I created a test OVAL file to dig into this a little bit more.
$ cat com.ubuntu.test.cve.oval.xml
<oval_definitions
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
    xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd
                        http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd
                        http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd
                        http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd
                        http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
  <generator>
    <oval:product_name>Canonical CVE OVAL Generator</oval:product_name>
    <oval:product_version>1.1</oval:product_version>
    <oval:schema_version>5.11.1</oval:schema_version>
    <oval:timestamp>2020-03-03T10:37:20</oval:timestamp>
  </generator>
  <definitions>
    <definition class="vulnerability" id="oval:com.ubuntu.test:def:200" version="1">
      <metadata>
        <title>CVE-1970-0200 on Ubuntu - high.</title>
        <description>OVAL TEST
To simulate a vulnerable package with no
available patch being installed on the system.
Checks for the 'linux-doesnotexist-base'
package to be installed on the system.
There is no 'linux-doesnotexist-base' package
so it will never be installed.
This test should always return false (not
vulnerable) and appear green in the report.</description>
        <affected family="unix">
          <platform>Ubuntu</platform>
        </affected>
        <advisory>
          <severity>High</severity>
          <rights>Copyright (C) 2018 Canonical Ltd.</rights>
          <public_date>2018-01-24 10:29:00 UTC</public_date>
        </advisory>
      </metadata>
      <criteria>
        <criterion test_ref="oval:com.ubuntu.test:tst:200"
                   comment="linux-doesnotexist-base package is affected and needs fixing." />
      </criteria>
    </definition>
    <definition class="vulnerability" id="oval:com.ubuntu.test:def:300" version="1">
      <metadata>
        <title>CVE-1970-0300 on Ubuntu - high.</title>
        <description>OVAL TEST
This is the opposite of the previous test, just
to confirm that oscap correctly detects the installed package.
Checks for the 'linux-base' package to be
installed on the system.
There should always be a 'linux-base' package
installed.
This test should always return true
(vulnerable) and appear red/orange in the report.</description>
        <affected family="unix">
          <platform>Ubuntu</platform>
        </affected>
        <advisory>
          <severity>High</severity>
          <rights>Copyright (C) 2018 Canonical Ltd.</rights>
          <public_date>2018-01-24 10:29:00 UTC</public_date>
        </advisory>
      </metadata>
      <criteria>
        <criterion test_ref="oval:com.ubuntu.test:tst:300"
                   comment="linux-base package in xenial is affected and needs fixing." />
      </criteria>
    </definition>
    <definition class="vulnerability" id="oval:com.ubuntu.test:def:400" version="1">
      <metadata>
        <title>CVE-1907-0400 on Ubuntu - high.</title>
        <description>OVAL TEST
To simulate an installed package that is
vulnerable when there is an available version to fix the CVE.
Checks for version less than
'99:99.9.9+dfsg-9ubuntu9.9' of the 'linux-base' package to be installed on the
system.
There should always be a 'linux-base' package
installed and the version will be less than '99:99.9.9+dfsg-9ubuntu9.9'.
This test should always return true
(vulnerable) and appear red/orange in the report.</description>
        <affected family="unix">
          <platform>Ubuntu</platform>
        </affected>
        <advisory>
          <severity>High</severity>
          <rights>Copyright (C) 2017 Canonical Ltd.</rights>
          <public_date>2017-03-27 17:59:00 UTC</public_date>
          <public_date_at_usn>2017-03-27</public_date_at_usn>
        </advisory>
      </metadata>
      <criteria>
        <criterion test_ref="oval:com.ubuntu.test:tst:400"
                   comment="linux-base package in xenial was vulnerable but has been fixed (note: '99:99.9.9p9+dfsg-9ubuntu9.9')." />
      </criteria>
    </definition>
    <definition class="vulnerability" id="oval:com.ubuntu.test:def:500" version="1">
      <metadata>
        <title>CVE-1907-0500 on Ubuntu - high.</title>
        <description>OVAL TEST
To simulate an installed package that is
updated to a patched version and not vulnerable to CVE.
Checks for version less than
'00:00.0.0+dfsg-0ubuntu0.0' of the 'linux-base' package to be installed on the
system.
There should always be a 'linux-base' package
installed and the version will be greater than '00:00.0.0+dfsg-0ubuntu0.0'.
This test should always return false (not
vulnerable) and appear green in the report.</description>
        <affected family="unix">
          <platform>Ubuntu</platform>
        </affected>
        <reference source="CVE" ref_id="CVE-2017-6458"
                   ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458" />
        <advisory>
          <severity>High</severity>
          <rights>Copyright (C) 2017 Canonical Ltd.</rights>
          <public_date>2017-03-27 17:59:00 UTC</public_date>
          <public_date_at_usn>2017-03-27</public_date_at_usn>
        </advisory>
      </metadata>
      <criteria>
        <criterion test_ref="oval:com.ubuntu.test:tst:500"
                   comment="linux-base package in xenial was vulnerable but has been fixed (note: '0:00.0.0p0+dfsg-0ubuntu0.0')." />
      </criteria>
    </definition>
  </definitions>
  <tests>
    <linux-def:dpkginfo_test id="oval:com.ubuntu.test:tst:200" version="1"
                             check_existence="at_least_one_exists" check="at least one"
                             comment="Does the 'linux-doesnotexist-base' package exist?">
      <linux-def:object object_ref="oval:com.ubuntu.test:obj:200"/>
    </linux-def:dpkginfo_test>
    <linux-def:dpkginfo_test id="oval:com.ubuntu.test:tst:300" version="1"
                             check_existence="at_least_one_exists" check="at least one"
                             comment="Does the 'linux-base' package exist?">
      <linux-def:object object_ref="oval:com.ubuntu.test:obj:300"/>
    </linux-def:dpkginfo_test>
    <linux-def:dpkginfo_test id="oval:com.ubuntu.test:tst:400" version="1"
                             check_existence="at_least_one_exists" check="at least one"
                             comment="Does the 'linux-base' package exist and is the version less than '99:99.9.9p9+dfsg-9ubuntu9.9'?">
      <linux-def:object object_ref="oval:com.ubuntu.test:obj:400"/>
      <linux-def:state state_ref="oval:com.ubuntu.test:ste:400" />
    </linux-def:dpkginfo_test>
    <linux-def:dpkginfo_test id="oval:com.ubuntu.test:tst:500" version="1"
                             check_existence="at_least_one_exists" check="at least one"
                             comment="Does the 'linux-base' package exist and is the version less than '0:00.0.0p0+dfsg-0ubuntu0.0'?">
      <linux-def:object object_ref="oval:com.ubuntu.test:obj:500"/>
      <linux-def:state state_ref="oval:com.ubuntu.test:ste:500" />
    </linux-def:dpkginfo_test>
  </tests>
  <objects>
    <linux-def:dpkginfo_object id="oval:com.ubuntu.test:obj:200" version="1"
                               comment="The 'linux-doesnotexist-base' package binaries.">
      <linux-def:name var_ref="oval:com.ubuntu.test:var:200" var_check="at least one" />
    </linux-def:dpkginfo_object>
    <linux-def:dpkginfo_object id="oval:com.ubuntu.test:obj:300" version="1"
                               comment="The 'linux-base' package binaries.">
      <linux-def:name var_ref="oval:com.ubuntu.test:var:300" var_check="at least one" />
    </linux-def:dpkginfo_object>
    <linux-def:dpkginfo_object id="oval:com.ubuntu.test:obj:400" version="1"
                               comment="The 'linux-base' package binaries.">
      <linux-def:name var_ref="oval:com.ubuntu.test:var:400" var_check="at least one" />
    </linux-def:dpkginfo_object>
    <linux-def:dpkginfo_object id="oval:com.ubuntu.test:obj:500" version="1"
                               comment="The 'linux-base' package binaries.">
      <linux-def:name var_ref="oval:com.ubuntu.test:var:500" var_check="at least one" />
    </linux-def:dpkginfo_object>
  </objects>
  <states>
    <linux-def:dpkginfo_state id="oval:com.ubuntu.test:ste:400" version="1"
                              comment="The package version is less than '99:99.9.9p9+dfsg-9ubuntu9.9'.">
      <linux-def:evr datatype="debian_evr_string" operation="less than">99:99.9.9p9+dfsg-9ubuntu9.9</linux-def:evr>
    </linux-def:dpkginfo_state>
    <linux-def:dpkginfo_state id="oval:com.ubuntu.test:ste:500" version="1"
                              comment="The package version is less than '0:00.0.0p0+dfsg-0ubuntu0.0'.">
      <linux-def:evr datatype="debian_evr_string" operation="less than">0:00.0.0p0+dfsg-0ubuntu0.0</linux-def:evr>
    </linux-def:dpkginfo_state>
  </states>
  <variables>
    <constant_variable id="oval:com.ubuntu.test:var:200" version="1"
                       datatype="string" comment="'linux-doesnotexist-base' package binaries">
      <value>linux-doesnotexist-base</value>
    </constant_variable>
    <constant_variable id="oval:com.ubuntu.test:var:300" version="1"
                       datatype="string" comment="'linux-base' package binaries">
      <value>linux-base</value>
    </constant_variable>
    <constant_variable id="oval:com.ubuntu.test:var:400" version="1"
                       datatype="string" comment="'linux-base' package binaries">
      <value>linux-base</value>
    </constant_variable>
    <constant_variable id="oval:com.ubuntu.test:var:500" version="1"
                       datatype="string" comment="'linux-base' package binaries">
      <value>linux-base</value>
    </constant_variable>
  </variables>
</oval_definitions>
I can run oscap against that test oval file successfully on trusty,
xenial and bionic VMs with the same results:
markmorlino@sec-bionic-amd64:~$ oscap oval eval --report report.html com.ubuntu.test.cve.oval.xml
Definition oval:com.ubuntu.test:def:500: false
Definition oval:com.ubuntu.test:def:400: true
Definition oval:com.ubuntu.test:def:300: true
Definition oval:com.ubuntu.test:def:200: false
Evaluation done.
I see very similar looking errors when I attempt to run the same oscap
command on eoan and focal:
markmorlino@sec-eoan-amd64:~$ oscap oval eval --report report.html com.ubuntu.test.cve.oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
Definition oval:com.ubuntu.test:def:500: error
W: oscap: Can't receive message: 103, Software caused connection abort.
Definition oval:com.ubuntu.test:def:400: error
W: oscap: Can't receive message: 103, Software caused connection abort.
Definition oval:com.ubuntu.test:def:300: error
Definition oval:com.ubuntu.test:def:200: false
OpenSCAP Error: Probe with PID=21031 has been killed with signal 11
[../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=21031 has core dumped.
[../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:com.ubuntu.test:obj:500' from test
'oval:com.ubuntu.test:tst:500' has an unknown flag. This may indicate a bug in
OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:914]
Probe with PID=21047 has been killed with signal 11
[../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=21047 has core dumped.
[../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:com.ubuntu.test:obj:400' from test
'oval:com.ubuntu.test:tst:400' has an unknown flag. This may indicate a bug in
OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:914]
Probe with PID=21062 has been killed with signal 11
[../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=21062 has core dumped.
[../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:com.ubuntu.test:obj:300' from test
'oval:com.ubuntu.test:tst:300' has an unknown flag. This may indicate a bug in
OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:914]
I also see these in /var/log/syslog:
Mar 4 09:13:50 sec-eoan-amd64 kernel: [12899.335657] traps: probe_worker[21104] general protection fault ip:7f44012cdc31 sp:7f43f9443138 error:0 in libc-2.30.so[7f44011f4000+178000]
Mar 4 09:13:51 sec-eoan-amd64 kernel: [12899.427120] traps: probe_worker[21114] general protection fault ip:7fb6b97f0c31 sp:7fb6b1966138 error:0 in libc-2.30.so[7fb6b9717000+178000]
Mar 4 09:13:51 sec-eoan-amd64 kernel: [12899.519719] traps: probe_worker[21124] general protection fault ip:7effa7110c31 sp:7eff9f286138 error:0 in libc-2.30.so[7effa7037000+178000]
My test
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=1907-0400
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=1907-0500
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=1970-0200
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=1970-0300
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6458
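The outcome each of the four definitions expects on a working oscap can be reproduced without the probe. This is an added example, not code from the bug report or from OpenSCAP: a Python model of a dpkginfo_test whose dpkginfo_state uses a debian_evr_string "less than" comparison, implemented with dpkg's version-ordering rules (epoch, upstream version, Debian revision; '~' sorts before everything). INSTALLED is a constructed package map standing in for the real dpkg database.

```python
import re

def _order(c):  # dpkg ordering for a non-digit character; "" is end of string
    if c == "~":
        return -1
    return 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Alternate non-digit and digit runs, mirroring dpkg's verrevcmp()
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if (len(da), da) != (len(db), db):  # longer digit run, then lexical, wins
            return 1 if (len(da), da) > (len(db), db) else -1
    return 0

def _split(v):  # -> (epoch, upstream_version, debian_revision)
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def dpkg_vercmp(v1, v2):
    """Negative, zero or positive, with dpkg --compare-versions semantics."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def dpkginfo_test(installed, name, less_than=None):
    # check_existence="at_least_one_exists": missing package -> false; with a
    # dpkginfo_state attached, the installed evr must be "less than" the fix
    if name not in installed:
        return False
    return less_than is None or dpkg_vercmp(installed[name], less_than) < 0

INSTALLED = {"linux-base": "4.5ubuntu1"}  # constructed sample, not a real host
DEFINITIONS = {  # the four definitions from the test file: (package, state evr)
    "oval:com.ubuntu.test:def:200": ("linux-doesnotexist-base", None),
    "oval:com.ubuntu.test:def:300": ("linux-base", None),
    "oval:com.ubuntu.test:def:400": ("linux-base", "99:99.9.9p9+dfsg-9ubuntu9.9"),
    "oval:com.ubuntu.test:def:500": ("linux-base", "0:00.0.0p0+dfsg-0ubuntu0.0"),
}

def evaluate_all(installed=INSTALLED):
    return {d: dpkginfo_test(installed, n, s) for d, (n, s) in DEFINITIONS.items()}
```

evaluate_all() yields false/true/true/false for def:200/300/400/500, the same results the trusty, xenial and bionic runs report.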
--
https://bugs.launchpad.net/bugs/1851682
Title:
oscap is broken in ubuntu 19.10