[Bug 1851682] Re: oscap is broken in ubuntu 19.10

Fri Jul 17 23:12:09 UTC 2020

This has already been fixed in Groovy, and Eoan just went EOL.

I have uploaded your patches to Focal and Bionic, and they are waiting
in the respective queues. I tweaked the version numbers and made sure
the LP bug number was in the changelog, following SRU policy. I also
changed bionic-security to bionic in your Bionic diff changelog, since
in order for it to be SRU'ed it can't go directly to -security.

In the future, try to follow DEP-3 patch headers. It makes it easier for
others to review your patch, for uploading and further maintenance. You
can find more details here: https://dep-team.pages.debian.net/deps/dep3/

Also, please look at the Security Team document for version numbers:
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

Thank you for your contribution!

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1851682

Title:
  oscap is broken in ubuntu 19.10

Status in openscap package in Ubuntu:
  Fix Released
Status in openscap source package in Bionic:
  New
Status in openscap source package in Focal:
  Confirmed
Status in openscap source package in Groovy:
  Fix Released

Bug description:
  [Impact]

  The bug causes oscap to fail to run with OVAL files produced by the
  Ubuntu Security team.

  This is the upstream issue:
  https://github.com/OpenSCAP/openscap/issues/1367

  The fix is simple and I've tested in under bionic, eoan, and focal.

  The patch corrects an typo or copy/paste error in the original code.
  https://github.com/OpenSCAP/openscap/commit/5e5bc61c1fc6a6556665aa5689a62d6bc6487c74

  [Test Case]

  This can be reproduced on eoan and focal by following the instructions
  for using ubuntu security oval data here: https://people.canonical.com
  /~ubuntu-security/oval/

  The bug does not manifest directly in bionic but if you include
  libopenscap8 in a snap based on core18, the version of oscap in the
  snap will produce the same behavior when you run the snap on eoan or
  focal

  [Regression Potential]

  The potential for regression seems low in this case. I've built the
  deb locally for bionic, eoan, and focal and smoke tested in in VMs
  using the ubuntu security OVAL files and the test file from the
  comment below
  https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1851682/comments/2

  If a regression were to exist, it would likely manifest itself with a
  runtime error much like the original problem.

  ############################################
  ORIGINAL BUG REPORT BELOW
  ###########################################
  oscap segfaults while trying to check using ubuntu-security definitions:

  The command:
  oscap oval eval --report /tmp/oscap_report.html /var/tmp/com.ubuntu.eoan.cve.oval.xml

  Segfault:
  ...
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
  Probe with PID=26379 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
  Probe with PID=26379 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
  Unable to close probe sd [../../../src/OVAL/oval_probe_ext.c:424]
  Unable to receive a message from probe [../../../src/OVAL/oval_probe_ext.c:579]
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]
  Probe with PID=26393 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
  Probe with PID=26393 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
  Unable to close probe sd [../../../src/OVAL/oval_probe_ext.c:424]
  Unable to receive a message from probe [../../../src/OVAL/oval_probe_ext.c:579]
  Invalid oval result type: -1. [../../../../src/OVAL/results/oval_resultTest.c:179]

  The OVAL definitions are taken directly from
  https://people.canonical.com/~ubuntu-
  security/oval/com.ubuntu.eoan.cve.oval.xml

  Version:
  oscap --version
  OpenSCAP command line tool (oscap) 1.2.16
  Copyright 2009--2017 Red Hat Inc., Durham, North Carolina.

  ==== Supported specifications ====
  XCCDF Version: 1.2
  OVAL Version: 5.11.1
  CPE Version: 2.3
  CVSS Version: 2.0
  CVE Version: 2.0
  Asset Identification Version: 1.1
  Asset Reporting Format Version: 1.1
  CVRF Version: 1.1

  ==== Capabilities added by auto-loaded plugins ====
  SCE Version: 1.0 (from libopenscap_sce.so.8)

  ==== Paths ====
  Schema files: /usr/share/openscap/schemas
  Default CPE files: /usr/share/openscap/cpe
  Probes: /usr/lib/x86_64-linux-gnu/openscap

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1851682/+subscriptions