[opensuse-security] CVE OVAL Files
Hi,

I have some concerns with the OVAL files on the OpenSUSE site at:
http://ftp.suse.com/pub/projects/security/oval/

It seems like there is conflicting information in some of the information provided. The criteria that specify packages have duplicates with different versions. For example, the following is a snippet from the OVAL file:
http://ftp.suse.com/pub/projects/security/oval/opensuse.11.1.xml

  <definition id="oval:org.opensuse.security:def:20130160" version="1" class="vulnerability">
  ...
    <criteria operator="OR">
    ...
      <!-- 23807efa0fda2554a9635e4fffacead3 -->
      <criteria operator="AND">
        <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
        <criteria operator="OR">
          <criterion test_ref="oval:org.opensuse.security:tst:2009077426" comment="kernel-default less than 3.0.80-0.5.1"/>
          ...
        </criteria>
      </criteria>
      <!-- 2f736fd60525e237201b485f497a314b -->
      <criteria operator="OR">
        <criteria operator="AND">
          <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
          <criteria operator="OR">
            <criterion test_ref="oval:org.opensuse.security:tst:2009077162" comment="kernel-default less than 3.0.74-0.6.6.2"/>
            ...
          </criteria>
        </criteria>

If I am reading this correctly, it specifies the package kernel-default less than version 3.0.80-0.5.1 OR version 3.0.74-0.6.6.2. This effectively specifies the kernel-package version less than 3.0.80-0.5.1.

On a similar note, this CVE (CVE-2013-0160) appears to be affecting SUSE Linux Enterprise Server 11 SP2, based off the OVAL snippet above. However, SLES 11 SP2 is not listed on the announcement, here:
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00018.html

Am I understanding this correctly? If this is not in error, could someone please explain the logic behind this?

Thanks,
Jason McFadyen
Security Researcher | Rapid7 | Toronto, ON
(416) 531-3180

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
Hi,

On Fri, Jan 10, 2014 at 07:33:53PM +0000, Jason McFadyen wrote:
> Hi,
> I have some concerns with the OVAL files on the OpenSUSE site at:
> http://ftp.suse.com/pub/projects/security/oval/
> It seems like there is conflicting information in some of the information provided. The criteria that specify packages have duplicates with different versions. For example, the following is a snippet from the OVAL file: http://ftp.suse.com/pub/projects/security/oval/opensuse.11.1.xml

Well, this is not from this opensuse.11.1.xml ... it's either from full.xml or from suse.linux.enterprise.server.11.xml

>   <definition id="oval:org.opensuse.security:def:20130160" version="1" class="vulnerability">
>   ...
>     <criteria operator="OR">
>     ...
>       <!-- 23807efa0fda2554a9635e4fffacead3 -->
>       <criteria operator="AND">
>         <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
>         <criteria operator="OR">
>           <criterion test_ref="oval:org.opensuse.security:tst:2009077426" comment="kernel-default less than 3.0.80-0.5.1"/>
>           ...
>         </criteria>
>       </criteria>
>       <!-- 2f736fd60525e237201b485f497a314b -->
>       <criteria operator="OR">
>         <criteria operator="AND">
>           <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
>           <criteria operator="OR">
>             <criterion test_ref="oval:org.opensuse.security:tst:2009077162" comment="kernel-default less than 3.0.74-0.6.6.2"/>
>             ...
>           </criteria>
>         </criteria>
>
> If I am reading this correctly, it specifies the package kernel-default less than version 3.0.80-0.5.1 OR version 3.0.74-0.6.6.2. This effectively specifies the kernel-package version less than 3.0.80-0.5.1.

We tracked this CVE fix for CVE-2013-0160 in both updates. The reason here is that the 3.0.74 update fixed it too strictly, causing some issues with /dev/ptmx users. 3.0.80 then had an improved fix for the same problem. Having the same CVE appear in two updates can occasionally happen. Perhaps, to avoid double mentioning, some filtering on OVAL generation could be done. The final result of the OVAL logic should however amount to "< 3.0.80-0.5.1", so we are good.

> On a similar note, this CVE (CVE-2013-0160) appears to be affecting SUSE Linux Enterprise Server 11 SP2, based off the OVAL snippet above. However, SLES 11 SP2 is not listed on the announcement, here: http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00018.html

The kernels usually get one update notice per code stream. The SLES 11 SP2 ones are here:
http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00001.html
(both together give the 3.0.74 update)
http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00014.html

Note the addendum to the CVE-2013-0160 entry: "This has been fixed again by updating accessed/modified time on the pty devices in resolution of 8 seconds, so that idle time detection can still work."

> Am I understanding this correctly? If this is not in error, could someone please explain the logic behind this?

It is not that big a problem I think.

Ciao, Marcus
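To check the claim made in this thread, that an OR of "kernel-default less than 3.0.80-0.5.1" and "kernel-default less than 3.0.74-0.6.6.2" under the same "sles11-sp2 is installed" guard collapses to "< 3.0.80-0.5.1", here is an added evaluator for the criteria tree; it is not part of the thread or of SUSE's OVAL tooling. It assumes a constructed fragment that keeps the thread's ids and comments but, unlike a real OVAL scanner that resolves each test_ref to its test/object/state, evaluates the comment text directly, and it uses a simplified rpmvercmp without epoch or tilde handling.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the mail's snippet (ids/comments from the thread).
OVAL_SNIPPET = """
<criteria operator="OR">
  <criteria operator="AND">
    <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
    <criterion test_ref="oval:org.opensuse.security:tst:2009077426" comment="kernel-default less than 3.0.80-0.5.1"/>
  </criteria>
  <criteria operator="AND">
    <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
    <criterion test_ref="oval:org.opensuse.security:tst:2009077162" comment="kernel-default less than 3.0.74-0.6.6.2"/>
  </criteria>
</criteria>"""

def rpmvercmp(a, b):
    """Simplified rpmvercmp: alnum segments, numbers compared numerically, numeric beats alpha."""
    ta, tb = (re.findall(r"[0-9]+|[a-zA-Z]+", s) for s in (a, b))
    for x, y in zip(ta, tb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def evr_less_than(installed, fixed):
    """True when installed 'version-release' sorts before the fixed one (no epoch support)."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) < 0

def eval_criterion(comment, system):
    """Stand-in for resolving test_ref: turn the criterion comment into a check."""
    if (m := re.match(r"(\S+) less than (\S+)$", comment)):
        pkg, fixed = m.groups()
        ver = system["packages"].get(pkg)
        return ver is not None and evr_less_than(ver, fixed)
    if (m := re.match(r"(\S+) is installed$", comment)):
        return m.group(1) == system["product"]
    raise ValueError("unsupported criterion: " + comment)

def eval_criteria(node, system):
    """Fold a <criteria> subtree with its AND/OR operator, recursing into nested criteria."""
    vals = [eval_criterion(c.get("comment"), system) if c.tag == "criterion"
            else eval_criteria(c, system) for c in node]
    return all(vals) if node.get("operator") == "AND" else any(vals)

def is_vulnerable(product, kernel_version):
    system = {"product": product, "packages": {"kernel-default": kernel_version}}
    return eval_criteria(ET.fromstring(OVAL_SNIPPET.strip()), system)
```

A kernel between the two fixed versions (e.g. 3.0.76) still matches, which is what makes the second branch redundant rather than contradictory.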