[Open-scap] Fwd: evr
Simon Lukasik
slukasik at redhat.com
Fri Nov 8 12:34:44 UTC 2013
On 11/08/2013 12:34 PM, Maria Kedovskaya wrote:
> The specification has this string: / Note that a null epoch (or '(none)' as
> returned by rpm) is equivalent to '0' and would hence have the form
> 0:VERSION-RELEASE. /The correct epoch is 0:17.0.7+build1-0ubuntu0.12.04.1 and
> according this note
> http://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/oval-definitions-schema.html#EntityStateEVRStringType the
> state could just have string 17.0.7+build1-0ubuntu0.12.04.1 and 0 should be
> substituted. But this does not occur in openscap.
>
I read it the other way around.
It is not clear to me that tools should assume epoch=0. But I might be
wrong. I am not used to the form used in OVAL spec.
I read the quoted text as a note for content authors (people or tools)
that when they encounter a package without epoch (or with epoch equal to
'(none)', they should still follow the form EPOCH:VERSION-RELEASE.
It just says that if there is not epoch they should use 0:VERSION-RELEASE.
Additionally, the dpkginfo_state/evr definition reads:
This represents the epoch, version, and release fields as a single
version string. It has the form "EPOCH:VERSION-RELEASE"
and your content does not full fill that.
I hope Tomas will correct me If I am going off the track.
All the best,
Šimon
> With Best Regards,
> Maria Mikhno (Kedovskaya)
> Altex-Soft
> kmn at altx-soft.ru | altx-soft.ru <http://www.altx-soft.ru/> | altex-soft.com
> <http://www.altex-soft.com/>
> --------------------------------------------------------------------------------
> <http://www.altex-soft.com/>
>
> --------------------------------------------------------------------------------
> *От: *"Simon Lukasik" <slukasik at redhat.com>
> *Кому: *"Maria Kedovskaya" <kmn at altx-soft.ru>, open-scap-list at redhat.com
> *Отправленные: *Пятница, 8 Ноябрь 2013 г 13:06:26
> *Тема: *Re: [Open-scap] evr
>
> On 11/08/2013 10:00 AM, Simon Lukasik wrote:
> > On 11/07/2013 01:59 PM, Maria Kedovskaya wrote:
> >> Hello,
> >> I have a question about parameter evr in dpkginfo_state and rpminfo_state. In
> >> one of this states there is such caption: /This represents the epoch, version,
> >> and release fields as a single version string. It has the form
> >> "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by
> rpm)
> >> is equivalent to '0' and would hence have the form 0:VERSION-RELEASE.
> >> Comparisons involving this datatype should follow the algorithm of librpm's
> >> rpmvercmp() function.
> >>
> (/http://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/linux-definitions-schema.html).
>
> >> My question is if absence of colon is should be replaced with 0: in both of
> this
> >> states in openscap. Now I have such result: for example the test which check
> >> that httpd package is less than or equal to 17.0.7+build1-0ubuntu0.12.04.1
> >> returns true if httpd version 1:24.1.0+build1-0ubuntu0.12.04.1 is installed.
> >>
> >
> > Hello Maria,
> >
> > I am sorry that I don't have dpkg system around to test.
> >
> > However, I would first try to set a correct epoch in your content. I
> > guess it should read like:
> >
> > 1:17.0.7+build1-0ubuntu0.12.04.1
> >
> > Then, if you still are getting a false positive, you might have hit a bug.
> >
> >
> >
> > Note that your evr string:
> >
> > 17.0.7+build1-0ubuntu0.12.04.1
> >
> > doesn't comply with specification which reads:
> >
> > This represents the epoch, version, and release fields as a single
> > version string. It has the form "EPOCH:VERSION-RELEASE".
> >
> > In conclusion, the behavior for a not-well-defined item is unknown. As
> > it is not specified well.
> >
>
> Here, one can argue. That the scanner should suppose epoch equal to zero
> (when the epoch is missing).
>
> But you need to understand that such scanner would only hide the problem.
>
> In you case, consider that you have installed
>
> 1:17.0.7+build1-0ubuntu0.12.04.1
>
> and you search for less than or equal to:
>
> 17.0.7+build1-0ubuntu0.12.04.1
>
> . If the scanner was assuming epoch 0. The version would not match. And
> you would never notice the vulnerability.
>
> Best regards,
>
> --
> Simon Lukasik
> Security Technologies
>
>
>
>
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
>
--
Simon Lukasik
Security Technologies
More information about the Open-scap-list
mailing list