[Bug 2004476] [NEW] Allow openscap to be less strict about epoch digit and able to build security certification projects

Launchpad Bug Tracker 2004476 at bugs.launchpad.net
Wed Feb 1 17:47:11 UTC 2023 

You have been subscribed to a public bug by Eduardo Barretto (ebarretto):

[Impact]
Back in [1] where we added dpkg version comparison algorithm, we were too strict about the epoch number, where oscap would return an error message if no epoch number was provided. This SRU backports the fix provided to upstream [2] and released with openscap 1.3.7, meaning lunar is not affected by it.

This SRU also includes the fix for [3]. The Ubuntu Security Team needs
this fix to better provide support on ComplianceAsCode and Ubuntu
Security Guide (USG [4])

[Test Case]
Attached to this bug is a zip file that contains OVAL data for one package (expat) and data of one CVE (CVE-2022-43680). The OVAL data is in both OCI
and non-OCI format.

The test consists of comparing the installed version of the mentioned
packages, to different versions where the CVE could have been fixed.

Testing procedure (Bionic):
$ sudo apt update
$ sudo apt install libopenscap8
$ sudo apt install libexpat1
$ tar -xzf test-data.tar.gz
$ cd test-data/
$ ./run.sh

Here is the output of the test, with current openscap in jammy:
$ ./run.sh 
oscap oval eval com.ubuntu.jammy.cve.oval.xml
Definition oval:com.ubuntu.jammy:def:2022436800000000: error
Definition oval:com.ubuntu.jammy:def:100: true
OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]
oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
Definition oval:com.ubuntu.jammy:def:2022436800000000: error
OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]

and the output of the test, with patched openscap in jammy:
$ ./run.sh 
oscap oval eval com.ubuntu.jammy.cve.oval.xml
Definition oval:com.ubuntu.jammy:def:2022436800000000: false
Definition oval:com.ubuntu.jammy:def:100: true
Evaluation done.
oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
Definition oval:com.ubuntu.jammy:def:2022436800000000: false
Evaluation done.


[Where problems could occur]

The first patch touch the comparison algorithm, so any regressions that
it might have, might impact the comparison and scanning results. The
second patch allows the build of USG/ComplianceAsCode for other
platforms, which currently isn't possible.

[Other Info]

Both issues affect all releases from Bionic to Kinetic.
The epoch issue affects also Trusty ESM and Xenial ESM and we will be handling those in the ESM PPAs.

The versioning algorithm implemented is based on dpkg's algorithm.

Upstream accepted and merged the Debian epoch fix to its maint-1.3
branch and it already made into 1.3.7 version [5]

[1] https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791
[2] https://github.com/OpenSCAP/openscap/pull/1901
[3] https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2002551
[4] https://launchpad.net/usg
[5] https://github.com/OpenSCAP/openscap/releases/tag/1.3.7

** Affects: openscap (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: openscap (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: openscap (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: openscap (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: openscap (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: openscap (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: openscap (Ubuntu Kinetic)
     Importance: Undecided
         Status: New

-- 
Allow openscap to be less strict about epoch digit and able to build security certification projects
https://bugs.launchpad.net/bugs/2004476
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list