2021-01-14 17:31:51 |
Eduardo Barretto |
bug |
|
|
added bug |
2021-01-14 17:31:51 |
Eduardo Barretto |
attachment added |
|
test-data.tar.gz https://bugs.launchpad.net/bugs/1911791/+attachment/5453045/+files/test-data.tar.gz |
|
2021-01-14 17:32:29 |
Eduardo Barretto |
attachment added |
|
xenial.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791/+attachment/5453046/+files/xenial.debdiff |
|
2021-01-14 17:32:46 |
Eduardo Barretto |
attachment added |
|
bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791/+attachment/5453047/+files/bionic.debdiff |
|
2021-01-14 17:33:00 |
Eduardo Barretto |
attachment added |
|
focal.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791/+attachment/5453048/+files/focal.debdiff |
|
2021-01-14 17:33:31 |
Eduardo Barretto |
attachment added |
|
groovy.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791/+attachment/5453049/+files/groovy.debdiff |
|
2021-01-14 17:33:48 |
Eduardo Barretto |
attachment added |
|
hirsute.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791/+attachment/5453050/+files/hirsute.debdiff |
|
2021-01-14 20:30:51 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2021-01-14 20:30:58 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2021-01-14 20:42:18 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2021-01-15 12:32:41 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Groovy |
|
2021-01-15 12:32:41 |
Marc Deslauriers |
bug task added |
|
openscap (Ubuntu Groovy) |
|
2021-01-15 12:32:41 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Hirsute |
|
2021-01-15 12:32:41 |
Marc Deslauriers |
bug task added |
|
openscap (Ubuntu Hirsute) |
|
2021-01-15 12:32:41 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Bionic |
|
2021-01-15 12:32:41 |
Marc Deslauriers |
bug task added |
|
openscap (Ubuntu Bionic) |
|
2021-01-15 12:32:41 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Xenial |
|
2021-01-15 12:32:41 |
Marc Deslauriers |
bug task added |
|
openscap (Ubuntu Xenial) |
|
2021-01-15 12:32:41 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Focal |
|
2021-01-15 12:32:41 |
Marc Deslauriers |
bug task added |
|
openscap (Ubuntu Focal) |
|
2021-01-15 12:32:53 |
Marc Deslauriers |
openscap (Ubuntu Xenial): status |
New |
Confirmed |
|
2021-01-15 12:32:59 |
Marc Deslauriers |
openscap (Ubuntu Xenial): status |
Confirmed |
In Progress |
|
2021-01-15 12:33:01 |
Marc Deslauriers |
openscap (Ubuntu Bionic): status |
New |
In Progress |
|
2021-01-15 12:33:03 |
Marc Deslauriers |
openscap (Ubuntu Focal): status |
New |
In Progress |
|
2021-01-15 12:33:06 |
Marc Deslauriers |
openscap (Ubuntu Groovy): status |
New |
In Progress |
|
2021-01-15 12:33:09 |
Marc Deslauriers |
openscap (Ubuntu Hirsute): status |
New |
In Progress |
|
2021-01-15 12:33:23 |
Marc Deslauriers |
openscap (Ubuntu Xenial): assignee |
|
Eduardo Barretto (ebarretto) |
|
2021-01-15 12:33:31 |
Marc Deslauriers |
openscap (Ubuntu Bionic): assignee |
|
Eduardo Barretto (ebarretto) |
|
2021-01-15 12:33:39 |
Marc Deslauriers |
openscap (Ubuntu Focal): assignee |
|
Eduardo Barretto (ebarretto) |
|
2021-01-15 12:33:45 |
Marc Deslauriers |
openscap (Ubuntu Groovy): assignee |
|
Eduardo Barretto (ebarretto) |
|
2021-01-15 12:33:52 |
Marc Deslauriers |
openscap (Ubuntu Hirsute): assignee |
Ubuntu Sponsors Team (ubuntu-sponsors) |
Eduardo Barretto (ebarretto) |
|
2021-01-15 15:50:46 |
Eduardo Barretto |
description |
[Impact]
Openscap didn't implement Debian package version comparison algorithm.
This can cause a user/client to get false positive results when running
oscap.
For example, we have a system running Bionic, with package "foo" version
1.2.3-4ubuntu1~18.04.1 installed. Ubuntu fixed CVE-2020-XXXX on Bionic for
"foo" on version 1.2.3-4ubuntu1. If oscap compares both version it would
would return "false", meaning that "foo" is not vulnerable, which is not
correct as 1.2.3-4ubuntu1 is greater than the installed version
1.2.3-4ubuntu1~18.04.1.
$ dpkg --compare-versions 1.2.3-4ubuntu1 gt 1.2.3-4ubuntu1~18.04.1 && echo TRUE || echo FALSE
TRUE
[Test Case]
Attached to this bug is a zip file that contains oval data for 3 different
packages (gdcm, gnutls28 and openssl) with specific CVE data for each (
CVE-2016-5300, CVE-2018-10845 and CVE-2020-1968). This data* is for Bionic
only.
The test consists of comparing the installed version of the mentioned
packages, to different versions where the CVE could have been fixed.
For more info on the test data see:
https://pastebin.ubuntu.com/p/cVp2xcq9fs/
Testing procedure (Bionic):
$ sudo apt update
$ sudo apt install libopenscap8
$ sudo apt install libgdcm2.8 openssl libgnutls30
$ tar -xzf test-data.tar.gz
$ cd test-data/
$ ./run.sh
Here is a diff between the results of the test, between current openscap
and the openscap with the algorithm fix:
https://pastebin.ubuntu.com/p/38N8GsgZnf/
*PS: This data doesn't reflect the reality of those vulnerabilities and it
should only be used for test purposes.
[Where problems could occur]
Whenever a user or client relies on software like openscap to decide when
to update (and reboot it if needed) their system because it is vulnerable
to a CVE. Specially for clients that need to have a downtime to upgrade
packages, openscap could be giving them wrong information and causing
unnecessary downtimes.
Clients could also be vulnerable to a CVE and not know about it because of
a wrong openscap report.
[Other Info]
This affects all releases of Ubuntu, from Xenial to Hirsute.
The versioning algorithm implemented is based on dpkg's algorithm.
Upstream accepted and merged the Debian version comparison algorithm to
its maint-1.3 branch and it should make it to 1.3.5 version whenever it
gets released. |
[Impact]
Openscap didn't implement Debian package version comparison algorithm.
This can cause a user/client to get false positive results when running
oscap.
For example, we have a system running Bionic, with package "foo" version
1.2.3-4ubuntu1~18.04.1 installed. Ubuntu fixed CVE-2020-XXXX on Bionic for
"foo" on version 1.2.3-4ubuntu1. If oscap compares both version it would
would return "false", meaning that "foo" is not vulnerable, which is not
correct as 1.2.3-4ubuntu1 is greater than the installed version
1.2.3-4ubuntu1~18.04.1.
$ dpkg --compare-versions 1.2.3-4ubuntu1 gt 1.2.3-4ubuntu1~18.04.1 && echo TRUE || echo FALSE
TRUE
If a client relies on software like openscap to decide when to upgrade their system (especially for clients that need to have a downtime to upgrade packages), openscap could be giving the wrong information and causing unnecessary downtimes, or even showing the system as vulnerable, when it isn't or vice-versa.
[Test Case]
Attached to this bug is a zip file that contains oval data for 3 different
packages (gdcm, gnutls28 and openssl) with specific CVE data for each (
CVE-2016-5300, CVE-2018-10845 and CVE-2020-1968). This data* is for Bionic
only.
The test consists of comparing the installed version of the mentioned
packages, to different versions where the CVE could have been fixed.
For more info on the test data see:
https://pastebin.ubuntu.com/p/cVp2xcq9fs/
Testing procedure (Bionic):
$ sudo apt update
$ sudo apt install libopenscap8
$ sudo apt install libgdcm2.8 openssl libgnutls30
$ tar -xzf test-data.tar.gz
$ cd test-data/
$ ./run.sh
Here is a diff between the results of the test, between current openscap
and the openscap with the algorithm fix:
https://pastebin.ubuntu.com/p/38N8GsgZnf/
*PS: This data doesn't reflect the reality of those vulnerabilities and it
should only be used for test purposes.
[Where problems could occur]
The patches only touch the comparison algorithm, so any regressions that it might have, might impact the comparison, generating false positives too.
[Other Info]
This affects all releases of Ubuntu, from Xenial to Hirsute.
The versioning algorithm implemented is based on dpkg's algorithm.
Upstream accepted and merged the Debian version comparison algorithm to
its maint-1.3 branch and it should make it to 1.3.5 version whenever it
gets released. |
|
2021-01-15 15:56:27 |
Eduardo Barretto |
attachment added |
|
xenial.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791/+attachment/5453536/+files/xenial.debdiff |
|
2021-01-15 15:56:56 |
Eduardo Barretto |
attachment added |
|
bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791/+attachment/5453537/+files/bionic.debdiff |
|
2021-01-15 15:57:32 |
Eduardo Barretto |
attachment added |
|
focal.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791/+attachment/5453538/+files/focal.debdiff |
|
2021-01-15 15:57:53 |
Eduardo Barretto |
attachment added |
|
groovy.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791/+attachment/5453539/+files/groovy.debdiff |
|
2021-01-15 15:58:54 |
Eduardo Barretto |
attachment added |
|
hirsute.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791/+attachment/5453540/+files/hirsute.debdiff |
|
2021-01-15 17:21:01 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2021-01-15 23:17:53 |
Launchpad Janitor |
openscap (Ubuntu Hirsute): status |
In Progress |
Fix Released |
|
2021-01-16 23:47:27 |
Mathew Hodson |
openscap (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2021-01-16 23:47:30 |
Mathew Hodson |
openscap (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2021-01-16 23:47:32 |
Mathew Hodson |
openscap (Ubuntu Focal): importance |
Undecided |
Medium |
|
2021-01-16 23:47:34 |
Mathew Hodson |
openscap (Ubuntu Groovy): importance |
Undecided |
Medium |
|
2021-01-16 23:47:37 |
Mathew Hodson |
openscap (Ubuntu Hirsute): importance |
Undecided |
Medium |
|
2021-01-19 18:31:42 |
Brian Murray |
openscap (Ubuntu Groovy): status |
In Progress |
Fix Committed |
|
2021-01-19 18:31:46 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2021-01-19 18:31:48 |
Brian Murray |
tags |
patch |
patch verification-needed verification-needed-groovy |
|
2021-01-19 18:35:03 |
Brian Murray |
openscap (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2021-01-19 18:35:10 |
Brian Murray |
tags |
patch verification-needed verification-needed-groovy |
patch verification-needed verification-needed-focal verification-needed-groovy |
|
2021-01-19 18:36:01 |
Brian Murray |
openscap (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2021-01-19 18:36:09 |
Brian Murray |
tags |
patch verification-needed verification-needed-focal verification-needed-groovy |
patch verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy |
|
2021-01-19 18:37:22 |
Brian Murray |
openscap (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2021-01-19 18:37:29 |
Brian Murray |
tags |
patch verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy |
patch verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy verification-needed-xenial |
|
2021-01-19 18:38:01 |
Brian Murray |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2021-01-20 18:41:01 |
Eduardo Barretto |
cve linked |
|
2017-9763 |
|
2021-01-20 18:41:01 |
Eduardo Barretto |
cve linked |
|
2019-18348 |
|
2021-01-20 18:41:01 |
Eduardo Barretto |
cve linked |
|
2020-14779 |
|
2021-01-20 18:41:01 |
Eduardo Barretto |
cve linked |
|
2020-14781 |
|
2021-01-20 18:41:01 |
Eduardo Barretto |
cve linked |
|
2020-14782 |
|
2021-01-20 18:41:01 |
Eduardo Barretto |
cve linked |
|
2020-14792 |
|
2021-01-20 18:41:01 |
Eduardo Barretto |
cve linked |
|
2020-14796 |
|
2021-01-20 18:41:01 |
Eduardo Barretto |
cve linked |
|
2020-14797 |
|
2021-01-20 18:41:01 |
Eduardo Barretto |
cve linked |
|
2020-14798 |
|
2021-01-20 18:41:01 |
Eduardo Barretto |
cve linked |
|
2020-14803 |
|
2021-01-21 11:43:22 |
Eduardo Barretto |
tags |
patch verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy verification-needed-xenial |
patch verification-done verification-done-bionic verification-done-focal verification-done-groovy verification-done-xenial |
|
2021-01-26 22:27:58 |
Launchpad Janitor |
openscap (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
2021-01-26 22:28:03 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2021-01-26 22:31:20 |
Launchpad Janitor |
openscap (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2021-01-26 22:57:28 |
Launchpad Janitor |
openscap (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2021-01-26 23:03:54 |
Launchpad Janitor |
openscap (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|