
"Version less than 0.0" in OVAL definitions


Serkan Özkan

May 16, 2021, 10:40:02 AM
Hello,
We are using Debian OVAL definitions but there are many tests, and states, that test for dpkg versions being less than 0.0 which is impossible in practice (right?). 
How should we handle these tests/definitions? Should we ignore them or does 0.0 have a special meaning in this case?

<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="linux is earlier than 0" id="oval:org.debian.oval:tst:22144" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:195"/>
<state state_ref="oval:org.debian.oval:ste:14430"/>
</dpkginfo_test>
<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="jhead is earlier than 0" id="oval:org.debian.oval:tst:22145" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:740"/>
<state state_ref="oval:org.debian.oval:ste:14430"/>
</dpkginfo_test>
...
<dpkginfo_state id="oval:org.debian.oval:ste:14430" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<evr datatype="debian_evr_string" operation="less than">0:0</evr>
</dpkginfo_state>
<dpkginfo_state id="oval:org.debian.oval:ste:14431" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<evr datatype="debian_evr_string" operation="less than">0:1.14.4-1+deb10u1</evr>
</dpkginfo_state>
<dpkginfo_state id="oval:org.debian.oval:ste:14432" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<evr datatype="debian_evr_string" operation="less than">0:0</evr>
</dpkginfo_state>


Thanks in advance,
Serkan Özkan

Holger Levsen

May 17, 2021, 2:50:02 AM
On Sun, May 16, 2021 at 05:21:50PM +0300, Serkan Özkan wrote:
> We are using Debian OVAL definitions but there are many tests, and states,
> that test for dpkg versions being less than 0.0 which is impossible in
> practice (right?).

no, it's possible:

0~1 is a valid version. It's smaller than zero, yet it's not a negative
number.

It's usually used for versions like 1.0~0alpha1-1 to allow the next
version to be 1.0-1... but 0~1 is a legal and valid version too.


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

I'm looking forward to Corona being a beer again and Donald a duck.
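Holger's point (0~1 sorts below 0 without being negative) and Serkan's question (what a "less than 0:0" state actually matches) are easiest to see by running the comparison. The following is an added example, not code from the thread or from Debian's OVAL generator: a small Python comparator that follows dpkg's documented version ordering (epoch, then upstream, then revision, with "~" sorting before everything including end-of-string), plus an evaluator for a single-evr <dpkginfo_state>. The two state snippets are copied from the thread; the installed versions fed to them, and the function names compare_versions, state_matches and is_pre_zero_state, are constructed for this example.

```python
import xml.etree.ElementTree as ET

# OVAL "linux" namespace used by the dpkginfo_* elements quoted in the thread.
NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"


def _order(c: str) -> int:
    """Sort weight of one character, following dpkg's rule:
    '~' < end-of-string (and digits) < letters < other symbols."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) as dpkg does:
    alternate non-digit runs and numeric runs, '~' sorting lowest."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights; a missing character weighs 0,
        # so "~" (weight -1) loses even against the end of the other string.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then the longer run wins,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its parts; epoch and revision are optional."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# OVAL operation names that make sense for an evr comparison.
_OPERATIONS = {
    "less than": lambda c: c < 0,
    "less than or equal": lambda c: c <= 0,
    "equals": lambda c: c == 0,
    "not equal": lambda c: c != 0,
    "greater than": lambda c: c > 0,
    "greater than or equal": lambda c: c >= 0,
}


def _evr_element(state_xml: str):
    root = ET.fromstring(state_xml)
    evr = root.find(f"{{{NS}}}evr")
    if evr is None or evr.get("datatype") != "debian_evr_string":
        raise ValueError("expected one <evr datatype='debian_evr_string'> element")
    return evr


def state_matches(state_xml: str, installed: str) -> bool:
    """Evaluate a single-evr <dpkginfo_state> against an installed package version."""
    evr = _evr_element(state_xml)
    test = _OPERATIONS[evr.get("operation", "equals")]
    return test(compare_versions(installed, evr.text.strip()))


def is_pre_zero_state(state_xml: str) -> bool:
    """True for 'less than 0:0' states: only pre-zero versions such as 0~1 can
    satisfy them, so a consumer may want to flag such states for review."""
    evr = _evr_element(state_xml)
    return evr.get("operation") == "less than" and compare_versions(evr.text.strip(), "0:0") == 0


# States copied from the thread; the versions tested against them below are constructed.
STATE_14430 = f'''<dpkginfo_state id="oval:org.debian.oval:ste:14430" version="1" xmlns="{NS}">
<evr datatype="debian_evr_string" operation="less than">0:0</evr>
</dpkginfo_state>'''
STATE_14431 = f'''<dpkginfo_state id="oval:org.debian.oval:ste:14431" version="1" xmlns="{NS}">
<evr datatype="debian_evr_string" operation="less than">0:1.14.4-1+deb10u1</evr>
</dpkginfo_state>'''

if __name__ == "__main__":
    print("0~1 < 0:", compare_versions("0~1", "0") < 0)
    print("1.0~0alpha1-1 < 1.0-1:", compare_versions("1.0~0alpha1-1", "1.0-1") < 0)
    for state in (STATE_14430, STATE_14431):
        for installed in ("0~1", "1.14.4-1", "1.14.4-1+deb10u1"):
            print(installed, "matches" if state_matches(state, installed) else "does not match")
    print("ste:14430 is a pre-zero state:", is_pre_zero_state(STATE_14430))
```

Running it shows that state ste:14430 matches only a constructed pre-zero version like 0~1 and nothing a real package would carry, while ste:14431 behaves as expected, matching 1.14.4-1 but not 1.14.4-1+deb10u1.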

Serkan Özkan

May 17, 2021, 4:00:03 AM
Hello,
In theory, from a version-numbering point of view only, yes, less than 0.0 is valid. But in practice, as they are used in Debian OVAL definitions, I don't think they are. I think these state values might be incorrect, probably unintentionally. And there are many, thousands, of these "less than 0.0" versions; I don't think they are actually intended to test for pre-version-0 releases.
For example, who could be using a pre version 0 release of glibc?

<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="glibc is earlier than 0" id="oval:org.debian.oval:tst:22102" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:3"/>
<state state_ref="oval:org.debian.oval:ste:14418"/>
</dpkginfo_test>
...
<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="golang-1.11 is earlier than 0" id="oval:org.debian.oval:tst:22067" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:2202"/>
<state state_ref="oval:org.debian.oval:ste:14410"/>
</dpkginfo_test>
...
<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="rustc is earlier than 0" id="oval:org.debian.oval:tst:22068" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:1670"/>
<state state_ref="oval:org.debian.oval:ste:14410"/>
</dpkginfo_test>
...
<dpkginfo_test check="all" check_existence="at_least_one_exists" comment="sqlcipher is earlier than 0" id="oval:org.debian.oval:tst:22069" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.debian.oval:obj:2614"/>
<state state_ref="oval:org.debian.oval:ste:14410"/>
</dpkginfo_test>

Javier Fernandez-Sanguino

May 17, 2021, 5:20:02 AM
On Mon, 17 May 2021 at 09:58, Serkan Özkan <ser...@vulniq.com> wrote:
> Hello,
> In theory, from a version-numbering point of view only, yes, less than 0.0 is valid. But in practice, as they are used in Debian OVAL definitions, I don't think they are. I think these state values might be incorrect, probably unintentionally. And there are many, thousands, of these "less than 0.0" versions; I don't think they are actually intended to test for pre-version-0 releases.

Dear Serkan,

There is a problem with the OVAL definitions published on the website. The definitions are generated from the information available (in webwml files) in the source code of the website, but this is missing version information in a way that can be properly interpreted by the scripts.

As a consequence, the output (the definitions) does not include an accurate value for the version. To implement this properly we would need to re-engineer the script that was created in 2010. Help here would be appreciated; I can point you to the script + setup if you could help.

Hope the above clarifies. Best regards,

Javier

Sébastien Delafond

May 17, 2021, 7:00:02 AM

Hi,

the Debian Security team periodically gets requests and/or bug reports
about the OVAL exports, and our general stance is that although we can't
provide support for them, I'll gladly review and accept PRs on the OVAL
generation code if people are interested in fixing whatever issues they
find on their end.

Cheers,

--
Seb

Serkan Özkan

May 17, 2021, 2:20:03 PM
Hello Seb,
For some reason I didn't receive your email but saw it on the mailing list archive page.
OVAL definitions are important for us and we would like to fix them if possible. Can you please let me know where the code is?

Thank you,
Serkan

On Mon, 17 May 2021 at 12:22, Serkan Özkan <ser...@vulniq.com> wrote:
> Hello,
> Thanks for the information Javier. Not promising anything, but I can try to fix the script if you can point me to the script + setup.
>
> Thank you,
> Serkan

Javier Fernandez-Sanguino

May 17, 2021, 4:00:02 PM
On Mon, 17 May 2021 at 19:58, Serkan Özkan <ser...@vulniq.com> wrote:
> Hello Seb,
> For some reason I didn't receive your email but saw it on the mailing list archive page.
> OVAL definitions are important for us and we would like to fix them if possible. Can you please let me know where the code is?


Hi Serkan,

I believe the latest version of the code for the OVAL definitions generation is in the source code of the website, more specifically in this directory: https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/security/oval/generate.py. An older version was the Perl script I developed (at https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/security/parse-wml-oval.pl) which is not functional anymore.

To generate the definitions, you need to have a copy of all the Debian Security Advisories, which is available in the web source repository (at https://salsa.debian.org/webmaster-team/webwml/-/tree/master/english/security).

Hope the above helps.

Javier