[Bug 1911791] [NEW] Openscap can report false positives

Eduardo Barretto 1911791 at bugs.launchpad.net
Thu Jan 14 17:31:51 UTC 2021 

Public bug reported:

[Impact]

Openscap didn't implement Debian package version comparison algorithm.
This can cause a user/client to get false positive results when running
oscap.

For example, we have a system running Bionic, with package "foo" version
1.2.3-4ubuntu1~18.04.1 installed. Ubuntu fixed CVE-2020-XXXX on Bionic for
"foo" on version 1.2.3-4ubuntu1. If oscap compares both version it would
would return "false", meaning that "foo" is not vulnerable, which is not
correct as 1.2.3-4ubuntu1 is greater than the installed version
1.2.3-4ubuntu1~18.04.1.

$ dpkg --compare-versions 1.2.3-4ubuntu1 gt 1.2.3-4ubuntu1~18.04.1 && echo TRUE || echo FALSE
TRUE

[Test Case]

Attached to this bug is a zip file that contains oval data for 3 different
packages (gdcm, gnutls28 and openssl) with specific CVE data for each (
CVE-2016-5300, CVE-2018-10845 and CVE-2020-1968). This data* is for Bionic
only.

The test consists of comparing the installed version of the mentioned
packages, to different versions where the CVE could have been fixed.

For more info on the test data see:
https://pastebin.ubuntu.com/p/cVp2xcq9fs/

Testing procedure (Bionic):
$ sudo apt update
$ sudo apt install libopenscap8
$ sudo apt install libgdcm2.8 openssl libgnutls30
$ tar -xzf test-data.tar.gz
$ cd test-data/
$ ./run.sh

Here is a diff between the results of the test, between current openscap
and the openscap with the algorithm fix:
https://pastebin.ubuntu.com/p/38N8GsgZnf/

*PS: This data doesn't reflect the reality of those vulnerabilities and it
should only be used for test purposes.

[Where problems could occur]

Whenever a user or client relies on software like openscap to decide when
to update (and reboot it if needed) their system because it is vulnerable
to a CVE. Specially for clients that need to have a downtime to upgrade
packages, openscap could be giving them wrong information and causing
unnecessary downtimes.

Clients could also be vulnerable to a CVE and not know about it because of
a wrong openscap report.

[Other Info]

This affects all releases of Ubuntu, from Xenial to Hirsute.

The versioning algorithm implemented is based on dpkg's algorithm.

Upstream accepted and merged the Debian version comparison algorithm to
its maint-1.3 branch and it should make it to 1.3.5 version whenever it
gets released.

** Affects: openscap (Ubuntu)
     Importance: Undecided
     Assignee: Ubuntu Sponsors Team (ubuntu-sponsors)
         Status: New

** Attachment added: "test-data.tar.gz"
   https://bugs.launchpad.net/bugs/1911791/+attachment/5453045/+files/test-data.tar.gz

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is a bug assignee.
https://bugs.launchpad.net/bugs/1911791

Title:
  Openscap can report false positives

Status in openscap package in Ubuntu:
  New

Bug description:
  [Impact]

  Openscap didn't implement Debian package version comparison algorithm.
  This can cause a user/client to get false positive results when running
  oscap.

  For example, we have a system running Bionic, with package "foo" version
  1.2.3-4ubuntu1~18.04.1 installed. Ubuntu fixed CVE-2020-XXXX on Bionic for
  "foo" on version 1.2.3-4ubuntu1. If oscap compares both version it would
  would return "false", meaning that "foo" is not vulnerable, which is not
  correct as 1.2.3-4ubuntu1 is greater than the installed version
  1.2.3-4ubuntu1~18.04.1.

  $ dpkg --compare-versions 1.2.3-4ubuntu1 gt 1.2.3-4ubuntu1~18.04.1 && echo TRUE || echo FALSE
  TRUE

  [Test Case]

  Attached to this bug is a zip file that contains oval data for 3 different
  packages (gdcm, gnutls28 and openssl) with specific CVE data for each (
  CVE-2016-5300, CVE-2018-10845 and CVE-2020-1968). This data* is for Bionic
  only.

  The test consists of comparing the installed version of the mentioned
  packages, to different versions where the CVE could have been fixed.

  For more info on the test data see:
  https://pastebin.ubuntu.com/p/cVp2xcq9fs/

  Testing procedure (Bionic):
  $ sudo apt update
  $ sudo apt install libopenscap8
  $ sudo apt install libgdcm2.8 openssl libgnutls30
  $ tar -xzf test-data.tar.gz
  $ cd test-data/
  $ ./run.sh

  Here is a diff between the results of the test, between current openscap
  and the openscap with the algorithm fix:
  https://pastebin.ubuntu.com/p/38N8GsgZnf/

  *PS: This data doesn't reflect the reality of those vulnerabilities and it
  should only be used for test purposes.

  [Where problems could occur]

  Whenever a user or client relies on software like openscap to decide when
  to update (and reboot it if needed) their system because it is vulnerable
  to a CVE. Specially for clients that need to have a downtime to upgrade
  packages, openscap could be giving them wrong information and causing
  unnecessary downtimes.

  Clients could also be vulnerable to a CVE and not know about it because of
  a wrong openscap report.

  [Other Info]

  This affects all releases of Ubuntu, from Xenial to Hirsute.

  The versioning algorithm implemented is based on dpkg's algorithm.

  Upstream accepted and merged the Debian version comparison algorithm to
  its maint-1.3 branch and it should make it to 1.3.5 version whenever it
  gets released.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791/+subscriptions

More information about the Ubuntu-sponsors mailing list