[Bug 2062389] Re: [SRU] Fix segfault in systemdunitdependency probe
Eduardo Barretto
2062389 at bugs.launchpad.net
Thu Apr 18 16:06:38 UTC 2024
** Patch added: "openscap_1.2.17-0.1ubuntu7.22.04.2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2062389/+attachment/5767559/+files/openscap_1.2.17-0.1ubuntu7.22.04.2.debdiff
** Description changed:
[ Impact ]
- * This issue causes a crash in openscap when there's a circular
+ * This issue causes a crash in openscap when there's a circular
dependency in systemd services, and currently affects both Ubuntu 20.04
and 22.04.
- * This indirectly is affecting the usage of USG (Ubuntu Security Guide)
+ * This indirectly is affecting the usage of USG (Ubuntu Security Guide)
for CIS auditing in systems with ceph-mds. See LP: #2060345.
- * This issue was reported to upstream here:
+ * This issue was reported to upstream here:
https://bugzilla.redhat.com/show_bug.cgi?id=1478285 and later fixed in
openscap upstream git repo
https://github.com/OpenSCAP/openscap/pull/1474. This SRU is a backport
of the mentioned pull request.
[ Test Plan ]
- * There are a few ways to reproduce this issue, as you can see some notes on LP: #2060345.
- But for simplicity, the easiest way to reproduce this issue is to run the following commands.
- Without the patch on Ubuntu 20.04:
+ * There are a few ways to reproduce this issue, as you can see some notes on LP: #2060345.
+ But for simplicity, the easiest way to reproduce this issue is to run the following commands.
+ Without the patch on Ubuntu 20.04:
```
- $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
+ $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
+ Definition oval:ssg-service_rsyslog_enabled:def:1: true
+ Evaluation done.
+ $ sudo apt install ceph-mds
+ $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1522 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1522 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
Probe with PID=1531 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1531 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
```
- With the patch on Ubuntu 20.04:
+ With the patch on Ubuntu 20.04:
```
$ sudo apt install libopenscap8=1.2.16-2ubuntu3.4
- $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
+ $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
- Without the patch on Ubuntu 22.04:
+ Without the patch on Ubuntu 22.04:
```
+ $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
+ Definition oval:ssg-service_rsyslog_enabled:def:1: true
+ Evaluation done.
+ $ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1421 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1421 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
Probe with PID=1431 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1431 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
```
- With the patch on Ubuntu 22.04:
+ With the patch on Ubuntu 22.04:
```
$ sudo apt install libopenscap8=1.2.17-0.1ubuntu7.22.04.2
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
- * The other tests we will do is to run full usg fix and audit and
+ * The other tests we will do is to run full usg fix and audit and
report if the output is as expected.
[ Where problems could occur ]
- * This fix was never backported to version 1.2 in upstream git repo, but was applied to openscap 1.2 in
- RHEL-based distros, it is unclear if the backport ever created another issue with the
- systemdunitdependency probe. If that is the case we expect to see some other tests in usg failing,
- for example.
+ * This fix was never backported to version 1.2 in upstream git repo, but was applied to openscap 1.2 in
+ RHEL-based distros, it is unclear if the backport ever created another issue with the
+ systemdunitdependency probe. If that is the case we expect to see some other tests in usg failing,
+ for example.
[ Other Info ]
-
- * This issue affects both Ubuntu 20.04 and 22.04.
+
+ * This issue affects both Ubuntu 20.04 and 22.04.
** Description changed:
[ Impact ]
* This issue causes a crash in openscap when there's a circular
dependency in systemd services, and currently affects both Ubuntu 20.04
and 22.04.
* This indirectly is affecting the usage of USG (Ubuntu Security Guide)
for CIS auditing in systems with ceph-mds. See LP: #2060345.
* This issue was reported to upstream here:
https://bugzilla.redhat.com/show_bug.cgi?id=1478285 and later fixed in
openscap upstream git repo
https://github.com/OpenSCAP/openscap/pull/1474. This SRU is a backport
of the mentioned pull request.
[ Test Plan ]
* There are a few ways to reproduce this issue, as you can see some notes on LP: #2060345.
But for simplicity, the easiest way to reproduce this issue is to run the following commands.
- Without the patch on Ubuntu 20.04:
+ On Ubuntu 20.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
+
$ sudo apt install ceph-mds
+
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1522 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1522 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
Probe with PID=1531 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1531 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
- ```
- With the patch on Ubuntu 20.04:
- ```
$ sudo apt install libopenscap8=1.2.16-2ubuntu3.4
+
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
- Without the patch on Ubuntu 22.04:
+ On Ubuntu 22.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
+
$ sudo apt install ceph-mds
+
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1421 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1421 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
Probe with PID=1431 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1431 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
- ```
- With the patch on Ubuntu 22.04:
- ```
$ sudo apt install libopenscap8=1.2.17-0.1ubuntu7.22.04.2
+
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
* The other tests we will do is to run full usg fix and audit and
report if the output is as expected.
[ Where problems could occur ]
* This fix was never backported to version 1.2 in upstream git repo, but was applied to openscap 1.2 in
RHEL-based distros, it is unclear if the backport ever created another issue with the
systemdunitdependency probe. If that is the case we expect to see some other tests in usg failing,
for example.
[ Other Info ]
* This issue affects both Ubuntu 20.04 and 22.04.
+ * Another way to mitigate this issue would be altering systemd services to not have a circular dependency. This can get tricky and might require a lot of change.
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2062389
Title:
[SRU] Fix segfault in systemdunitdependency probe
Status in openscap package in Ubuntu:
New
Status in openscap source package in Focal:
New
Status in openscap source package in Jammy:
New
Bug description:
[ Impact ]
* This issue causes a crash in openscap when there's a circular
dependency in systemd services, and currently affects both Ubuntu
20.04 and 22.04.
* This indirectly affects the usage of USG (Ubuntu Security
Guide) for CIS auditing on systems with ceph-mds. See LP: #2060345.
* This issue was reported to upstream here:
https://bugzilla.redhat.com/show_bug.cgi?id=1478285 and later fixed in
openscap upstream git repo
https://github.com/OpenSCAP/openscap/pull/1474. This SRU is a backport
of the mentioned pull request.
[ Test Plan ]
* There are a few ways to reproduce this issue, as you can see in the notes on LP: #2060345.
But for simplicity, the easiest way to reproduce it is to run the following commands.
On Ubuntu 20.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1522 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1522 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
Probe with PID=1531 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1531 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
$ sudo apt install libopenscap8=1.2.16-2ubuntu3.4
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
On Ubuntu 22.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1421 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1421 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
Probe with PID=1431 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1431 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
$ sudo apt install libopenscap8=1.2.17-0.1ubuntu7.22.04.2
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
* The other test we will do is to run a full usg fix and audit and
report whether the output is as expected.
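To make the before/after comparison in the Test Plan mechanical rather than eyeballed, the following added example (not part of the bug report and not openscap code) parses the combined stdout/stderr of an `oscap oval eval` run and reports which probes died, which OVAL objects consequently came back with an unknown flag, and which definitions got a result. The crash sample is copied from the unpatched 20.04 output above; the clean sample is the patched output.

```python
"""Summarise an `oscap oval eval` run: dead probes, unknown-flag objects, results.

Added example for this bug report; not openscap code. Usage on a real host:
    oscap oval eval --id <definition> <oval.xml> 2>&1 | python3 check_oscap.py
"""
import json
import re
import sys
from typing import Dict, List, Tuple

# Message shapes taken from the Test Plan output in the bug report.
PROBE_KILLED = re.compile(r"Probe with PID=(\d+) has been killed with signal (\d+)")
UNKNOWN_FLAG = re.compile(r"object '([^']+)' from test '([^']+)' has an unknown flag")
DEFINITION = re.compile(r"^Definition (\S+): (.+)$")


def analyse_oscap_output(text: str) -> Dict[str, object]:
    """Return dead probes, objects with an unknown flag, definition results
    and a 'clean' verdict for one run."""
    crashed: List[Tuple[int, int]] = []   # (probe PID, signal number)
    unknown: List[Tuple[str, str]] = []   # (OVAL object id, OVAL test id)
    definitions: Dict[str, str] = {}      # definition id -> printed result
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROBE_KILLED.search(line):
            crashed.append((int(m.group(1)), int(m.group(2))))
        elif m := UNKNOWN_FLAG.search(line):
            unknown.append((m.group(1), m.group(2)))
        elif m := DEFINITION.match(line):
            definitions[m.group(1)] = m.group(2)
    return {
        "crashed_probes": crashed,
        "unknown_flag_objects": unknown,
        "definitions": definitions,
        # A fixed package must yield no dead probes, no unknown flags and a
        # result for the requested definition.
        "clean": not crashed and not unknown and bool(definitions),
    }


# Copied from the Test Plan: unpatched 20.04 run after installing ceph-mds.
SAMPLE_CRASH_OUTPUT = """\
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1522 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1522 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
Probe with PID=1531 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1531 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
"""

# Copied from the Test Plan: the same definition with the patched package.
SAMPLE_CLEAN_OUTPUT = """\
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
"""

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRASH_OUTPUT
    print(json.dumps(analyse_oscap_output(data), indent=2))
```

The `clean` field is what a scripted SRU verification would assert on: it must be false on the unpatched package with ceph-mds installed and true after installing the fixed libopenscap8.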
[ Where problems could occur ]
* This fix was never backported to version 1.2 in the upstream git repo, but was applied to openscap 1.2 in
RHEL-based distros; it is unclear whether the backport ever created another issue with the
systemdunitdependency probe. If that is the case, we expect to see some other tests in usg failing,
for example.
[ Other Info ]
* This issue affects both Ubuntu 20.04 and 22.04.
* Another way to mitigate this issue would be altering systemd services to not have a circular dependency. This can get tricky and might require a lot of change.
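The crash requires a cycle in the unit requirement graph, and the last bullet names removing that cycle as a mitigation. The following added example (not openscap or systemd code) parses systemd unit files, builds the graph from the requirement directives (Requires=, Requisite=, Wants=, BindsTo=, PartOf=, Upholds=) plus the `foo.target.wants/` and `foo.service.requires/` link directories, and reports every cycle. It uses a visited set so the walk terminates on cycles. Assumptions: it reads one unit directory at a time and does not resolve drop-in `.d/` directories, template instances or generated units; the sample units are constructed.

```python
"""Find circular requirement dependencies between systemd units.

Added example for this bug report; not openscap or systemd code. Run with a
unit directory (e.g. /etc/systemd/system) or without arguments for the
constructed sample below.
"""
import os
import sys
from typing import Dict, List

# [Unit] directives that pull in other units. Ordering-only directives such
# as After=/Before= are deliberately not followed.
DEP_KEYS = ("Requires", "Requisite", "Wants", "BindsTo", "PartOf", "Upholds")


def dependencies_of(unit_text: str) -> List[str]:
    """Units named by the requirement directives in one unit file."""
    deps: Dict[str, List[str]] = {key: [] for key in DEP_KEYS}
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if section != "Unit" or not sep or key not in deps:
            continue
        value = value.strip()
        if value:
            deps[key].extend(value.split())
        else:
            deps[key] = []  # an empty assignment resets the list (systemd semantics)
    ordered: List[str] = []
    for key in DEP_KEYS:
        for unit in deps[key]:
            if unit not in ordered:
                ordered.append(unit)
    return ordered


def graph_from_units(units: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each unit name to the units it requires or wants."""
    return {name: dependencies_of(text) for name, text in units.items()}


def find_cycles(graph: Dict[str, List[str]]) -> List[List[str]]:
    """Depth-first search with white/grey/black marking. Each cycle is
    returned as its closed path, e.g. ['a', 'b', 'a']. Units that are
    referenced but absent from the graph are treated as leaves."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in graph}
    cycles: List[List[str]] = []
    path: List[str] = []

    def visit(node: str) -> None:
        colour[node] = GREY
        path.append(node)
        for dep in graph.get(node, []):
            state = colour.get(dep, BLACK)
            if state == GREY:  # back edge: dep is already on the current path
                cycles.append(path[path.index(dep):] + [dep])
            elif state == WHITE:
                visit(dep)
        path.pop()
        colour[node] = BLACK

    for name in graph:
        if colour[name] == WHITE:
            visit(name)
    return cycles


def load_unit_dir(directory: str) -> Dict[str, List[str]]:
    """Graph from one unit directory, including *.wants/ and *.requires/ links."""
    graph: Dict[str, List[str]] = {}
    for entry in os.scandir(directory):
        if entry.is_file():  # masked units link to /dev/null and are skipped here
            with open(entry.path, encoding="utf-8", errors="replace") as fh:
                graph.setdefault(entry.name, []).extend(dependencies_of(fh.read()))
        elif entry.is_dir() and entry.name.endswith((".wants", ".requires")):
            owner = entry.name.rsplit(".", 1)[0]
            graph.setdefault(owner, []).extend(sorted(os.listdir(entry.path)))
    return graph


# Constructed sample: multi-user.target pulls in rsyslog and a three-unit cycle.
SAMPLE_UNITS = {
    "multi-user.target": "[Unit]\nWants=rsyslog.service demo-a.service\n",
    "rsyslog.service": "[Unit]\nRequires=syslog.socket\n[Install]\nWantedBy=multi-user.target\n",
    "syslog.socket": "[Unit]\nDescription=Syslog Socket\n",
    "demo-a.service": "[Unit]\nWants=demo-b.service\n[Service]\nExecStart=/bin/true\n",
    "demo-b.service": "[Unit]\nRequires=demo-c.target\nAfter=demo-c.target\n",
    "demo-c.target": "[Unit]\nWants=demo-a.service\n",
}

if __name__ == "__main__":
    graph = load_unit_dir(sys.argv[1]) if len(sys.argv) > 1 else graph_from_units(SAMPLE_UNITS)
    for cycle in find_cycles(graph):
        print("circular dependency:", " -> ".join(cycle))
```

On a host where the probe crashes, running this against `/etc/systemd/system` and `/lib/systemd/system` shows which units form the cycle that would have to be broken for the mitigation in the last bullet, or confirms the cycle is gone after a change.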