[Bug 1911791] Please test proposed package

Brian Murray 1911791 at bugs.launchpad.net
Tue Jan 19 18:36:11 UTC 2021 

Hello Eduardo, or anyone else affected,

Accepted openscap into bionic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/openscap/1.2.15-1ubuntu0.3 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
bionic to verification-done-bionic. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-bionic. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: openscap (Ubuntu Xenial)
       Status: In Progress => Fix Committed

** Tags added: verification-needed-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1911791

Title:
  Openscap can report false positives

Status in openscap package in Ubuntu:
  Fix Released
Status in openscap source package in Xenial:
  Fix Committed
Status in openscap source package in Bionic:
  Fix Committed
Status in openscap source package in Focal:
  Fix Committed
Status in openscap source package in Groovy:
  Fix Committed
Status in openscap source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

  Openscap didn't implement Debian package version comparison algorithm.
  This can cause a user/client to get false positive results when running
  oscap.

  For example, we have a system running Bionic, with package "foo" version
  1.2.3-4ubuntu1~18.04.1 installed. Ubuntu fixed CVE-2020-XXXX on Bionic for
  "foo" on version 1.2.3-4ubuntu1. If oscap compares both version it would
  would return "false", meaning that "foo" is not vulnerable, which is not
  correct as 1.2.3-4ubuntu1 is greater than the installed version
  1.2.3-4ubuntu1~18.04.1.

  $ dpkg --compare-versions 1.2.3-4ubuntu1 gt 1.2.3-4ubuntu1~18.04.1 && echo TRUE || echo FALSE
  TRUE

  If a client relies on software like openscap to decide when to upgrade
  their system (especially for clients that need to have a downtime to
  upgrade packages), openscap could be giving the wrong information and
  causing unnecessary downtimes, or even showing the system as
  vulnerable, when it isn't or vice-versa.

  [Test Case]

  Attached to this bug is a zip file that contains oval data for 3 different
  packages (gdcm, gnutls28 and openssl) with specific CVE data for each (
  CVE-2016-5300, CVE-2018-10845 and CVE-2020-1968). This data* is for Bionic
  only.

  The test consists of comparing the installed version of the mentioned
  packages, to different versions where the CVE could have been fixed.

  For more info on the test data see:
  https://pastebin.ubuntu.com/p/cVp2xcq9fs/

  Testing procedure (Bionic):
  $ sudo apt update
  $ sudo apt install libopenscap8
  $ sudo apt install libgdcm2.8 openssl libgnutls30
  $ tar -xzf test-data.tar.gz
  $ cd test-data/
  $ ./run.sh

  Here is a diff between the results of the test, between current openscap
  and the openscap with the algorithm fix:
  https://pastebin.ubuntu.com/p/38N8GsgZnf/

  *PS: This data doesn't reflect the reality of those vulnerabilities and it
  should only be used for test purposes.

  [Where problems could occur]

  The patches only touch the comparison algorithm, so any regressions
  that it might have, might impact the comparison, generating false
  positives too.

  [Other Info]

  This affects all releases of Ubuntu, from Xenial to Hirsute.

  The versioning algorithm implemented is based on dpkg's algorithm.

  Upstream accepted and merged the Debian version comparison algorithm to
  its maint-1.3 branch and it should make it to 1.3.5 version whenever it
  gets released.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791/+subscriptions

More information about the Ubuntu-sponsors mailing list