This bug was fixed in the package openscap - 1.2.17-0.1ubuntu4 --------------- openscap (1.2.17-0.1ubuntu4) hirsute; urgency=medium
* Add dpkg version comparison algorithm to avoid false positives. (LP: #1911791) - debian/patches/dpkg-version-comparison-1.patch: Add dpkg version comparison algorithm. - debian/patches/dpkg-version-comparison-2.patch: Free a_copy and b_copy in case of failure and code format. - debian/patches/dpkg-version-comparison-3.patch: Fix oval_debian_evr_string_cmp. -- Eduardo Barretto <eduardo.barre...@canonical.com> Tue, 05 Jan 2021 17:19:13 -0300 ** Changed in: openscap (Ubuntu Hirsute) Status: In Progress => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1911791 Title: Openscap can report false positives Status in openscap package in Ubuntu: Fix Released Status in openscap source package in Xenial: In Progress Status in openscap source package in Bionic: In Progress Status in openscap source package in Focal: In Progress Status in openscap source package in Groovy: In Progress Status in openscap source package in Hirsute: Fix Released Bug description: [Impact] Openscap didn't implement Debian package version comparison algorithm. This can cause a user/client to get false positive results when running oscap. For example, we have a system running Bionic, with package "foo" version 1.2.3-4ubuntu1~18.04.1 installed. Ubuntu fixed CVE-2020-XXXX on Bionic for "foo" on version 1.2.3-4ubuntu1. If oscap compares both version it would would return "false", meaning that "foo" is not vulnerable, which is not correct as 1.2.3-4ubuntu1 is greater than the installed version 1.2.3-4ubuntu1~18.04.1. $ dpkg --compare-versions 1.2.3-4ubuntu1 gt 1.2.3-4ubuntu1~18.04.1 && echo TRUE || echo FALSE TRUE If a client relies on software like openscap to decide when to upgrade their system (especially for clients that need to have a downtime to upgrade packages), openscap could be giving the wrong information and causing unnecessary downtimes, or even showing the system as vulnerable, when it isn't or vice-versa. [Test Case] Attached to this bug is a zip file that contains oval data for 3 different packages (gdcm, gnutls28 and openssl) with specific CVE data for each ( CVE-2016-5300, CVE-2018-10845 and CVE-2020-1968). This data* is for Bionic only. The test consists of comparing the installed version of the mentioned packages, to different versions where the CVE could have been fixed. For more info on the test data see: https://pastebin.ubuntu.com/p/cVp2xcq9fs/ Testing procedure (Bionic): $ sudo apt update $ sudo apt install libopenscap8 $ sudo apt install libgdcm2.8 openssl libgnutls30 $ tar -xzf test-data.tar.gz $ cd test-data/ $ ./run.sh Here is a diff between the results of the test, between current openscap and the openscap with the algorithm fix: https://pastebin.ubuntu.com/p/38N8GsgZnf/ *PS: This data doesn't reflect the reality of those vulnerabilities and it should only be used for test purposes. [Where problems could occur] The patches only touch the comparison algorithm, so any regressions that it might have, might impact the comparison, generating false positives too. [Other Info] This affects all releases of Ubuntu, from Xenial to Hirsute. The versioning algorithm implemented is based on dpkg's algorithm. Upstream accepted and merged the Debian version comparison algorithm to its maint-1.3 branch and it should make it to 1.3.5 version whenever it gets released. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp