
Ignore the minor target part of the revision for CentOS packages in VDT#6709

Merged
chemamartinez merged 6 commits into master from 6261-redhat-versions on Nov 27, 2020

Conversation

@chemamartinez
Contributor

@chemamartinez chemamartinez commented Nov 23, 2020

Description

This pull request attempts to avoid false positives like the one reported at #6261.

It truncates the minor part of the package revision when the agent being analyzed is CentOS instead of RHEL. Following the case that @gary561 reported for a CentOS 6:

CVE-2013-0292

We can see the RHSA provided by RHEL which tells us, as the OVAL feed, that the fix for RHEL6 is provided in the package dbus-glib-0.86-6.el6_4.src.rpm and derivatives.

<criterion comment="dbus-glib is earlier than 0:0.86-6.el6_4" test_ref="oval:com.redhat.rhsa:tst:20130568001"/>

When installing a RHEL6 we can see the dbus-glib package installed by default is the one that the feed points to.

[root@ip-172-31-2-240 ~]# rpm -qi dbus-glib
Name        : dbus-glib                    Relocations: (not relocatable)
Version     : 0.86                              Vendor: Red Hat, Inc.
Release     : 6.el6_4                       Build Date: Wed Feb 20 07:23:59 2013
Install Date: Tue Jul 14 09:33:56 2015         Build Host: x86-002.build.bos.redhat.com
Group       : System Environment/Libraries   Source RPM: dbus-glib-0.86-6.el6_4.src.rpm
Size        : 579611                           License: AFL and GPLv2+
Signature   : RSA/8, Mon Feb 25 07:38:06 2013, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freedesktop.org/software/dbus/
Summary     : GLib bindings for D-Bus

And the vulnerability is fixed:

[root@ip-172-31-2-240 ~]# rpm -q dbus-glib --changelog | head
* Mon Feb 20 2012 Colin Walters <walters@redhat.com> - 0.86-6
- Add patch from upstream for CVE-2013-0292
  Resolves: #913077
* Wed Jul 14 2010 Colin Walters <walters@redhat.com> - 0.86-5
- Add patch from upstream to fix shadow properties
  Resolves: #609628
* Wed Apr 28 2010 Colin Walters <walters@redhat.com> - 0.86-3
- Sync with F-13 (bugfix only release)

However, when installing a CentOS 6 we find the version installed is 0.86-6.el6:

[root@localhost ~]# rpm -qi dbus-glib
Name        : dbus-glib                    Relocations: (not relocatable)
Version     : 0.86                              Vendor: CentOS
Release     : 6.el6                         Build Date: Tue 26 Feb 2013 06:38:52 PM EST
Install Date: Tue 19 Nov 2020 12:01:39 PM EST         Build Host: c6b9.bsys.dev.centos.org
Group       : System Environment/Libraries   Source RPM: dbus-glib-0.86-6.el6.src.rpm
Size        : 579611                           License: AFL and GPLv2+
Signature   : RSA/SHA1, Wed 27 Feb 05:59:02 AM EST, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
URL         : http://www.freedesktop.org/software/dbus/
Summary     : GLib bindings for D-Bus

And the package has the same size, commits, description, etc. The only difference is the package builder, which is CentOS in this case.

To sum up, we cannot ensure that packages built by the CentOS team have the same lineage as the ones provided by the Red Hat team, at least for backports. So, facing the lack of a particular feed for CentOS vulnerabilities, the best way to avoid these false positives is to not compare the minor target when scanning packages provided by CentOS.

Tests

  • Compilation without warnings on every supported platform
    • Linux
  • Source installation
  • Review logs syntax and correct language
  • Tested the added function manually
  • Running a scan for the affected OS

After running the scan for CentOS 6 we can see now the CVE-2013-0292 is not reported:

DEBUG: (5460): Package 'dbus-glib' not vulnerable to 'CVE-2013-0292'. Version (0.86-6.el6) not 'less than' '0.86-6.el6_4' (feed 'OVAL').
DEBUG: (5458): Package 'dbus-glib' inserted into the vulnerability 'CVE-2013-0292'. Version (0.86-6.el6) 'less than or equal' '0.100' (feed 'NVD').
DEBUG: (5458): Package 'dbus-glib' inserted into the vulnerability 'CVE-2013-0292'. Version (0.86-6.el6) 'equal' '0.86' (feed 'NVD').
DEBUG: (5462): Package 'dbus-glib' not vulnerable to 'CVE-2013-0292' since it is not affected (feed 'OVAL').

dbus-glib is marked as vulnerable by the NVD, but discarded in the correlation process due to the OVAL.

  • Memory tests for Linux
    • Scan-build report
    • Valgrind (memcheck and descriptor leaks check)
  • Added unit tests (for new features)
  • Stress test for affected components
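The comparison this pull request changes, as an added example rather than the code merged here: a minimal rpmvercmp-style compare plus a helper that drops the "_N" minor target from a release string before the check, so a CentOS 0.86-6.el6 is no longer reported as "less than" the feed's 0.86-6.el6_4. Function names, the 64-byte release buffer, the "_ followed by digits" rule and the equal-epoch assumption are mine, not Wazuh's.

```c
#include <ctype.h>
#include <string.h>

/* Minimal rpmvercmp: alternating numeric/alpha runs, separators skipped; returns -1, 0 or 1 (no tilde/caret). */
static int rpm_vercmp(const char *a, const char *b) {
    for (;;) {
        while (*a && !isalnum((unsigned char)*a)) a++;
        while (*b && !isalnum((unsigned char)*b)) b++;
        if (!*a || !*b) return (*a != 0) - (*b != 0);   /* leftover characters win */
        int num = isdigit((unsigned char)*a) != 0;
        const char *sa = a, *sb = b;
        if (num) { while (isdigit((unsigned char)*a)) a++; while (isdigit((unsigned char)*b)) b++; }
        else     { while (isalpha((unsigned char)*a)) a++; while (isalpha((unsigned char)*b)) b++; }
        if (sb == b) return num ? 1 : -1;                /* numeric run sorts after alpha run */
        if (num) { while (sa < a && *sa == '0') sa++; while (sb < b && *sb == '0') sb++; }
        size_t la = a - sa, lb = b - sb;
        if (num && la != lb) return la > lb ? 1 : -1;    /* longer number is bigger */
        int r = strncmp(sa, sb, la < lb ? la : lb);
        if (r) return r < 0 ? -1 : 1;
        if (la != lb) return la > lb ? 1 : -1;
    }
}

/* Copy a release string without its "_N" minor target: "6.el6_4" -> "6.el6",
 * "1.el7_9.2" -> "1.el7.2". Treating "_digits" as the minor target is an assumption. */
static void strip_minor_target(const char *release, char *out, size_t n) {
    strncpy(out, release, n - 1); out[n - 1] = '\0';
    char *p = strchr(out, '_');
    if (p && isdigit((unsigned char)p[1])) {
        char *q = p + 1;
        while (isdigit((unsigned char)*q)) q++;
        memmove(p, q, strlen(q) + 1);
    }
}

/* 1 if installed version-release is older than the feed's fix (would be reported vulnerable).
 * For CentOS agents the minor target is dropped on both sides first; epochs are assumed equal. */
static int is_vulnerable(const char *inst_ver, const char *inst_rel,
                         const char *fix_ver, const char *fix_rel, int is_centos) {
    char ri[64], rf[64];
    if (is_centos) {
        strip_minor_target(inst_rel, ri, sizeof ri);
        strip_minor_target(fix_rel, rf, sizeof rf);
        inst_rel = ri; fix_rel = rf;
    }
    int c = rpm_vercmp(inst_ver, fix_ver);
    if (c == 0) c = rpm_vercmp(inst_rel, fix_rel);
    return c < 0;
}
```

With is_centos set, the dbus-glib case from the description compares 6.el6 against 6.el6 and is not flagged; without it the "_4" makes the feed release newer and the false positive returns.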


@danimegar danimegar left a comment


LGTM!

@chemamartinez chemamartinez merged commit 6c13c47 into master Nov 27, 2020
@chemamartinez chemamartinez deleted the 6261-redhat-versions branch November 27, 2020 17:55