[Bug 2004476] Re: [SRU] Allow openscap to be less strict about epoch digit and able to build security certification projects
Launchpad Bug Tracker
2004476 at bugs.launchpad.net
Thu Feb 16 08:43:11 UTC 2023
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: openscap (Ubuntu Trusty)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2004476
Title:
[SRU] Allow openscap to be less strict about epoch digit and able to
build security certification projects
Status in openscap package in Ubuntu:
Confirmed
Status in openscap source package in Trusty:
Confirmed
Status in openscap source package in Xenial:
Confirmed
Status in openscap source package in Bionic:
In Progress
Status in openscap source package in Focal:
In Progress
Status in openscap source package in Jammy:
In Progress
Status in openscap source package in Kinetic:
In Progress
Bug description:
[Impact]
Back in [1] where we added dpkg version comparison algorithm, we were too strict about the epoch number, where oscap would return an error message if no epoch number was provided. This SRU backports the fix provided to upstream [2] and released with openscap 1.3.7, meaning lunar is not affected by it.
This SRU also includes the fix for [3]. The Ubuntu Security Team needs
this fix to better provide support on ComplianceAsCode and Ubuntu
Security Guide (USG [4])
[Test Case]
Attached to this bug is a zip file that contains OVAL data for one package (expat) and data of one CVE (CVE-2022-43680). The OVAL data is in both OCI
and non-OCI format.
The test consists of comparing the installed version of the mentioned
packages, to different versions where the CVE could have been fixed.
Testing procedure (Bionic):
$ sudo apt update
$ sudo apt install libopenscap8
$ sudo apt install libexpat1
$ tar -xzf test-data.tar.gz
$ cd test-data/
$ ./run.sh
Here is the output of the test, with current openscap in jammy:
$ ./run.sh
oscap oval eval com.ubuntu.jammy.cve.oval.xml
Definition oval:com.ubuntu.jammy:def:2022436800000000: error
Definition oval:com.ubuntu.jammy:def:100: true
OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]
oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
Definition oval:com.ubuntu.jammy:def:2022436800000000: error
OpenSCAP Error: Invalid epoch. [../../../../src/OVAL/results/oval_cmp_evr_string.c:399]
and the output of the test, with patched openscap in jammy:
$ ./run.sh
oscap oval eval com.ubuntu.jammy.cve.oval.xml
Definition oval:com.ubuntu.jammy:def:2022436800000000: false
Definition oval:com.ubuntu.jammy:def:100: true
Evaluation done.
oscap oval eval oci.com.ubuntu.jammy.cve.oval.xml
Definition oval:com.ubuntu.jammy:def:2022436800000000: false
Evaluation done.
[Where problems could occur]
The first patch touch the comparison algorithm, so any regressions
that it might have, might impact the comparison and scanning results.
The second patch allows the build of USG/ComplianceAsCode for other
platforms, which currently isn't possible.
[Other Info]
Both issues affect all releases from Bionic to Kinetic.
The epoch issue affects also Trusty ESM and Xenial ESM and we will be handling those in the ESM PPAs.
The versioning algorithm implemented is based on dpkg's algorithm.
Upstream accepted and merged the Debian epoch fix to its maint-1.3
branch and it already made into 1.3.7 version [5]
[1] https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1911791
[2] https://github.com/OpenSCAP/openscap/pull/1901
[3] https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2002551
[4] https://launchpad.net/usg
[5] https://github.com/OpenSCAP/openscap/releases/tag/1.3.7
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2004476/+subscriptions
More information about the Ubuntu-sponsors
mailing list