[Open-scap] Fwd: evr

Simon Lukasik slukasik at redhat.com
Fri Nov 8 12:34:44 UTC 2013 

On 11/08/2013 12:34 PM, Maria Kedovskaya wrote:
> The specification has this string: / Note that a null epoch (or '(none)' as 
> returned by rpm) is equivalent to '0' and would hence have the form 
> 0:VERSION-RELEASE. /The correct epoch is 0:17.0.7+build1-0ubuntu0.12.04.1 and 
> according this note 
> http://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/oval-definitions-schema.html#EntityStateEVRStringType the 
> state could just have string 17.0.7+build1-0ubuntu0.12.04.1 and 0 should be 
> substituted. But this does not occur in openscap.
> 

I read it the other way around.

It is not clear to me that tools should assume epoch=0. But I might be
wrong. I am not used to the form used in OVAL spec.


I read the quoted text as a note for content authors (people or tools)
that when they encounter a package without epoch (or with epoch equal to
'(none)', they should still follow the form EPOCH:VERSION-RELEASE.

It just says that if there is not epoch they should use 0:VERSION-RELEASE.


Additionally, the dpkginfo_state/evr definition reads:

    This represents the epoch, version, and release fields as a single
    version string. It has the form "EPOCH:VERSION-RELEASE"

and your content does not full fill that.

I hope Tomas will correct me If I am going off the track.

All the best,
Šimon

> With Best Regards,
> Maria Mikhno (Kedovskaya)
> Altex-Soft
> kmn at altx-soft.ru | altx-soft.ru <http://www.altx-soft.ru/> | altex-soft.com 
> <http://www.altex-soft.com/>
> --------------------------------------------------------------------------------
> <http://www.altex-soft.com/>
> 
> --------------------------------------------------------------------------------
> *От: *"Simon Lukasik" <slukasik at redhat.com>
> *Кому: *"Maria Kedovskaya" <kmn at altx-soft.ru>, open-scap-list at redhat.com
> *Отправленные: *Пятница, 8 Ноябрь 2013 г 13:06:26
> *Тема: *Re: [Open-scap] evr
> 
> On 11/08/2013 10:00 AM, Simon Lukasik wrote:
>  > On 11/07/2013 01:59 PM, Maria Kedovskaya wrote:
>  >> Hello,
>  >> I have a question about parameter evr in dpkginfo_state and rpminfo_state. In
>  >> one of this states there is such caption: /This represents the epoch, version,
>  >> and release fields as a single version string. It has the form
>  >> "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by 
> rpm)
>  >> is equivalent to '0' and would hence have the form 0:VERSION-RELEASE.
>  >> Comparisons involving this datatype should follow the algorithm of librpm's
>  >> rpmvercmp() function.
>  >> 
> (/http://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/linux-definitions-schema.html). 
> 
>  >> My question is if absence of colon is should be replaced with 0: in both of 
> this
>  >> states in openscap. Now I have such result: for example the test which check
>  >> that httpd package is less than or equal to 17.0.7+build1-0ubuntu0.12.04.1
>  >> returns true if httpd version 1:24.1.0+build1-0ubuntu0.12.04.1 is installed.
>  >>
>  >
>  > Hello Maria,
>  >
>  > I am sorry that I don't have dpkg system around to test.
>  >
>  > However, I would first try to set a correct epoch in your content. I
>  > guess it should read like:
>  >
>  >     1:17.0.7+build1-0ubuntu0.12.04.1
>  >
>  > Then, if you still are getting a false positive, you might have hit a bug.
>  >
>  >
>  >
>  > Note that your evr string:
>  >
>  >     17.0.7+build1-0ubuntu0.12.04.1
>  >
>  > doesn't comply with specification which reads:
>  >
>  >     This represents the epoch, version, and release fields as a single
>  >     version string. It has the form "EPOCH:VERSION-RELEASE".
>  >
>  > In conclusion, the behavior for a not-well-defined item is unknown. As
>  > it is not specified well.
>  >
> 
> Here, one can argue. That the scanner should suppose epoch equal to zero
> (when the epoch is missing).
> 
> But you need to understand that such scanner would only hide the problem.
> 
> In you case, consider that you have installed
> 
>      1:17.0.7+build1-0ubuntu0.12.04.1
> 
> and you search for less than or equal to:
> 
>      17.0.7+build1-0ubuntu0.12.04.1
> 
> . If the scanner was assuming epoch 0. The version would not match. And
> you would never notice the vulnerability.
> 
> Best regards,
> 
> -- 
> Simon Lukasik
> Security Technologies
> 
> 
> 
> 
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
> 

-- 
Simon Lukasik
Security Technologies

More information about the Open-scap-list mailing list