[Bug 1987629] Re: Package version manifest included package architecture causing oscap CVE audits to not list CVEs for that package
Philip Roche
1987629 at bugs.launchpad.net
Thu Aug 25 09:23:47 UTC 2022
** Attachment added: "Manifest without architecture suffix"
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/1987629/+attachment/5611614/+files/20220711-ubuntu-20.04-server-cloudimg-amd64-no-arch.manifest
https://bugs.launchpad.net/bugs/1987629
Title: Package version manifest included package architecture causing oscap CVE audits to not list CVEs for that package
Status in livecd-rootfs package in Ubuntu: New
Bug description:
The package version manifest created during Ubuntu cloud image builds using the common function `create_manifest` @ https://git.launchpad.net/ubuntu/+source/livecd-rootfs/tree/live-build/functions?h=ubuntu/jammy#n40 produces package version listings which include the package architecture:
```
libgnutls30:amd64 3.6.13-2ubuntu1.6
```
These will fail to be checked when doing a CVE audit like that detailed @ https://ubuntu.com/security/oval
The package `libgnutls30:amd64 3.6.13-2ubuntu1.6` is vulnerable/affected by CVE-2022-2509 (https://ubuntu.com/security/CVE-2022-2509) but it is not listed when a manifest containing this package version is audited.
https://cloud-images.ubuntu.com/releases/focal/release-20220711/ubuntu-20.04-server-cloudimg-amd64-root.manifest is one such manifest.
To reproduce the bug:
First find the OVAL definition for CVE-2022-2509 by inspecting the OVAL XML for Focal @ https://security-metadata.canonical.com/oval/oci.com.ubuntu.focal.usn.oval.xml.bz2. The definition is oval:com.ubuntu.focal:def:55501000000:
```
<definition id="oval:com.ubuntu.focal:def:55501000000" version="1" class="patch">
  <metadata>
    <title>5550-1 -- GnuTLS vulnerabilities</title>
    <affected family="unix">
      <platform>Ubuntu 20.04 LTS</platform>
    </affected>
    <reference source="USN" ref_url="https://ubuntu.com/security/notices/USN-5550-1" ref_id="USN-5550-1"/>
    <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2021-4209" ref_id="CVE-2021-4209"/>
    <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2022-2509" ref_id="CVE-2022-2509"/>
    <!-- snip -->
  </metadata>
</definition>
```
Reproducer:
```
wget https://security-metadata.canonical.com/oval/oci.com.ubuntu.focal.usn.oval.xml.bz2
bunzip2 oci.com.ubuntu.focal.usn.oval.xml.bz2
wget -O manifest https://cloud-images.ubuntu.com/releases/focal/release-20220711/ubuntu-20.04-server-cloudimg-amd64-root.manifest
oscap oval eval --report report.html oci.com.ubuntu.focal.usn.oval.xml | grep oval:com.ubuntu.focal:def:55501000000 # check if cve detected
```
```
❯ oscap oval eval --report report.html oci.com.ubuntu.focal.usn.oval.xml | grep oval:com.ubuntu.focal:def:55501000000
Definition oval:com.ubuntu.focal:def:55501000000: false
```
@ebarretto made the suggestion that we should use
```
dpkg-query -f '${Package} ${Version}\n' --show --admindir="/var/lib/dpkg"
```
instead of
```
dpkg-query --show --admindir="/var/lib/dpkg"
```
This will include only the binary name, without the architecture suffix.
I have created such a manifest for this image @ https://people.canonical.com/~philroche/20220825-oval-audit-arch-bug/20220711-ubuntu-20.04-server-cloudimg-amd64-no-arch.manifest
This can be seen to list the CVE-2022-2509 as expected.
```
wget https://security-metadata.canonical.com/oval/oci.com.ubuntu.focal.usn.oval.xml.bz2
bunzip2 oci.com.ubuntu.focal.usn.oval.xml.bz2
wget -O manifest https://people.canonical.com/~philroche/20220825-oval-audit-arch-bug/20220711-ubuntu-20.04-server-cloudimg-amd64-no-arch.manifest
oscap oval eval --report report.html oci.com.ubuntu.focal.usn.oval.xml | grep oval:com.ubuntu.focal:def:55501000000 # check if cve detected
```
```
❯ oscap oval eval --report report.html oci.com.ubuntu.focal.usn.oval.xml | grep oval:com.ubuntu.focal:def:55501000000
Definition oval:com.ubuntu.focal:def:55501000000: true
```
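As an added example (not code from the bug report or from livecd-rootfs), a small shell helper that rewrites an existing `package:arch version` manifest into the `package version` form the OVAL package tests match against, plus a check that counts entries still carrying an architecture qualifier. The function names and the sample manifest are constructed here for illustration.

```shell
# Added example: normalise a manifest that was generated with
# `dpkg-query --show` (first column "name:arch") into the "name version"
# form, and report how many lines still carry an arch suffix.
# strip_manifest_arch / count_arch_entries are names chosen for this
# example, not livecd-rootfs functions.

# Constructed sample in the format produced by `dpkg-query --show`.
SAMPLE_MANIFEST='libgnutls30:amd64 3.6.13-2ubuntu1.6
libc6:amd64 2.31-0ubuntu9.9
snapd 2.56.2+20.04
linux-image-generic:amd64 5.4.0.124.125'

# Strip ":<arch>" from the package column only. The version column is left
# untouched, so epoch versions such as "1:2.3-1" are not mangled.
strip_manifest_arch() {
    sed -E 's/^([^: ]+):[^ ]+( .*)$/\1\2/'
}

# Count lines whose package name still has an architecture qualifier.
# A non-zero result means the OVAL audit would silently skip those
# packages, exactly the failure described in this bug.
count_arch_entries() {
    grep -cE '^[^ ]+:[^ ]+ ' || true
}

# Usage: convert a downloaded manifest in place for auditing.
#   strip_manifest_arch < root.manifest > manifest
#   count_arch_entries < manifest   # expect 0 before running oscap
```

Run the conversion on the downloaded manifest before invoking `oscap oval eval`, and confirm the count is 0 so that no package is skipped.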