<div dir="ltr">Hi,<div><br></div><div>it seems there are more errors. For example, I get a "fail" for the check: CVE-2012-2150.</div><div><br></div><div>If we review the oval file for that check:</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><definition class="vulnerability" id="oval:com.ubuntu.xenial:def:20122150000" version="1"><br>    ...<br><span style="white-space:pre">        </span><criteria><br><span style="white-space:pre">           </span><extend_definition definition_ref="oval:com.ubuntu.xenial:def:100" comment="Ubuntu 16.04 LTS (xenial) is installed." applicability_check="true" /><br><span style="white-space:pre">             </span><criterion test_ref="oval:com.ubuntu.xenial:tst:20122150000" comment="The 'xfsprogs' package in xenial is affected and needs fixing." /><br><span style="white-space:pre"> </span></criteria><br></definition><br><linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20122150000" version="1" check_existence="at_least_one_exists" check="all" comment="Does the 'xfsprogs' package exist?"><br><span style="white-space:pre">   </span><linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20122150000"/><br></linux-def:dpkginfo_test><br><linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20122150000" version="1" comment="The 'xfsprogs' package."><br><span style="white-space:pre">       </span><linux-def:name>xfsprogs</linux-def:name><br></linux-def:dpkginfo_object></blockquote></div><div><br></div><div>It is checking if the <i>xfsprogs </i>package exists. In my machine I have <i>xfsprogs 4.3.0+nmu1ubuntu1</i> installed. So, the oscap is working properly. The point is: is my xfsprogs vulnerable?. If we take a look at the input file to generate the oval: <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150</a></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">xfs_metadump in <b>xfsprogs before 3.2.4</b> does not properly obfuscate file data, which allows remote attackers to obtain sensitive information by reading a generated image.</blockquote><div><br><div>The description says: xfsprogs before 3.2.4 and I have the version 4. Oval is only checking if the package exists, but not its version. The reason is:</div><div><br></div><div>The function <i>parse_package_status (<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117</a>) </i>parses the line:</div></div><div><ul><li>"xenial_xfsprogs: needed" of <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150</a> to </li><li>"{'note': "The 'xfsprogs' package in trusty is affected and needs fixing.", 'status': 'vulnerable'}".<br></li><li>That means check only the package, not the version, because there is no version (<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220</a>)</li></ul><div>If we take a look at other checks:</div><ul><li>"xenial_git: released (1:2.7.4-0ubuntu1.1)" of <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386</a> is parsed to</li><li>{'fix-version': '1:2.7.4-0ubuntu1.1', 'note': "The 'git' package in xenial was vulnerable but has been fixed (note: '1:2.7.4-0ubuntu1.1').", 'status': 'fixed'}<br></li><li>Here the version is checked.</li></ul><div>So, my final questions are:</div></div><div><ul><li>Who generates this file <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150</a>?</li><li>Why there is no a specific version?</li></ul><div>There are 109 fails after fix the issue that I commented in the previous email and my OS is updated, so I suspect it is happening the same in the rest of checks.</div></div><div><br></div><div>Thanks.</div><div>Regards.</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 5, 2017 at 3:19 PM, Jesus Linares <span dir="ltr"><<a href="mailto:jesus@wazuh.com" target="_blank">jesus@wazuh.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>finally I found the issue: <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110" target="_blank">http://bazaar.<wbr>launchpad.net/~ubuntu-<wbr>security/ubuntu-cve-tracker/<wbr>master/view/head:/scripts/<wbr>oval_lib.py#L110</a></div><div><br></div><div>In that line there is an if-else. The <i>else </i>has the logic to add the "negate" attribute, but the <i>if</i> doesn't have it.</div><div><br></div><div>It is neccesary to replace the lines 111 to 113, for:</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">negation_attribute = 'negate = "true" ' if 'negate' in test_refs[0] and test_refs[0]['negate'] else ''<br>mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}" {2}/>'.format(test_refs[0]['<wbr>id'], escape(test_refs[0]['comment']<wbr>), negation_attribute)</blockquote></div><div><br></div><div>In this way, the scan reports 109 fails instead of 1750. Now, I'm going to review these 109 fails.</div><div><br></div><div>Please, update the script ASAP.</div><div><br></div><div>Thanks.</div><div>Regards.</div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 4, 2017 at 7:50 PM, Jesus Linares <span dir="ltr"><<a href="mailto:jesus@wazuh.com" target="_blank">jesus@wazuh.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I'm testing again the oval files for Xenial 16.04 (updated) and OpenSCAP reports 1750 <i>fails</i>... Something weird is happening. I will check out this issue again, but I would appreciate any help.</div><div><br></div><div>Here an example:</div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst<wbr>:20176919000" version="1" check_existence="any_exist" check="all" comment="<b>Returns true whether or not the 'drupal7' package exists.</b>"><br><span style="white-space:pre-wrap">      </span><linux-def:object object_ref="oval:com.ubuntu.xe<wbr>nial:obj:20076752000"/><br></linux-def:dpkginfo_test><br><linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj<wbr>:20076752000" version="1" comment="The 'drupal7' package."><br><span style="white-space:pre-wrap">     </span><linux-def:name>drupal7</linux<wbr>-def:name><br></linux-def:dpkginfo_object></blockquote></div><div><br></div><div>If the check return always true, it doesn't make sense...</div><div><br></div><div>Thanks.</div><div>Regards.</div><div><br></div><div><br></div></div><div class="m_9152991512343776824HOEnZb"><div class="m_9152991512343776824h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 2, 2016 at 11:29 AM, Jesus Linares <span dir="ltr"><<a href="mailto:jesus@wazuh.com" target="_blank">jesus@wazuh.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>this is from the specific CVE: <span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-n" style="color:rgb(0,0,0);font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px">xenial_libapache</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-o" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(48,48,48)">-</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-n" style="color:rgb(0,0,0);font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px">mod</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-o" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(48,48,48)">-</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-n" style="color:rgb(0,0,0);font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px">jk</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-o" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(48,48,48)">:</span><span style="color:rgb(0,0,0);font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px"> </span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-n" style="color:rgb(0,0,0);font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px">not</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-o" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(48,48,48)">-</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-n" style="color:rgb(0,0,0);font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px">affected</span><span style="color:rgb(0,0,0);font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px"> </span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-o" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(48,48,48)">(</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-mi" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(0,0,208);font-weight:bold">1</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-o" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(48,48,48)">:</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-mf" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(96,0,224);font-weight:bold">1.2</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-o" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(48,48,48)">.</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-mi" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(0,0,208);font-weight:bold">40</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-o" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(48,48,48)">+</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-n" style="color:rgb(0,0,0);font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px">svn150520</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-o" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(48,48,48)">-</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-mi" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(0,0,208);font-weight:bold">1</span><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-o" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(48,48,48)">)</span></div><div><span class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail-pyg-o" style="font-family:"ubuntubeta mono","ubuntu mono",monospace;font-size:12.8697px;color:rgb(48,48,48)"><br></span></div><div>So, if it is not affected for xenial, the check should include the "negate" in order to return that is not a vulnerability, right?.</div><div><br></div><div>Regards.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_9152991512343776824m_3421474847820858891h5">On Fri, Oct 28, 2016 at 9:10 PM, Seth Arnold <span dir="ltr"><<a href="mailto:seth.arnold@canonical.com" target="_blank">seth.arnold@canonical.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_9152991512343776824m_3421474847820858891h5"><span>On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares wrote:<br>
> I think this test should have the "negate" due to the comment "While<br>
</span>> related to the CVE in some way, the 'libapache-mod-jk' package in* xenial<br>
> is not affected*". So, maybe the input of the script is wrong?. Where is<br>
> the input?.<br>
<br>
The input is from the ubuntu-cve-tracker bzr tree;<br>
<br>
<a href="https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master" rel="noreferrer" target="_blank">https://code.launchpad.net/~ub<wbr>untu-security/ubuntu-cve-track<wbr>er/master</a><br>
<br>
In the case of this specific CVE:<br>
<br>
<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~u<wbr>buntu-security/ubuntu-cve-trac<wbr>ker/master/view/head:/active/C<wbr>VE-2014-8111</a><br>
<br>
Thanks<br>
<br></div></div><span>--<br>
ubuntu-hardened mailing list<br>
<a href="mailto:ubuntu-hardened@lists.ubuntu.com" target="_blank">ubuntu-hardened@lists.ubuntu.c<wbr>om</a><br>
<a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailm<wbr>an/listinfo/ubuntu-hardened</a><br>
<br></span></blockquote></div><span><br><br clear="all"><div><br></div>-- <br><div class="m_9152991512343776824m_3421474847820858891m_8911438507652353542gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><b style="font-size:12.8px"><font color="#0b5394">Jesus Linares</font></b><div style="font-size:12.8px"><i><font color="#999999">IT Security Engineer</font></i></div><div style="font-size:12.8px"><i><font color="#999999"><img src="https://docs.google.com/uc?export=download&id=0Bx75KsPzHxO_THFpRzBONGpoeWs&revid=0Bx75KsPzHxO_aG5WOW1OU3p3V3JOVUczVDlPViszMTdGZUtrPQ" width="96" height="16"><br></font></i></div></div></div>
</span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_9152991512343776824m_3421474847820858891gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><b style="font-size:12.8px"><font color="#0b5394">Jesus Linares</font></b><div style="font-size:12.8px"><i><font color="#999999">IT Security Engineer</font></i></div><div style="font-size:12.8px"><i><font color="#999999"><img src="https://docs.google.com/uc?export=download&id=0Bx75KsPzHxO_THFpRzBONGpoeWs&revid=0Bx75KsPzHxO_aG5WOW1OU3p3V3JOVUczVDlPViszMTdGZUtrPQ" width="96" height="16"><br></font></i></div></div></div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_9152991512343776824gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><b style="font-size:12.8px"><font color="#0b5394">Jesus Linares</font></b><div style="font-size:12.8px"><i><font color="#999999">IT Security Engineer</font></i></div><div style="font-size:12.8px"><i><font color="#999999"><img src="https://docs.google.com/uc?export=download&id=0Bx75KsPzHxO_THFpRzBONGpoeWs&revid=0Bx75KsPzHxO_aG5WOW1OU3p3V3JOVUczVDlPViszMTdGZUtrPQ" width="96" height="16"><br></font></i></div></div></div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><b style="font-size:12.8px"><font color="#0b5394">Jesus Linares</font></b><div style="font-size:12.8px"><i><font color="#999999">IT Security Engineer</font></i></div><div style="font-size:12.8px"><i><font color="#999999"><img src="https://docs.google.com/uc?export=download&id=0Bx75KsPzHxO_THFpRzBONGpoeWs&revid=0Bx75KsPzHxO_aG5WOW1OU3p3V3JOVUczVDlPViszMTdGZUtrPQ" width="96" height="16"><br></font></i></div></div></div>
</div>