[ubuntu-hardened] The patch package for util-linux in Ubuntu OVAL is incorrect

Eduardo Barretto eduardo.barretto at canonical.com
Thu May 9 08:45:40 UTC 2024


Hi,

To clarify one thing first:
'util-linux' is the source package that generates a few binaries such as 'bsdutils',
so 'bsdutils' is not a dependency of 'util-linux' but rather a product of it.
The 'util-linux' source package also generates a 'util-linux' binary package, and those
have the same versioning.
'bsdutils' is the only binary package whose versioning differs from the other binary
packages and from the source package itself.

You didn't mention which OVAL feed you are using, so I'm assuming this is the CVE-based
OVAL for jammy (Ubuntu 22.04).

For the CVE-2024-28085 that you mentioned, you can see the following:
<criterion test_ref="oval:com.ubuntu.jammy:tst:2024280850000000" comment="util-linux package in jammy was vulnerable but has been fixed (note: '2.37.2-4ubuntu3.3')."/>
<criterion test_ref="oval:com.ubuntu.jammy:tst:2024280850000010" comment="util-linux package in jammy was vulnerable but has been fixed (note: '2.37.2-4ubuntu3.3')."/>

You have two tests for 'util-linux' source package because of the different binaries
with different versions.

If you continue to go down in the structure, you will see:
<linux-def:dpkginfo_test id="oval:com.ubuntu.jammy:tst:2024280850000000" version="1" check_existence="at_least_one_exists" check="at least one" comment="Does the 'util-linux' package exist and is the version less than '2.37.2-4ubuntu3.3'?">
<linux-def:dpkginfo_test id="oval:com.ubuntu.jammy:tst:2024280850000010" version="1" check_existence="at_least_one_exists" check="at least one" comment="Does the 'util-linux' package exist and is the version less than '1:2.37.2-4ubuntu3.3'?">
Here we start to hint at the binary versions, because that's officially
what you will need to compare to.

and then:
<linux-def:dpkginfo_object id="oval:com.ubuntu.jammy:obj:2024280850000000" version="1" comment="The 'util-linux' package binaries">
<linux-def:dpkginfo_object id="oval:com.ubuntu.jammy:obj:2024280850000010" version="1" comment="The 'util-linux' package binary">

to the point you get to the list of binaries:
<constant_variable id="oval:com.ubuntu.jammy:var:2024280850000000" version="1" datatype="string" comment="The 'util-linux' package binaries">
  <value>bsdextrautils</value>
  <value>eject</value>
  <value>fdisk</value>
  <value>libblkid1</value>
  <value>libfdisk1</value>
  <value>libmount1</value>
  <value>libsmartcols1</value>
  <value>libuuid1</value>
  <value>mount</value>
  <value>rfkill</value>
  <value>util-linux</value>
  <value>util-linux-locales</value>
  <value>uuid-runtime</value>
</constant_variable>
<constant_variable id="oval:com.ubuntu.jammy:var:2024280850000010" version="1" datatype="string" comment="The 'util-linux' package binary">
  <value>bsdutils</value>
</constant_variable>

In the comments we only refer to the source package name and not to the binaries.
That means every time we say 'util-linux' in the comments, that's the source package
name.
We can certainly improve the text, but we wouldn't be listing all the binary
package names in the comments, as this would become too verbose; we would still
refer to the source package name.

Does that help clarify your doubt?

Regards,
Eduardo

On Thu, May 09, 2024 at 01:58:57PM +0900, 古好佑輔 wrote:
> I suspect that in Ubuntu OVAL, the version of bsdutils, which is a
> dependency package of util-linux, is mistakenly reported as the version of
> the util-linux patch package.
> 
> The following CVEs are relevant:
> CVE-2016-5011
> CVE-2018-7738
> CVE-2021-3995
> CVE-2021-3996
> CVE-2021-37600
> CVE-2024-28085
> https://security-metadata.canonical.com/oval/
> 
> For example, for CVE-2024-28085, the following are reported as the patch
> packages:
> util-linux 2.37.2-4ubuntu3.3 or higher
> util-linux 1:2.37.2-4ubuntu3.3 or higher
> 
> util-linux 1:2.37.2-4ubuntu3.3 is a version that does not exist in
> util-linux, could it be a version of bsdutils?