Package: debsecan
Version: 0.4.20.1
Severity: normal

CVE-2022-4696 is listed in the tracker[0] as affecting both linux and
linux-5.10 source packages. The data debsecan creates out of that only
associates it to linux-5.10, though. This prevents that CVE from being
reported on a bullseye system with a vulnerable (< 5.10.162-1) kernel:

  root# dpkg -l *linux-image* | grep ii
  ii  linux-image-5.10.0-19-amd64-unsigned 5.10.149-2   amd64        Linux 5.10 for 64-bit PCs
  root# debsecan | grep CVE-2022-4696
  root# 

Tinkering a bit with the debsecan source code, we can see that
CVE-2022-4696 is internally referenced with id 35011, for which the
corresponding package line yields a reference tied only to linux-5.10:

  root# grep 35011 /tmp/debsecan-data-20230724.txt
  CVE-2022-4696 linux-5.10,35011,S   ,,5.10.162-1~deb10u1 5.10.178-3~deb10u1 5.10.179-1~deb10u1

Comparing with, for instance, CVE-2023-0615, which is linked in the
tracker[1] only to the linux source package and assigned the internal
id 35182, we can verify that debsecan properly reports it:

  root# grep 35182 /tmp/data
  linux,35182,S   ,6.1.4-1,4.19.282-1 5.10.158-1 5.10.158-2 5.10.162-1 5.10.178-1 5.10.178-3 5.10.179-1 5.10.179-2
  root# debsecan | grep CVE-2023-0615
  CVE-2023-0615 linux-image-5.10.0-19-amd64-unsigned

Cheers,

-- 
Seb

[0] https://security-tracker.debian.org/tracker/CVE-2022-4696
[1] https://security-tracker.debian.org/tracker/CVE-2023-0615

-- System Information:
Debian Release: 12.0
  APT prefers oldstable-security
  APT policy: (500, 'oldstable-security'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-8-amd64 (SMP w/36 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debsecan depends on:
ii  ca-certificates        20230311
ii  debconf [debconf-2.0]  1.5.82
ii  python3                3.11.2-1+b1
ii  python3-apt            2.5.3

Versions of packages debsecan recommends:
ii  cron [cron-daemon]              3.0pl1-162
ii  postfix [mail-transport-agent]  3.7.4-2

debsecan suggests no packages.
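As an added example that is not part of Seb's report or of debsecan's own code, the following Python models the matching step the report is about: a package line in the debsecan data names one source (or, with a 'B' flag, binary) package, and an installed package only matches an entry whose name equals the source package apt reports for it. It reimplements dpkg version ordering (epoch, upstream, revision, with '~' sorting first) so it runs without python3-apt. Assumptions not taken from the report: the field order `package,bug_id,flags,unstable_version,other_versions`, the rule that a version is vulnerable when it is below the unstable fix (if any) and is not exactly one of the other fixed versions, the binary-to-source mapping, and the extra `FIXED_LINE` keyed on source package `linux` (fixed version 5.10.162-1 is the bullseye fix the report quotes; the unstable fixed version is left empty because the report does not give it).

```python
import re

# Two package lines quoted in the report (the "CVE-2022-4696 " prefix shown on
# the first one is not part of the line). BUG_NAMES stands in for the data
# file's bug section that maps numeric ids to CVE names.
DATA_LINES = [
    "linux-5.10,35011,S   ,,5.10.162-1~deb10u1 5.10.178-3~deb10u1 5.10.179-1~deb10u1",
    "linux,35182,S   ,6.1.4-1,4.19.282-1 5.10.158-1 5.10.158-2 5.10.162-1 "
    "5.10.178-1 5.10.178-3 5.10.179-1 5.10.179-2",
]
BUG_NAMES = {35011: "CVE-2022-4696", 35182: "CVE-2023-0615"}

# Constructed (assumption): the line the data would need for the bullseye
# kernel, keyed on source package "linux" with the bullseye fix from the report.
FIXED_LINE = "linux,35011,S   ,,5.10.162-1"

# Constructed (assumption): binary -> source mapping that debsecan gets from apt.
SOURCE_OF = {"linux-image-5.10.0-19-amd64-unsigned": "linux"}


def _weight(ch):
    """Debian policy order inside a non-digit run: '~' < end < letters < others."""
    if ch == "":
        return 0
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        wa = _weight(a[i] if i < len(a) else "")
        wb = _weight(b[i] if i < len(b) else "")
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream_version or debian_revision: alternate non-digit
    runs (policy ordering) and digit runs (numeric) until both are consumed."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 like dpkg --compare-versions: epoch, then upstream,
    then debian revision (the part after the last '-')."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        if not sep:
            upstream, rev = rest, ""
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def parse_line(line):
    """Split a package line into its five fields (assumed layout, see lead-in)."""
    package, bug_id, flags, unstable, others = line.split(",")
    return {"package": package, "cve": BUG_NAMES[int(bug_id)],
            "binary": flags[0] == "B",        # assumption: 'B' = match binary name
            "unstable_version": unstable,     # fixed version in unstable, '' if none
            "other_versions": others.split()}  # fixed versions in other suites


def is_vulnerable(entry, bin_pkg, bin_version, src_pkg, src_version):
    """Assumed rule: the name must match the entry's package; then the version
    is vulnerable unless it is at/above the unstable fix or exactly equals one
    of the other fixed versions."""
    name, v = (bin_pkg, bin_version) if entry["binary"] else (src_pkg, src_version)
    if name != entry["package"]:
        return False
    if entry["unstable_version"] and dpkg_compare(v, entry["unstable_version"]) >= 0:
        return False
    return v not in entry["other_versions"]


def report(bin_pkg, bin_version, lines=DATA_LINES):
    """CVE names the model would print for one installed binary package.
    For the kernel image the source version equals the binary version."""
    src_pkg = SOURCE_OF[bin_pkg]
    entries = [parse_line(ln) for ln in lines]
    return sorted(e["cve"] for e in entries
                  if is_vulnerable(e, bin_pkg, bin_version, src_pkg, bin_version))


if __name__ == "__main__":
    pkg, ver = "linux-image-5.10.0-19-amd64-unsigned", "5.10.149-2"
    print("as shipped:     ", report(pkg, ver))
    print("with linux line:", report(pkg, ver, DATA_LINES + [FIXED_LINE]))
```

With the two lines as shipped, the model reports only CVE-2023-0615 for the 5.10.149-2 image, because the entry for CVE-2022-4696 is keyed on `linux-5.10` while the installed image maps to source `linux`. Adding a second entry keyed on `linux` makes both CVEs appear, and an image at 5.10.162-1 matches neither, which is the behaviour the report expects from the tracker data.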
