
Re: [opensuse-security] CVE OVAL Files

On Fri, Jan 10, 2014 at 07:33:53PM +0000, Jason McFadyen wrote:
> Hi,
> I have some concerns with the OVAL files on the OpenSUSE site at:
> http://ftp.suse.com/pub/projects/security/oval/
> It seems like there is conflicting information in some of the information provided. The criteria that specifies packages have duplicates with different versions.
> For example, the following is a snippet from the OVAL file: http://ftp.suse.com/pub/projects/security/oval/opensuse.11.1.xml

Well, this is not from this opensuse.11.1.xml ... it's either from full.xml or from

> <definition id="oval:org.opensuse.security:def:20130160" version="1" class="vulnerability">
>   ...
>   <criteria operator="OR">
>     ...
>     <!-- 23807efa0fda2554a9635e4fffacead3 -->
>     <criteria operator="AND">
>       <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
>       <criteria operator="OR">
>         <criterion test_ref="oval:org.opensuse.security:tst:2009077426" comment="kernel-default less than 3.0.80-0.5.1"/> 
>         ...
>       </criteria>
>     </criteria>
>     <!-- 2f736fd60525e237201b485f497a314b -->
>     <criteria operator="OR">
>       <criteria operator="AND">
>         <criterion test_ref="oval:org.opensuse.security:tst:2009073673" comment="sles11-sp2 is installed"/>
>         <criteria operator="OR">
>           <criterion test_ref="oval:org.opensuse.security:tst:2009077162" comment="kernel-default less than 3.0.74-"/>
>           ...
>         </criteria>
>       </criteria>
> If I am reading this correctly, it specifies the package kernel-default less than version 3.0.80-0.5.1 OR version 3.0.74-. This effectively specifies the kernel-package version less than 3.0.80-0.5.1.

We tracked this CVE fix for CVE-2013-0160 in both updates. 

Reason here is that the 3.0.74 update fixed it too strictly, causing some issues with /dev/ptmx users.
3.0.80 then had an improved fix on the same problem.

This having the same CVE appear in two updates can occasionally happen.
Perhaps to avoid double mentioning some filtering on OVAL generation could be done.

The final result of the OVAL logic should however amount to "< 3.0.80-0.5.1" so we are good.

> On a similar note, this CVE (CVE-2013-0160) appears to be affecting SUSE Linux Enterprise Server 11 SP2, based off the OVAL snippet above. However, SLES 11SP2 is not listed on the announcement, here: http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00018.html

The kernels usually get one update notice per code stream. The SLES 11 SP2 ones are here:

(both together give the 3.0.74 update)

Note addendum to CVE-2013-0160 entry:
"This has been fixed again by updating accessed/modified time on the pty devices
 in resolution of 8 seconds, so that idle time detection can
 still work."

> Am I understanding this correctly? If this is not in error, could someone please explain the logic behind this?

It is not that big a problem I think.

Ciao, Marcus
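Worked example, added here and not part of Marcus's mail or of SUSE's OVAL tooling: a small Python evaluation of the duplicated criteria quoted above, with a simplified rpmvercmp (no tilde or caret handling) and a collapse step that reduces the OR-ed bounds to the single "< 3.0.80-0.5.1" test. The tree, the leaf encoding and the function names are constructed for illustration.

```python
import re
from functools import cmp_to_key
def rpmvercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret handling): returns -1, 0 or 1."""
    # Compare alternating numeric / alphabetic runs, as rpm does
    sa, sb = re.findall(r"\d+|[a-zA-Z]+", a), re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1          # numeric beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def evrcmp(a, b):
    """Compare 'version-release' strings; an empty release sorts lowest."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)

# Constructed criteria tree mirroring the quoted snippet, reduced to the two
# kernel-default tests. A leaf is ("product", name) or ("kernel-default <", evr).
CRITERIA = ("OR", [
    ("AND", [("product", "sles11-sp2"),
             ("OR", [("kernel-default <", "3.0.80-0.5.1")])]),
    ("OR", [("AND", [("product", "sles11-sp2"),
                     ("OR", [("kernel-default <", "3.0.74-")])])]),
])

def evaluate(node, product, kernel_evr):
    """True when the definition matches the given product and kernel EVR."""
    op, body = node
    if op == "product":
        return body == product
    if op == "kernel-default <":
        return evrcmp(kernel_evr, body) < 0
    results = [evaluate(child, product, kernel_evr) for child in body]
    return any(results) if op == "OR" else all(results)

def effective_bound(node):
    """Highest 'less than' bound in the tree: the one test the duplicated
    branches amount to (assumes every branch is gated by the same product)."""
    op, body = node
    if op == "kernel-default <":
        return body
    children = body if op in ("OR", "AND") else []      # product leaf: nothing
    bounds = [b for b in map(effective_bound, children) if b]
    return max(bounds, key=cmp_to_key(evrcmp)) if bounds else None
```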