../../src/OVAL/oval_probe_ext.c:424]
Unable to receive a message from probe [../../../src/OVAL/oval_probe_ext.c:579]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Probe with PID=26393 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=26393 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Unable to close probe sd [../../../src/OVAL/oval_probe_ext.c:424]
Unable to receive a message from probe [../../../src/OVAL/oval_probe_ext.c:579]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]

The OVAL definitions are taken directly from https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.eoan.cve.oval.xml

Version:
oscap --version
OpenSCAP command line tool (oscap) 1.2.16
Copyright 2009--2017 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1

==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/lib/x86_64-linux-gnu/openscap
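
An added example, not part of the original report or of OpenSCAP: a small triage helper that reads oscap's stderr in the format quoted above and flags a run whose probes crashed, so a report produced by such a run is not mistaken for a clean scan. The function name, the sample input and the "trustworthy" rule are assumptions made for illustration.

```python
import re
import sys

# Constructed sample, in the stderr format quoted in the report above.
SAMPLE_STDERR = """\
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Probe with PID=26379 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=26379 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Unable to close probe sd [../../../src/OVAL/oval_probe_ext.c:424]
Unable to receive a message from probe [../../../src/OVAL/oval_probe_ext.c:579]
Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
Probe with PID=26393 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
"""

# Patterns match the message prefixes seen in the report; the bracketed
# source location is ignored because it differs between builds.
KILLED = re.compile(r"Probe with PID=(\d+) has been killed with signal (\d+)")
INVALID = re.compile(r"Invalid oval result type: (-?\d+)\.")
LOST = "Unable to receive a message from probe"


def triage(stderr_text):
    """Summarise probe failures in oscap stderr (hypothetical helper)."""
    killed = {}   # probe PID -> signal number
    invalid = 0   # count of invalid result-type messages
    lost = 0      # probe replies that never arrived
    for line in stderr_text.splitlines():
        line = line.strip()
        m = KILLED.match(line)
        if m:
            killed[int(m.group(1))] = int(m.group(2))
        elif INVALID.match(line):
            invalid += 1
        elif line.startswith(LOST):
            lost += 1
    return {
        "killed_probes": killed,
        "invalid_results": invalid,
        "lost_messages": lost,
        # Assumed rule: any of these means the report is incomplete.
        "trustworthy": not killed and invalid == 0 and lost == 0,
    }


if __name__ == "__main__":
    # Usage: oscap oval eval ... 2>&1 | python3 this_file.py
    text = SAMPLE_STDERR if sys.stdin.isatty() else sys.stdin.read()
    summary = triage(text)
    print(summary)
    sys.exit(0 if summary["trustworthy"] else 1)
```
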

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openscap (Ubuntu):
status: New → Confirmed
Mark Morlino (markmorlino) wrote :

I created a test OVAL file to dig into this a little bit more.

$ cat com.ubuntu.test.cve.oval.xml
<oval_definitions
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
    xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#macos linux-definitions-schema.xsd">

    <generator>
        <oval:product_name>Canonical CVE OVAL Generator</oval:product_name>
        <oval:product_version>1.1</oval:product_version>
        <oval:schema_version>5.11.1</oval:schema_version>
        <oval:timestamp>2020-03-03T10:37:20</oval:timestamp>
    </generator>

    <definitions>
        <definition class="vulnerability" id="oval:com.ubuntu.test:def:200" version="1">
            <metadata>
                <title>CVE-1970-0200 on Ubuntu - high.</title>
                <description>OVAL TEST
    To simulate a vunlerable package with no available patch being installed on the system.
    Checks for the 'linux-doesnotexist-base' package to be installed on the system.
    There is no 'linux-doesnotexist-base' package so it will never be installed.
    This test should always return false (not vulnerable) and appear green in the report.</description>
                <affected family="unix">
                    <platform>Ubuntu</platform>
                </affected>
                <advisory>
                    <severity>High</severity>
                    <rights>Copyright (C) 2018 Canonical Ltd.</rights>
                    <public_date>2018-01-24 10:29:00 UTC</public_date>
                </advisory>
            </metadata>
            <criteria>
                <criterion test_ref="oval:com.ubuntu.test:tst:200" comment="linux-doesnotexist-base package is affected and needs fixing." />
            </criteria>
        </definition>
        <definition class="vulnerability" id="oval:com.ubuntu.test:def:300" version="1">
            <metadata>
                <title>CVE-1970-0300 on Ubuntu - high.</title>
                <description>OVAL TEST
    This is the opposite of the previous test, just to confirm that oscap correct detects the installed package
    Checks for the 'linux-base' package to be installed on the system.
    There should always be a 'linux-base' package installed.
    This test should always return true (vulnerable) and appear red/orange in the report.</description>
                <affected family="unix">
                    <platform>Ubuntu</platform>
                </affected>
                <advisory>
                    <severity>Hi...

Mark Morlino (markmorlino) wrote :
description: updated
Mark Morlino (markmorlino) wrote :
Mark Morlino (markmorlino) wrote :
description: updated
Mathew Hodson (mhodson)
Changed in openscap (Ubuntu Bionic):
importance: Undecided → Low
Changed in openscap (Ubuntu Eoan):
importance: Undecided → Low
Changed in openscap (Ubuntu Focal):
importance: Undecided → Low
Seth Arnold (seth-arnold) wrote :

Because the focal change wasn't picked up before 20.04 LTS's release, groovy will probably need a fix, too, before these packages can be released.

Thanks

Simon Quigley (tsimonq2)
Changed in openscap (Ubuntu Groovy):
status: Confirmed → Fix Released
no longer affects: openscap (Ubuntu Eoan)
Simon Quigley (tsimonq2) wrote :

This has already been fixed in Groovy, and Eoan just went EOL.

I have uploaded your patches to Focal and Bionic, and they are waiting in the respective queues. I tweaked the version numbers and made sure the LP bug number was in the changelog, following SRU policy. I also changed bionic-security to bionic in your Bionic diff changelog, since in order for it to be SRU'ed it can't go directly to -security.

In the future, try to follow DEP-3 patch headers. It makes it easier for others to review your patch, for uploading and further maintenance. You can find more details here: https://dep-team.pages.debian.net/deps/dep3/

Also, please look at the Security Team document for version numbers: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

Thank you for your contribution!

Brian Murray (brian-murray) wrote : Please test proposed package

Hello god, or anyone else affected,

Accepted openscap into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openscap/1.2.16-2ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openscap (Ubuntu Focal):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-focal
Brian Murray (brian-murray) wrote :

Hello god, or anyone else affected,

Accepted openscap into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openscap/1.2.15-1ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openscap (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Joy Latten (j-latten)
tags: added: verification-done-bionic
removed: verification-needed-bionic
tags: added: verification-done-focal
removed: verification-needed-focal
Joy Latten (j-latten) wrote :

Verified this on both bionic and focal.

Testcase: (focal)

$ dpkg -l | grep libopenscap8
ii libopenscap8 1.2.16-2ubuntu3.1 amd64 Set of libraries enabling integration of the SCAP line of standards

$ oscap oval eval --report cve-report.html com.ubuntu.focal.cve.oval.xml

The scan was successful and generated a report.

Testcase: (bionic)

$ dpkg -l | grep libopenscap8
ii libopenscap8 1.2.15-1ubuntu0.2 amd64 Set of libraries enabling integration of the SCAP line of standards

$ oscap oval eval --report cve-report.html com.ubuntu.bionic.cve.oval.xml

The scan was successful and generated a report.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openscap - 1.2.16-2ubuntu3.1

---------------
openscap (1.2.16-2ubuntu3.1) focal; urgency=medium

  * debian/patches/5e5bc61c1fc6a6556665aa5689a62d6bc6487c74.patch: Fix
    dangling '*' in dpkginfo_free_reply declaration (LP: #1851682).

 -- Mark Morlino <email address hidden> Wed, 25 Mar 2020 14:39:37 -0400

Changed in openscap (Ubuntu Focal):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for openscap has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openscap - 1.2.15-1ubuntu0.2

---------------
openscap (1.2.15-1ubuntu0.2) bionic; urgency=medium

  * debian/patches/5e5bc61c1fc6a6556665aa5689a62d6bc6487c74.patch: Fix
    dangling '*' in dpkginfo_free_reply declaration (LP: #1851682).

 -- Mark Morlino <email address hidden> Wed, 25 Mar 2020 09:53:38 -0400

Changed in openscap (Ubuntu Bionic):
status: Fix Committed → Fix Released