* [PATCH 1/3] cve-check: use Version for "=" operator
@ 2021-03-04 14:44 Lee Chee Yang
2021-03-04 14:44 ` [PATCH 2/3] cve-update-db-native: consider version suffix when update CVE db Lee Chee Yang
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Lee Chee Yang @ 2021-03-04 14:44 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <Chee.Yang.Lee@intel.com>
version string from NVD might not constant all the time, cast them to
Version whenever possible while compare for equal operator.
CVE-2010-0426
"cpe23Uri" : "cpe:2.3:a:todd_miller:sudo:1.6.3_p1:*:*:*:*:*:*:*"
CVE-2010-1646
"cpe23Uri" : "cpe:2.3:a:todd_miller:sudo:1.6.3p1:*:*:*:*:*:*:*"
Signed-off-by: Lee Chee Yang <Chee.Yang.Lee@intel.com>
---
meta/classes/cve-check.bbclass | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 112ee3379d..e0c8321e99 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -269,8 +269,15 @@ def check_cves(d, patched_cves):
(_, _, _, version_start, operator_start, version_end, operator_end) = row
#bb.debug(2, "Evaluating row " + str(row))
- if (operator_start == '=' and pv == version_start) or version_start == '-':
+ if version_start == '-':
+ # '-' can be any version
vulnerable = True
+ elif operator_start == '=':
+ # it could be unexpected version string which cannot be parse, compare them string to string only in such case
+ try:
+ vulnerable = (Version(pv,suffix) == Version(version_start,suffix))
+ except:
+ vulnerable = (pv == version_start)
else:
if operator_start:
try:
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/3] cve-update-db-native: consider version suffix when update CVE db
2021-03-04 14:44 [PATCH 1/3] cve-check: use Version for "=" operator Lee Chee Yang
@ 2021-03-04 14:44 ` Lee Chee Yang
2021-03-04 14:44 ` [PATCH 3/3] cve-check: CVE_VERSION_SUFFIX to work with patched release Lee Chee Yang
2021-03-04 15:06 ` [OE-core] [PATCH 1/3] cve-check: use Version for "=" operator Steve Sakoman
2 siblings, 0 replies; 5+ messages in thread
From: Lee Chee Yang @ 2021-03-04 14:44 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
some record from NVD can merge or split suffix from version, for
example:
CVE-2017-15906
"cpe23Uri" : "cpe:2.3:a:openbsd:openssh:5.0:p1:*:*:*:*:*:*"
"cpe23Uri" : "cpe:2.3:a:openbsd:openssh:4.7p1:*:*:*:*:*:*:*"
in such case include the suffix into version when update local CVE db.
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
meta/recipes-core/meta/cve-update-db-native.bb | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index cf62e1e32c..b3dc33734d 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -143,9 +143,14 @@ def parse_node_and_insert(c, node, cveId):
product = cpe23[4]
version = cpe23[5]
+ if cpe23[6] == '*' or cpe23[6] == '-':
+ version_suffix = ""
+ else:
+ version_suffix = "_" + cpe23[6]
+
if version != '*' and version != '-':
# Version is defined, this is a '=' match
- yield [cveId, vendor, product, version, '=', '', '']
+ yield [cveId, vendor, product, version + version_suffix, '=', '', '']
elif version == '-':
# no version information is available
yield [cveId, vendor, product, version, '', '', '']
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 3/3] cve-check: CVE_VERSION_SUFFIX to work with patched release
2021-03-04 14:44 [PATCH 1/3] cve-check: use Version for "=" operator Lee Chee Yang
2021-03-04 14:44 ` [PATCH 2/3] cve-update-db-native: consider version suffix when update CVE db Lee Chee Yang
@ 2021-03-04 14:44 ` Lee Chee Yang
2021-03-04 15:06 ` [OE-core] [PATCH 1/3] cve-check: use Version for "=" operator Steve Sakoman
2 siblings, 0 replies; 5+ messages in thread
From: Lee Chee Yang @ 2021-03-04 14:44 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
CVE_VERSION_SUFFIX in "patch" to treat version string with suffix "pX"
or "patchX" as patched release.
also update testcases to cover this changes and set CVE_VERSION_SUFFIX
for sudo.
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
meta/lib/oe/cve_check.py | 7 ++++++-
meta/lib/oeqa/selftest/cases/cve_check.py | 8 ++++++++
meta/recipes-extended/sudo/sudo.inc | 2 ++
3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index ce755f940a..a1d7c292af 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -11,8 +11,13 @@ _Version = collections.namedtuple(
class Version():
def __init__(self, version, suffix=None):
+
+ suffixes = ["alphabetical", "patch"]
+
if str(suffix) == "alphabetical":
version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+ elif str(suffix) == "patch":
+ version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
else:
version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
@@ -23,7 +28,7 @@ class Version():
self._version = _Version(
release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
- patch_l=match.group("patch_l") if str(suffix) == "alphabetical" and match.group("patch_l") else "",
+ patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
pre_l=match.group("pre_l"),
pre_v=match.group("pre_v")
)
diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 3f343a2841..d1947baffc 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -34,3 +34,11 @@ class CVECheck(OESelftestTestCase):
self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' < '1.0r'")
result = Version("1.0b","alphabetical") > Version("1.0","alphabetical")
self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' > '1.0'")
+
+ # consider the trailing "p" and "patch" as patched released when comparing
+ result = Version("1.0","patch") < Version("1.0p1","patch")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0' < '1.0p1'")
+ result = Version("1.0p2","patch") > Version("1.0p1","patch")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0p2' > '1.0p1'")
+ result = Version("1.0_patch2","patch") < Version("1.0_patch3","patch")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0_patch2' < '1.0_patch3'")
diff --git a/meta/recipes-extended/sudo/sudo.inc b/meta/recipes-extended/sudo/sudo.inc
index 97ecabe0fc..0bea35a0a3 100644
--- a/meta/recipes-extended/sudo/sudo.inc
+++ b/meta/recipes-extended/sudo/sudo.inc
@@ -49,3 +49,5 @@ do_compile_prepend () {
do_install_prepend (){
mkdir -p ${D}/${localstatedir}/lib
}
+
+CVE_VERSION_SUFFIX = "patch"
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [OE-core] [PATCH 1/3] cve-check: use Version for "=" operator
2021-03-04 14:44 [PATCH 1/3] cve-check: use Version for "=" operator Lee Chee Yang
2021-03-04 14:44 ` [PATCH 2/3] cve-update-db-native: consider version suffix when update CVE db Lee Chee Yang
2021-03-04 14:44 ` [PATCH 3/3] cve-check: CVE_VERSION_SUFFIX to work with patched release Lee Chee Yang
@ 2021-03-04 15:06 ` Steve Sakoman
2021-03-17 12:07 ` Ross Burton
2 siblings, 1 reply; 5+ messages in thread
From: Steve Sakoman @ 2021-03-04 15:06 UTC (permalink / raw)
To: Lee Chee Yang
Cc: Patches and discussions about the oe-core layer, Richard Purdie,
Ross Burton
On Thu, Mar 4, 2021 at 4:44 AM Lee Chee Yang <chee.yang.lee@intel.com> wrote:
>
> From: Lee Chee Yang <Chee.Yang.Lee@intel.com>
>
> version string from NVD might not constant all the time, cast them to
> Version whenever possible while compare for equal operator.
>
> CVE-2010-0426
> "cpe23Uri" : "cpe:2.3:a:todd_miller:sudo:1.6.3_p1:*:*:*:*:*:*:*"
>
> CVE-2010-1646
> "cpe23Uri" : "cpe:2.3:a:todd_miller:sudo:1.6.3p1:*:*:*:*:*:*:*"
>
> Signed-off-by: Lee Chee Yang <Chee.Yang.Lee@intel.com>
> ---
> meta/classes/cve-check.bbclass | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index 112ee3379d..e0c8321e99 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -269,8 +269,15 @@ def check_cves(d, patched_cves):
> (_, _, _, version_start, operator_start, version_end, operator_end) = row
> #bb.debug(2, "Evaluating row " + str(row))
>
> - if (operator_start == '=' and pv == version_start) or version_start == '-':
> + if version_start == '-':
> + # '-' can be any version
I had an extended email exchange with the database maintainers about
the use/meaning of '-'
Here is their final word (which left me quite unsatisfied in its ambiguity)
"In general, the '-' is used when affected versions of a product are
unknown. If affected versions are stated, and there is no fix
available, the configuration would be up to (including) the latest
stated affected version. I would also like to add that '-' also means
N/A, so not necessarily only when affected versions are unknown, which
may help to clear your confusion."
Using '-' to signify either "we don't know" or "not applicable" seems
quite wrong to me :-( But that's the way it is.
> vulnerable = True
> + elif operator_start == '=':
> + # it could be unexpected version string which cannot be parse, compare them string to string only in such case
> + try:
> + vulnerable = (Version(pv,suffix) == Version(version_start,suffix))
> + except:
> + vulnerable = (pv == version_start)
> else:
> if operator_start:
> try:
> --
> 2.17.1
>
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [OE-core] [PATCH 1/3] cve-check: use Version for "=" operator
2021-03-04 15:06 ` [OE-core] [PATCH 1/3] cve-check: use Version for "=" operator Steve Sakoman
@ 2021-03-17 12:07 ` Ross Burton
0 siblings, 0 replies; 5+ messages in thread
From: Ross Burton @ 2021-03-17 12:07 UTC (permalink / raw)
To: Steve Sakoman
Cc: Lee Chee Yang, Patches and discussions about the oe-core layer,
Richard Purdie
Right, as Steve said the semantics here are somewhat vague, and we
should err on the side of caution.
Changes like this make me think that we *really* need to expand the
test suite with every change. Add in some CVEs to the suite that
demonstrate the problem, with comments explaining what should happen,
so that we don't regress as the logic gets more convoluted.
The other patches in the series are fine, but this one I think does
need some test cases.
Ross
On Thu, 4 Mar 2021 at 15:07, Steve Sakoman <steve@sakoman.com> wrote:
>
> On Thu, Mar 4, 2021 at 4:44 AM Lee Chee Yang <chee.yang.lee@intel.com> wrote:
> >
> > From: Lee Chee Yang <Chee.Yang.Lee@intel.com>
> >
> > version string from NVD might not constant all the time, cast them to
> > Version whenever possible while compare for equal operator.
> >
> > CVE-2010-0426
> > "cpe23Uri" : "cpe:2.3:a:todd_miller:sudo:1.6.3_p1:*:*:*:*:*:*:*"
> >
> > CVE-2010-1646
> > "cpe23Uri" : "cpe:2.3:a:todd_miller:sudo:1.6.3p1:*:*:*:*:*:*:*"
> >
> > Signed-off-by: Lee Chee Yang <Chee.Yang.Lee@intel.com>
> > ---
> > meta/classes/cve-check.bbclass | 9 ++++++++-
> > 1 file changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> > index 112ee3379d..e0c8321e99 100644
> > --- a/meta/classes/cve-check.bbclass
> > +++ b/meta/classes/cve-check.bbclass
> > @@ -269,8 +269,15 @@ def check_cves(d, patched_cves):
> > (_, _, _, version_start, operator_start, version_end, operator_end) = row
> > #bb.debug(2, "Evaluating row " + str(row))
> >
> > - if (operator_start == '=' and pv == version_start) or version_start == '-':
> > + if version_start == '-':
> > + # '-' can be any version
>
> I had an extended email exchange with the database maintainers about
> the use/meaning of '-'
>
> Here is their final word (which left me quite unsatisfied in its ambiguity)
>
> "In general, the '-' is used when affected versions of a product are
> unknown. If affected versions are stated, and there is no fix
> available, the configuration would be up to (including) the latest
> stated affected version. I would also like to add that '-' also means
> N/A, so not necessarily only when affected versions are unknown, which
> may help to clear your confusion."
>
> Using '-' to signify either "we don't know" or "not applicable" seems
> quite wrong to me :-( But that's the way it is.
>
> > vulnerable = True
> > + elif operator_start == '=':
> > + # it could be unexpected version string which cannot be parse, compare them string to string only in such case
> > + try:
> > + vulnerable = (Version(pv,suffix) == Version(version_start,suffix))
> > + except:
> > + vulnerable = (pv == version_start)
> > else:
> > if operator_start:
> > try:
> > --
> > 2.17.1
> >
> >
> >
> >
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-03-17 12:07 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-04 14:44 [PATCH 1/3] cve-check: use Version for "=" operator Lee Chee Yang
2021-03-04 14:44 ` [PATCH 2/3] cve-update-db-native: consider version suffix when update CVE db Lee Chee Yang
2021-03-04 14:44 ` [PATCH 3/3] cve-check: CVE_VERSION_SUFFIX to work with patched release Lee Chee Yang
2021-03-04 15:06 ` [OE-core] [PATCH 1/3] cve-check: use Version for "=" operator Steve Sakoman
2021-03-17 12:07 ` Ross Burton
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.