CentOS multi package invalid result #360

Closed
yas-ysd opened this issue Feb 27, 2017 · 11 comments
yas-ysd commented Feb 27, 2017

Sorry for writing in Japanese.
With a ChangeLog like the following, vuls produces an invalid result.

ChangeLog for: libreport-2.0.9-32.el6.centos.x86_64, libreport-cli-2.0.9-32.el6.centos.x86_64, libreport-compat-2.0.9-32.el6.centos.x86_64,
             : libreport-filesystem-2.0.9-32.el6.centos.x86_64, libreport-plugin-kerneloops-2.0.9-32.el6.centos.x86_64,
             : libreport-plugin-logger-2.0.9-32.el6.centos.x86_64, libreport-plugin-mailx-2.0.9-32.el6.centos.x86_64,
             : libreport-plugin-reportuploader-2.0.9-32.el6.centos.x86_64, libreport-plugin-rhtsupport-2.0.9-32.el6.centos.x86_64,
             : libreport-plugin-ureport-2.0.9-32.el6.centos.x86_64, libreport-python-2.0.9-32.el6.centos.x86_64
* Tue May 10 21:00:00 2016 Johnny Hughes <[email protected]> - 2.0.9-32

Although this is libreport-related, libpng is reported as the vulnerable package.

CVE-2015-5302           5.0  (Medium)   libreport 2.0.7 before 2.6.3 only saves changes to the first file when editing a
                                        crash report, which allows remote attackers to obtain sensitive information via
                                        :
                                        :
                                        https://access.redhat.com/security/cve/CVE-2015-5302
                                        libpng-1.2.49-1.el6_2 -> libpng-1.2.49-2.el6_7  <------- the package is wrong
                                        Confidence: 95 / ChangelogExactMatch

Since the ChangeLog seemed to be processed one line at a time, I worked around it with the
following change (rather brute-force, I admit).

diff --git a/scan/redhat.go b/scan/redhat.go
index 0d0bbbe..28200d4 100644
--- a/scan/redhat.go
+++ b/scan/redhat.go
@@ -466,6 +466,10 @@ func (o *redhat) parseAllChangelog(allChangelog string) (map[string]*string, err
        tmpline := ""
        var lines []string
        var prev, now bool
+
+       var changeLogForPattern = regexp.MustCompile(`^ChangeLog for: `)
+       var changeLogForEndPattern = regexp.MustCompile(`^\*\s`)
+
        for i := range orglines {
                if majorVersion == 5 {
                        /* for CentOS5 (yum-util < 1.1.20) */
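Review bot: `changeLogForPattern` and `changeLogForEndPattern` are recompiled on every call to `parseAllChangelog`; move the two `regexp.MustCompile` calls to package level (`var changeLogForPattern = regexp.MustCompile(...)` outside the function) or at least use `:=` inside it, and add a short comment that `^\*\s` is meant to be the first `* <date>` entry line that closes the package list.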
@@ -497,7 +501,18 @@ func (o *redhat) parseAllChangelog(allChangelog string) (map[string]*string, err
                } else {
                        /* for CentOS6,7 (yum-util >= 1.1.20) */
                        line := orglines[i]
-                       line = o.regexpReplace(line, `^ChangeLog for: `, "")
+
+                       if changeLogForPattern.MatchString(line) {
+                               line = o.regexpReplace(line, `^ChangeLog for: `, "")
+                               for {
+                                       i = i + 1
+                                       if changeLogForEndPattern.MatchString(orglines[i]) {
+                                               break
+                                       }
+                                       line = line + o.regexpReplace(orglines[i], `^\s*: `, "")
+                               }
+                       }
+
                        line = o.regexpReplace(line, `^\*\*\sNo\sChangeLog\sfor:.*`, "")
                        lines = append(lines, line)
                }
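Review bot: the inner `for` loop reads `orglines[i]` right after `i = i + 1` with no bounds check, so a changelog whose last `ChangeLog for:` header is not followed by a `* ` line panics with an index out of range; guard with `if i+1 >= len(orglines) { break }` before the read. Separately, `i` is the index of a `for i := range orglines` loop, so the outer loop reassigns it on the next iteration and the continuation lines the inner loop just consumed are visited again and appended to `lines` as ordinary entries instead of being skipped; a classic `for i := 0; i < len(orglines); i++` loop, or a separate cursor variable, would make the skip actually take effect.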

With this, I have confirmed that the correct result below is obtained, but I am not confident in
the change (for now I plan to run with it as it is).

CVE-2015-5302           5.0  (Medium)   libreport 2.0.7 before 2.6.3 only saves changes to the first file when editing a
                                        crash report, which allows remote attackers to obtain sensitive information via
                                        unspecified vectors related to the (1) backtrace, (2) cmdline, (3) environ, (4)
                                        open_fds, (5) maps, (6) smaps, (7) hostname, (8) remote, (9) ks.cfg, or (10)
                                        anaconda-tb file attachment included in a Red Hat Bugzilla bug report.
                                        http://www.cvedetails.com/cve/CVE-2015-5302
                                        https://access.redhat.com/security/cve/CVE-2015-5302
                                        libreport-2.0.9-24.el6.centos -> libreport-2.0.9-32.el6.centos
                                        libreport-cli-2.0.9-24.el6.centos -> libreport-cli-2.0.9-32.el6.centos
                                        libreport-compat-2.0.9-24.el6.centos -> libreport-compat-2.0.9-32.el6.centos
                                        libreport-filesystem-2.0.9-24.el6.centos ->
                                        libreport-filesystem-2.0.9-32.el6.centos
                                        libreport-plugin-kerneloops-2.0.9-24.el6.centos ->
                                        libreport-plugin-kerneloops-2.0.9-32.el6.centos
                                        libreport-plugin-logger-2.0.9-24.el6.centos ->
                                        libreport-plugin-logger-2.0.9-32.el6.centos
                                        libreport-plugin-mailx-2.0.9-24.el6.centos ->
                                        libreport-plugin-mailx-2.0.9-32.el6.centos
                                        libreport-plugin-reportuploader-2.0.9-24.el6.centos ->
                                        libreport-plugin-reportuploader-2.0.9-32.el6.centos
                                        libreport-plugin-rhtsupport-2.0.9-24.el6.centos ->
                                        libreport-plugin-rhtsupport-2.0.9-32.el6.centos
                                        libreport-plugin-ureport-2.0.9-24.el6.centos ->
                                        libreport-plugin-ureport-2.0.9-32.el6.centos
                                        libreport-python-2.0.9-24.el6.centos -> libreport-python-2.0.9-32.el6.centos
                                        Confidence: 95 / ChangelogExactMatch
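As an added example (not code from the issue or from vuls), the line-joining the patch above performs, written as a stand-alone Go parser over a constructed changelog in the format the issue quotes; the package names, dates and packager address in the sample are made up, and `Entry` and `ParseAllChangelog` are names chosen here:

```go
package main
import (
	"fmt"
	"regexp"
	"strings"
)
// Constructed sample in the yum changelog format quoted in the issue: a header
// whose package list continues on ": " lines, then the entries for all of them.
const sampleChangelog = `ChangeLog for: libreport-2.0.9-32.el6.centos.x86_64, libreport-cli-2.0.9-32.el6.centos.x86_64,
             : libreport-python-2.0.9-32.el6.centos.x86_64
* Tue May 10 21:00:00 2016 Example Packager <packager@example.com> - 2.0.9-32
- constructed entry for the libreport packages
ChangeLog for: libpng-1.2.49-2.el6_7.x86_64
* Mon Jan 04 21:00:00 2016 Example Packager <packager@example.com> - 2:1.2.49-2`
var headerRe = regexp.MustCompile(`^ChangeLog for: `)
var continuationRe = regexp.MustCompile(`^\s*: `)
// Entry is one changelog block: every package its header names, plus the body.
type Entry struct {
	Packages []string
	Body     []string
}
// ParseAllChangelog folds ": " continuation lines into the preceding header, so the
// body is attributed to every package the header names (a per-line parser keeps
// only the names on the first line, which is the misattribution in the issue).
func ParseAllChangelog(all string) []Entry {
	var entries []Entry
	for _, raw := range strings.Split(all, "\n") {
		if headerRe.MatchString(raw) {
			entries = append(entries, Entry{})
		} else if len(entries) == 0 {
			continue // text before the first header has no owner
		}
		cur := &entries[len(entries)-1]
		list := continuationRe.ReplaceAllString(headerRe.ReplaceAllString(raw, ""), "")
		if list == raw { // neither prefix stripped: an ordinary body line
			cur.Body = append(cur.Body, raw)
			continue
		}
		for _, p := range strings.Split(list, ",") {
			if p = strings.TrimSpace(p); p != "" {
				cur.Packages = append(cur.Packages, p)
			}
		}
	}
	return entries
}

func main() {
	for _, e := range ParseAllChangelog(sampleChangelog) {
		fmt.Printf("%v -> %d body line(s)\n", e.Packages, len(e.Body))
	}
}
```

Because the continuation lines are consumed by the same pass that splits the header, there is no index arithmetic on the outer loop and no read past the end of the input.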

yas-ysd commented Feb 27, 2017

I tried to open a pull request, but I got

remote: Permission to future-architect/vuls.git denied to yas-ysd.
fatal: unable to access 'https://github.com/future-architect/vuls.git/': The requested URL returned error: 403

so I could not push, and instead pasted the output of git diff into this issue.
(Sorry, I'm not very good with git.)

Also, the vuls version is as follows:
vuls v0.2.0 5581a5c

@kotakanbe kotakanbe added the bug label Feb 27, 2017
@kotakanbe (Member)

Thank you. I will check it.
A GitHub PR would be easier to test and merge, and when it is adopted @yas-ysd's name stays on record as a contributor. If you have time, it would be great if you could send one.

Also, Vuls has a Slack team, and in #vulsjp you can talk in Japanese. Please join us.
http://goo.gl/forms/xm5KFo35tu

@takotakot

@yas-ysd
Sorry to jump in. To open a pull request on GitHub, the steps are roughly:

  • Fork from the top right of the repository page (a copy into your own account)
  • Push to your forked repository on a suitable branch
  • Open a pull request from your own repository (the branch you want to submit)

Rather than pushing to future-architect/vuls.git, you push to something like yas-ysd/vuls.git, publish it there, and have it pulled in by reference. There are many introductory articles under "github pull request"; if you have time, please consult them.

@knqyf263 (Contributor)

@yas-ysd Could you paste the executed command?
Are you using -ssh-external option?

/* Could you tell me the command you used for the scan? */


yas-ysd commented Feb 28, 2017

vuls scan -cachedb-path=/var/lib/go/src/github.com/kotakanbe/go-cve-dictionary/cve.sqlite3 -config=xxxxxxx -results-dir=/home/xxxxxx/result_test

[servers]

[servers.xxxxxx]
host = "xxxxxx"
port = "22"
user = "xxxxxx"


knqyf263 commented Feb 28, 2017

@yas-ysd Thanks!
Could you fix the following line?
https://github.com/future-architect/vuls/blob/master/scan/executil.go#L225

Before:

if err = session.RequestPty("xterm", 400, 256, modes); err != nil {

After:

if err = session.RequestPty("xterm", 400, 1000, modes); err != nil {

After that, could you please try again?

/* I'd appreciate it if you could change the code above locally and try whether it works */

@kotakanbe kotakanbe modified the milestone: v0.3.0 Feb 28, 2017

yas-ysd commented Feb 28, 2017

I'll try it.

$ git diff
diff --git a/scan/executil.go b/scan/executil.go
index 4673643..e4b0c4c 100644
--- a/scan/executil.go
+++ b/scan/executil.go
@@ -222,7 +222,7 @@ func sshExecNative(c conf.ServerInfo, cmd string, sudo bool) (result execResult)
                ssh.TTY_OP_ISPEED: 14400, // input speed = 14.4kbaud
                ssh.TTY_OP_OSPEED: 14400, // output speed = 14.4kbaud
        }
-       if err = session.RequestPty("xterm", 400, 256, modes); err != nil {
+       if err = session.RequestPty("xterm", 400, 1000, modes); err != nil {
                result.Error = fmt.Errorf(
                        "Failed to request for pseudo terminal. servername: %s, err: %s",
                        c.ServerName, err)
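Review bot: the width argument to `session.RequestPty` is a bare magic number before and after (256 → 1000) and nothing in the hunk records why it matters; add a comment on the `RequestPty` line stating the reason this thread implies, that the remote command's output is laid out to the PTY width, so a narrow terminal wraps long lines such as the multi-package `ChangeLog for:` header that `parseAllChangelog` then reads line by line, and consider a named constant. A fixed width is still a limit for even longer package lists, so the comment should say so.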


yas-ysd commented Feb 28, 2017

I confirmed that it now displays correctly, as follows:

CVE-2015-5302           5.0  (Medium)   libreport 2.0.7 before 2.6.3 only saves changes to the first file when editing a
                                        crash report, which allows remote attackers to obtain sensitive information via
                                        unspecified vectors related to the (1) backtrace, (2) cmdline, (3) environ, (4)
                                        open_fds, (5) maps, (6) smaps, (7) hostname, (8) remote, (9) ks.cfg, or (10)
                                        anaconda-tb file attachment included in a Red Hat Bugzilla bug report.
                                        http://www.cvedetails.com/cve/CVE-2015-5302
                                        https://access.redhat.com/security/cve/CVE-2015-5302
                                        libreport-2.0.9-24.el6.centos -> libreport-2.0.9-32.el6.centos
                                        libreport-cli-2.0.9-24.el6.centos -> libreport-cli-2.0.9-32.el6.centos
                                        libreport-compat-2.0.9-24.el6.centos -> libreport-compat-2.0.9-32.el6.centos
                                        libreport-filesystem-2.0.9-24.el6.centos ->
                                        libreport-filesystem-2.0.9-32.el6.centos
                                        libreport-plugin-kerneloops-2.0.9-24.el6.centos ->
                                        libreport-plugin-kerneloops-2.0.9-32.el6.centos
                                        libreport-plugin-logger-2.0.9-24.el6.centos ->
                                        libreport-plugin-logger-2.0.9-32.el6.centos
                                        libreport-plugin-mailx-2.0.9-24.el6.centos ->
                                        libreport-plugin-mailx-2.0.9-32.el6.centos
                                        libreport-plugin-reportuploader-2.0.9-24.el6.centos ->
                                        libreport-plugin-reportuploader-2.0.9-32.el6.centos
                                        libreport-plugin-rhtsupport-2.0.9-24.el6.centos ->
                                        libreport-plugin-rhtsupport-2.0.9-32.el6.centos
                                        libreport-plugin-ureport-2.0.9-24.el6.centos ->
                                        libreport-plugin-ureport-2.0.9-32.el6.centos
                                        libreport-python-2.0.9-24.el6.centos -> libreport-python-2.0.9-32.el6.centos
                                        Confidence: 95 / ChangelogExactMatch

Also, with the packages I built here for testing, I confirmed that the output is

CVE-2015-5302   5.0  (Medium)   libreport 2.0.7 before 2.6.3 only saves changes to the first file when editing a
                                crash report, which allows remote attackers to obtain sensitive information via
                                unspecified vectors related to the (1) backtrace, (2) cmdline, (3) environ, (4)
                                open_fds, (5) maps, (6) smaps, (7) hostname, (8) remote, (9) ks.cfg, or (10)
                                anaconda-tb file attachment included in a Red Hat Bugzilla bug report.
                                http://www.cvedetails.com/cve/CVE-2015-5302
                                https://access.redhat.com/security/cve/CVE-2015-5302
                                lib_test_multi-no_01-0.0.0-0 -> lib_test_multi-no_01-10.10.10-10
                                lib_test_multi-no_02-0.0.0-0 -> lib_test_multi-no_02-10.10.10-10
                                lib_test_multi-no_03-0.0.0-0 -> lib_test_multi-no_03-10.10.10-10
                                lib_test_multi-no_04-0.0.0-0 -> lib_test_multi-no_04-10.10.10-10
                                lib_test_multi-no_05-0.0.0-0 -> lib_test_multi-no_05-10.10.10-10
                                lib_test_multi-no_06-0.0.0-0 -> lib_test_multi-no_06-10.10.10-10
                                lib_test_multi-no_07-0.0.0-0 -> lib_test_multi-no_07-10.10.10-10
                                lib_test_multi-no_08-0.0.0-0 -> lib_test_multi-no_08-10.10.10-10
                                lib_test_multi-no_09-0.0.0-0 -> lib_test_multi-no_09-10.10.10-10
                                lib_test_multi-no_10-0.0.0-0 -> lib_test_multi-no_10-10.10.10-10
                                lib_test_multi-no_11-0.0.0-0 -> lib_test_multi-no_11-10.10.10-10
                                lib_test_multi-no_12-0.0.0-0 -> lib_test_multi-no_12-10.10.10-10
                                lib_test_multi-no_13-0.0.0-0 -> lib_test_multi-no_13-10.10.10-10
                                lib_test_multi-no_14-0.0.0-0 -> lib_test_multi-no_14-10.10.10-10
                                lib_test_multi-no_15-0.0.0-0 -> lib_test_multi-no_15-10.10.10-10
                                Confidence: 95 / ChangelogExactMatch

as shown above.

@knqyf263 (Contributor)

It's good!
I'll fix this issue.

Thanks!

@kotakanbe (Member)

@knqyf263 @yas-ysd Merged!
