Merge ~litios/ubuntu-cve-tracker:oval_fix_tests_usn into ubuntu-cve-tracker:master
Proposed by
David Fernandez Gonzalez
Status: | Merged |
---|---|
Merged at revision: | 58138567f8674c1ab7b241f30073e15c2b819dd9 |
Proposed branch: | ~litios/ubuntu-cve-tracker:oval_fix_tests_usn |
Merge into: | ubuntu-cve-tracker:master |
Diff against target: |
339 lines (+90/-66) 2 files modified
scripts/oval_lib.py (+10/-9) test/test_oval_lib_unit.py (+80/-57) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Eduardo Barretto | Approve | ||
Review via email: mp+442817@code.launchpad.net |
Commit message
Description of the change
Recent changes to OVAL USN generation changed the output format, so the existing tests no longer pass.
This PR addresses the issue by including the following changes:
* Pocket added
* Ref_id and Ref_url reordered
* CVE tags added
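diff --git a/scripts/oval_lib.py b/scripts/oval_lib.py
index 668c447..44e37a5 100644
--- a/scripts/oval_lib.py
+++ b/scripts/oval_lib.py
@@ -124,16 +124,17 @@ def debug(message):
 def generate_cve_tag(cve):
 cve_ref = '<cve href="https://ubuntu.com/security/{0}" severity="{1}" public="{2}"'.format(cve['Candidate'], cve['Priority'], cve['PublicDate'].split(' ')[0].replace('-', ''))
 
- if cve['CVSS']:
+ if 'CVSS' in cve:
 cve_ref += ' cvss_score="{0}" cvss_vector="{1}"'.format(cve['CVSS'][0]['baseScore'], cve['CVSS'][0]['vector'])
 
 cve_ref_usns = False
- for ref in cve['References']:
- if 'https://ubuntu.com/security/notices/USN' in ref:
- if not cve_ref_usns:
- cve_ref_usns = True
- cve_ref += ' usns="'
- cve_ref += '{0},'.format(ref[40:])
+ if 'References' in cve:
+ for ref in cve['References']:
+ if 'https://ubuntu.com/security/notices/USN' in ref:
+ if not cve_ref_usns:
+ cve_ref_usns = True
+ cve_ref += ' usns="'
+ cve_ref += '{0},'.format(ref[40:])
 
 if cve_ref_usns:
 cve_ref = '{0}"'.format(cve_ref[:-1])
@@ -2060,7 +2061,7 @@ class OvalGeneratorUSN():
 return bugs.strip()
 
 def generate_cve_ref(self, cve):
- return '<reference source="CVE" ref_id="{0}" ref_url="{1}" />'.format(cve['Candidate'], cve['CVE_URL'])
+ return '<reference source="CVE" ref_id="{0}" ref_url="{1}"/>'.format(cve['Candidate'], cve['CVE_URL'])
 
 def create_cves_elements(self, cves):
 cve_tags = ""
@@ -2151,7 +2152,7 @@ class OvalGeneratorUSN():
 <affected family="unix">
 <platform>{platform}</platform>
 </affected>
- <reference source="USN" ref_url="{usn_url}" ref_id="{usn_id}"/>
+ <reference source="USN" ref_id="{usn_id}" ref_url="{usn_url}"/>
 {cves_references}
 <description>{description}</description>
 <advisory from="security@ubuntu.com">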
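Review bot: The new guard `if 'CVSS' in cve:` in generate_cve_tag tests only key presence, so an entry whose `CVSS` is present but `None` or an empty list (the removed test fixture used `'CVSS': None`) now fails on `cve['CVSS'][0]`, where the old truthiness test skipped it. `if cve.get('CVSS'):` handles both the missing key and the empty value, and `for ref in cve.get('References') or []:` does the same for the loop without the extra nesting. The USN match uses `in` while `ref[40:]` assumes the URL begins at offset 0, so `ref.startswith('https://ubuntu.com/security/notices/USN')` would keep the test and the slice consistent. The values are also formatted into XML attributes unescaped; whether the tracker files can carry `"` or `&` in these fields is not visible here and is worth confirming. The function body continues past the end of the first hunk.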
48 | diff --git a/test/test_oval_lib_unit.py b/test/test_oval_lib_unit.py |
49 | index 2c6dd8f..5b5c9a8 100644 |
50 | --- a/test/test_oval_lib_unit.py |
51 | +++ b/test/test_oval_lib_unit.py |
52 | @@ -53,7 +53,7 @@ class TestOvalLibUnit: |
53 | id_base_mock = 43881000000 |
54 | test_cve_file = "CVE-TEST" |
55 | usn_object_mock['id'] = "USN-" + usn_mock |
56 | - |
57 | + pocket = 'security' |
58 | |
59 | bin_dict_mock = collections.defaultdict(list) |
60 | bin_dict_mock = {'5.0.0.1042.27': ['linux-image-gke-5.0'], '5.0.0-1059.64': |
61 | @@ -68,14 +68,14 @@ class TestOvalLibUnit: |
62 | test_ref_mock = [({'version': '5.0.0-1059.64', |
63 | 'pkgs': ['linux-image-5.0.0-1059-oem-osp1'], |
64 | 'testref_id': '438810000000', |
65 | - 'kernel': '5.0.0-\d+(-oem-osp1)'}, |
66 | + 'kernel': r'5.0.0-\d+(-oem-osp1)'}, |
67 | {'version': '5.0.0-1059.64', |
68 | 'pkgs': ['linux-image-5.0.0-1059-oem-osp1'], |
69 | 'testref_id': '438810000010'}), |
70 | ({'version': '5.0.0-1042.43', |
71 | 'pkgs': ['linux-image-5.0.0-1042-gke'], |
72 | 'testref_id': '438810000020', |
73 | - 'kernel': '5.0.0-\d+(-gke)'}, |
74 | + 'kernel': r'5.0.0-\d+(-gke)'}, |
75 | {'version': '5.0.0-1042.43', |
76 | 'pkgs': ['linux-image-5.0.0-1042-gke'], |
77 | 'testref_id': '438810000030'})] |
78 | @@ -89,17 +89,23 @@ class TestOvalLibUnit: |
79 | <affected family="unix"> |
80 | <platform>Ubuntu 18.04 LTS</platform> |
81 | </affected> |
82 | - <reference source="USN" ref_url="https://ubuntu.com/security/notices/USN-4388-1" ref_id="USN-4388-1"/> |
83 | - <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-0067" ref_id="CVE-2020-0067"/> |
84 | - <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-0543" ref_id="CVE-2020-0543"/> |
85 | - <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-12114" ref_id="CVE-2020-12114"/> |
86 | - <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-12464" ref_id="CVE-2020-12464"/> |
87 | - <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-12659" ref_id="CVE-2020-12659"/> |
88 | - <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-1749" ref_id="CVE-2020-1749"/> |
89 | + <reference source="USN" ref_id="USN-4388-1" ref_url="https://ubuntu.com/security/notices/USN-4388-1"/> |
90 | + <reference source="CVE" ref_id="CVE-2020-0067" ref_url="https://ubuntu.com/security/CVE-2020-0067"/> |
91 | + <reference source="CVE" ref_id="CVE-2020-0543" ref_url="https://ubuntu.com/security/CVE-2020-0543"/> |
92 | + <reference source="CVE" ref_id="CVE-2020-12114" ref_url="https://ubuntu.com/security/CVE-2020-12114"/> |
93 | + <reference source="CVE" ref_id="CVE-2020-12464" ref_url="https://ubuntu.com/security/CVE-2020-12464"/> |
94 | + <reference source="CVE" ref_id="CVE-2020-12659" ref_url="https://ubuntu.com/security/CVE-2020-12659"/> |
95 | + <reference source="CVE" ref_id="CVE-2020-1749" ref_url="https://ubuntu.com/security/CVE-2020-1749"/> |
96 | <description>It was discovered that the F2FS file system implementation in the Linux kernel did not properly perform bounds checking on xattrs in some situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2020-0067) It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information. (CVE-2020-0543) Piotr Krysiuk discovered that race conditions existed in the file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2020-12114) It was discovered that the USB susbsystem's scatter-gather implementation in the Linux kernel did not properly take data references in some situations, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12464) Bui Quang Minh discovered that the XDP socket implementation in the Linux kernel did not properly validate meta-data passed from user space, leading to an out-of-bounds write vulnerability. A local attacker with the CAP_NET_ADMIN capability could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12659) Xiumei Mu discovered that the IPSec implementation in the Linux kernel did not properly encrypt IPv6 traffic in some situations. An attacker could use this to expose sensitive information. (CVE-2020-1749) Update Instructions: Run `sudo pro fix USN-4388-1` to fix the vulnerability. 
The problem can be corrected by updating your system to the following package versions: linux-image-5.0.0-1042-gke - 5.0.0-1042.43 No subscription required linux-image-5.0.0-1059-oem-osp1 - 5.0.0-1059.64 No subscription required</description> |
97 | <advisory from="security@ubuntu.com"> |
98 | <severity>Medium</severity> |
99 | <issued date="2020-06-09"/> |
100 | + <cve href="https://ubuntu.com/security/CVE-2020-0067" severity="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N">CVE-2020-0067</cve> |
101 | + <cve href="https://ubuntu.com/security/CVE-2020-0543" severity="medium" public="20200609" cvss_score="5.5" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N">CVE-2020-0543</cve> |
102 | + <cve href="https://ubuntu.com/security/CVE-2020-12114" severity="medium" public="20200504" cvss_score="4.7" cvss_vector="CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H">CVE-2020-12114</cve> |
103 | + <cve href="https://ubuntu.com/security/CVE-2020-12464" severity="medium" public="20200429" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H">CVE-2020-12464</cve> |
104 | + <cve href="https://ubuntu.com/security/CVE-2020-12659" severity="low" public="20200505" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H">CVE-2020-12659</cve> |
105 | + <cve href="https://ubuntu.com/security/CVE-2020-1749" severity="medium" public="20200304">CVE-2020-1749</cve> |
106 | <ref>https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SRBDS</ref> |
107 | </advisory> |
108 | </metadata> |
109 | @@ -115,14 +121,22 @@ class TestOvalLibUnit: |
110 | </criteria> |
111 | </definition>""" |
112 | |
113 | - references_mock = """<reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-0067" ref_id="CVE-2020-0067"/> |
114 | - <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-0543" ref_id="CVE-2020-0543"/> |
115 | - <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-12114" ref_id="CVE-2020-12114"/> |
116 | - <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-12464" ref_id="CVE-2020-12464"/> |
117 | - <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-12659" ref_id="CVE-2020-12659"/> |
118 | - <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-1749" ref_id="CVE-2020-1749"/>""" |
119 | - |
120 | - test_mock = [""" |
121 | + references_mock = """<reference source="CVE" ref_id="CVE-2020-0067" ref_url="https://ubuntu.com/security/CVE-2020-0067"/> |
122 | + <reference source="CVE" ref_id="CVE-2020-0543" ref_url="https://ubuntu.com/security/CVE-2020-0543"/> |
123 | + <reference source="CVE" ref_id="CVE-2020-12114" ref_url="https://ubuntu.com/security/CVE-2020-12114"/> |
124 | + <reference source="CVE" ref_id="CVE-2020-12464" ref_url="https://ubuntu.com/security/CVE-2020-12464"/> |
125 | + <reference source="CVE" ref_id="CVE-2020-12659" ref_url="https://ubuntu.com/security/CVE-2020-12659"/> |
126 | + <reference source="CVE" ref_id="CVE-2020-1749" ref_url="https://ubuntu.com/security/CVE-2020-1749"/>""" |
127 | + |
128 | + cve_tags_mock = """<cve href="https://ubuntu.com/security/CVE-2020-0067" severity="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N">CVE-2020-0067</cve> |
129 | + <cve href="https://ubuntu.com/security/CVE-2020-0543" severity="medium" public="20200609" cvss_score="5.5" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N">CVE-2020-0543</cve> |
130 | + <cve href="https://ubuntu.com/security/CVE-2020-12114" severity="medium" public="20200504" cvss_score="4.7" cvss_vector="CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H">CVE-2020-12114</cve> |
131 | + <cve href="https://ubuntu.com/security/CVE-2020-12464" severity="medium" public="20200429" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H">CVE-2020-12464</cve> |
132 | + <cve href="https://ubuntu.com/security/CVE-2020-12659" severity="low" public="20200505" cvss_score="6.7" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H">CVE-2020-12659</cve> |
133 | + <cve href="https://ubuntu.com/security/CVE-2020-1749" severity="medium" public="20200304">CVE-2020-1749</cve>""" |
134 | + |
135 | + |
136 | + test_mock = [r""" |
137 | <unix:uname_test check="at least one" comment="Is kernel 5.0.0-\d+(-oem-osp1) currently running?" id="oval:com.ubuntu.bionic:tst:438810000000" version="1"> |
138 | <unix:object object_ref="oval:com.ubuntu.bionic:obj:438810000000"/> |
139 | <unix:state state_ref="oval:com.ubuntu.bionic:ste:438810000000"/> |
140 | @@ -173,7 +187,7 @@ class TestOvalLibUnit: |
141 | <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> |
142 | </ind:textfilecontent54_object>""" |
143 | |
144 | - state_mock = [""" |
145 | + state_mock = [r""" |
146 | <unix:uname_state id="oval:com.ubuntu.bionic:ste:438810000000" version="1"> |
147 | <unix:os_release operation="pattern match">5.0.0-\d+(-oem-osp1)</unix:os_release> |
148 | </unix:uname_state>""", |
149 | @@ -211,7 +225,7 @@ class TestOvalLibUnit: |
150 | <value>linux-image-5.0.0-1042-gke</value> |
151 | </constant_variable>"""] |
152 | |
153 | - var_oci_mock = """ |
154 | + var_oci_mock = r""" |
155 | <constant_variable id="oval:com.ubuntu.bionic:var:438810000010" version="1" datatype="string" comment="Long Term Support"> |
156 | <value>^linux-image-5.0.0-1059-oem-osp1(?::\w+|)\s+(.*)$</value> |
157 | </constant_variable>""" |
158 | @@ -237,44 +251,42 @@ class TestOvalLibUnit: |
159 | url_ref_mock = \ |
160 | "<ref>https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SRBDS</ref>" |
161 | cves_info_mock = [{'Candidate': 'CVE-2020-0067', |
162 | - 'PublicDate': '2020-04-17 19:15:00 UTC', 'Priority': 'medium', 'CVSS': |
163 | - 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N', 'CVSS_SEVERITY_LEVEL': |
164 | - 'MEDIUM', 'CVSS_SCORE': '4.4', 'CVE_URL': |
165 | - 'https://ubuntu.com/security/CVE-2020-0067', |
166 | + 'PublicDate': '2020-04-17 19:15:00 UTC', 'Priority': 'medium', 'CVSS': [{ |
167 | + 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N', 'baseScore': '4.4', |
168 | + 'baseSeverity': 'MEDIUM'}], 'CVE_URL': 'https://ubuntu.com/security/CVE-2020-0067', |
169 | 'MITRE_URL': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0067'}, |
170 | {'Candidate': 'CVE-2020-0543', 'PublicDate': '2020-06-09 17:00:00 UTC', |
171 | - 'Priority': 'medium', 'CVSS': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N', |
172 | - 'CVSS_SEVERITY_LEVEL': 'MEDIUM', 'CVSS_SCORE': '5.5', 'CVE_URL': |
173 | + 'Priority': 'medium', 'CVSS': [{'vector':'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N', |
174 | + 'baseSeverity': 'MEDIUM', 'baseScore': '5.5'}], 'CVE_URL': |
175 | 'https://ubuntu.com/security/CVE-2020-0543', |
176 | 'MITRE_URL': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543'}, |
177 | {'Candidate': 'CVE-2020-12114', 'PublicDate': '2020-05-04 12:15:00 UTC', |
178 | - 'Priority': 'medium', 'CVSS': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H', |
179 | - 'CVSS_SEVERITY_LEVEL': 'MEDIUM', 'CVSS_SCORE': '4.7', 'CVE_URL': |
180 | + 'Priority': 'medium', 'CVSS': [{'vector':'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H', |
181 | + 'baseSeverity': 'MEDIUM', 'baseScore': '4.7'}], 'CVE_URL': |
182 | 'https://ubuntu.com/security/CVE-2020-12114', |
183 | 'MITRE_URL': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12114'}, |
184 | {'Candidate': 'CVE-2020-12464', 'PublicDate': '2020-04-29 18:15:00 UTC', |
185 | - 'Priority': 'medium', 'CVSS': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H', |
186 | - 'CVSS_SEVERITY_LEVEL': 'MEDIUM', 'CVSS_SCORE': '6.7', 'CVE_URL': |
187 | + 'Priority': 'medium', 'CVSS': [{'vector':'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H', |
188 | + 'baseSeverity': 'MEDIUM', 'baseScore': '6.7'}], 'CVE_URL': |
189 | 'https://ubuntu.com/security/CVE-2020-12464', |
190 | 'MITRE_URL': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12464'}, |
191 | {'Candidate': 'CVE-2020-12659', 'PublicDate': '2020-05-05 07:15:00 UTC', |
192 | - 'Priority': 'low', 'CVSS': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H', |
193 | - 'CVSS_SEVERITY_LEVEL': 'MEDIUM', 'CVSS_SCORE': '6.7', 'CVE_URL': |
194 | + 'Priority': 'low', 'CVSS': [{'vector':'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H', |
195 | + 'baseSeverity': 'MEDIUM', 'baseScore': '6.7'}], 'CVE_URL': |
196 | 'https://ubuntu.com/security/CVE-2020-12659', |
197 | 'MITRE_URL': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12659'}, |
198 | {'Candidate': 'CVE-2020-1749', 'PublicDate': '2020-03-04 08:53:00 UTC', |
199 | - 'Priority': 'medium', 'CVSS': None, 'CVSS_SEVERITY_LEVEL': None, 'CVSS_SCORE': |
200 | - None, 'CVE_URL': |
201 | + 'Priority': 'medium', 'CVE_URL': |
202 | 'https://ubuntu.com/security/CVE-2020-1749', |
203 | 'MITRE_URL': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1749'}] |
204 | |
205 | invalid_priority_cve_mock = [{'Candidate': 'CVE-2020-0067', |
206 | - 'PublicDate': '2020-04-17 19:15:00 UTC', 'Priority': 'untriaged', 'CVSS': |
207 | - 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N', 'CVSS_SEVERITY_LEVEL': |
208 | - 'MEDIUM', 'CVSS_SCORE': '4.4', 'CVE_URL': |
209 | + 'PublicDate': '2020-04-17 19:15:00 UTC', 'Priority': 'untriaged', 'CVSS':[{ |
210 | + 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N', 'baseSeverity': |
211 | + 'MEDIUM', 'baseScore': '4.4' }], 'CVE_URL': |
212 | 'https://ubuntu.com/security/CVE-2020-0067', |
213 | 'MITRE_URL': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0067'}] |
214 | - invalid_priority_references_mock = """<reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-0067" ref_id="CVE-2020-0067"/>""" |
215 | + invalid_priority_references_mock = """<reference source="CVE" ref_id="CVE-2020-0067" ref_url="https://ubuntu.com/security/CVE-2020-0067"/>""" |
216 | invalid_priority_ret = """ |
217 | <definition id="oval:com.ubuntu.bionic:def:43881000000" version="1" class="patch"> |
218 | <metadata> |
219 | @@ -282,12 +294,13 @@ class TestOvalLibUnit: |
220 | <affected family="unix"> |
221 | <platform>Ubuntu 18.04 LTS</platform> |
222 | </affected> |
223 | - <reference source="USN" ref_url="https://ubuntu.com/security/notices/USN-4388-1" ref_id="USN-4388-1"/> |
224 | - <reference source="CVE" ref_url="https://ubuntu.com/security/CVE-2020-0067" ref_id="CVE-2020-0067"/> |
225 | + <reference source="USN" ref_id="USN-4388-1" ref_url="https://ubuntu.com/security/notices/USN-4388-1"/> |
226 | + <reference source="CVE" ref_id="CVE-2020-0067" ref_url="https://ubuntu.com/security/CVE-2020-0067"/> |
227 | <description>It was discovered that the F2FS file system implementation in the Linux kernel did not properly perform bounds checking on xattrs in some situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2020-0067) It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information. (CVE-2020-0543) Piotr Krysiuk discovered that race conditions existed in the file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2020-12114) It was discovered that the USB susbsystem's scatter-gather implementation in the Linux kernel did not properly take data references in some situations, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12464) Bui Quang Minh discovered that the XDP socket implementation in the Linux kernel did not properly validate meta-data passed from user space, leading to an out-of-bounds write vulnerability. A local attacker with the CAP_NET_ADMIN capability could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12659) Xiumei Mu discovered that the IPSec implementation in the Linux kernel did not properly encrypt IPv6 traffic in some situations. An attacker could use this to expose sensitive information. (CVE-2020-1749) Update Instructions: Run `sudo pro fix USN-4388-1` to fix the vulnerability. 
The problem can be corrected by updating your system to the following package versions: linux-image-5.0.0-1042-gke - 5.0.0-1042.43 No subscription required linux-image-5.0.0-1059-oem-osp1 - 5.0.0-1059.64 No subscription required</description> |
228 | <advisory from="security@ubuntu.com"> |
229 | <severity>Medium</severity> |
230 | <issued date="2020-06-09"/> |
231 | + <cve href="https://ubuntu.com/security/CVE-2020-0067" severity="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" usns="4387-1,4389-1,4390-1,4388-1,4527-1">CVE-2020-0067</cve> |
232 | <ref>https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SRBDS</ref> |
233 | </advisory> |
234 | </metadata> |
235 | @@ -356,7 +369,7 @@ No subscription required""" |
236 | assert test_ret == release_test_mock |
237 | |
238 | def test_create_release_obj(self): |
239 | - release_obj_mock = """ |
240 | + release_obj_mock = r""" |
241 | <ind:textfilecontent54_object id="oval:com.ubuntu.bionic:obj:100" version="1"> |
242 | <ind:filepath datatype="string">/etc/lsb-release</ind:filepath> |
243 | <ind:pattern operation="pattern match">^[\s\S]*DISTRIB_CODENAME=([a-z]+)$</ind:pattern> |
244 | @@ -408,11 +421,17 @@ No subscription required""" |
245 | 'Priority': 'high', |
246 | 'PublicDate': '2012-05-25', |
247 | 'Candidate': self.test_cve_file, |
248 | - 'CVSS_SCORE': '9.8', |
249 | + 'CVSS': [{ |
250 | + 'baseScore': '9.8', |
251 | + 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H', |
252 | + 'baseSeverity': 'CRITICAL', |
253 | + 'source': 'nvd' |
254 | + }], |
255 | 'CVE_URL': 'https://ubuntu.com/security/CVE-TEST', |
256 | 'MITRE_URL': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-TEST', |
257 | - 'CVSS': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H', |
258 | - 'CVSS_SEVERITY_LEVEL': 'Critical' |
259 | + 'References': ['', |
260 | + 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9999', |
261 | + 'http://www.openwall.com/lists/oss-security/foo'] |
262 | } |
263 | |
264 | cve_info = oval_lib.OvalGeneratorUSN.get_cve_info_from_file( |
265 | @@ -460,9 +479,10 @@ No subscription required""" |
266 | assert test_urls == self.urls_mock |
267 | |
268 | def test_create_cves_references(self): |
269 | - refs_test = oval_lib.OvalGeneratorUSN.create_cves_references( |
270 | + refs_test, tags_test = oval_lib.OvalGeneratorUSN.create_cves_elements( |
271 | self.oval_gen_mock, self.cves_info_mock) |
272 | |
273 | + assert tags_test == self.cve_tags_mock |
274 | assert refs_test == self.references_mock |
275 | |
276 | @pytest.mark.parametrize("url,url_mock", [(urls_mock, url_ref_mock), |
277 | @@ -486,20 +506,20 @@ No subscription required""" |
278 | assert ret_test == mock_ret |
279 | |
280 | @mock.patch("oval_lib.OvalGeneratorUSN.format_cves_info", autospec=True) |
281 | - @mock.patch("oval_lib.OvalGeneratorUSN.create_cves_references", |
282 | + @mock.patch("oval_lib.OvalGeneratorUSN.create_cves_elements", |
283 | autospec=True) |
284 | @mock.patch("oval_lib.OvalGeneratorUSN.create_bug_references", |
285 | autospec=True) |
286 | @mock.patch("oval_lib.OvalGeneratorUSN.get_usn_severity", autospec=True) |
287 | - def test_create_usn_definition(self, get_usn_severity_mock, |
288 | - create_bug_ref_mock, create_cve_ref_mock, format_cves_info_mock): |
289 | - format_cves_info_mock.return_value = (self.urls_mock, |
290 | - self.cves_info_mock) |
291 | - create_cve_ref_mock.return_value = self.references_mock |
292 | + @mock.patch("oval_lib.OvalGeneratorUSN.pocket", create=True) |
293 | + def test_create_usn_definition(self, pocket_mock, get_usn_severity_mock, |
294 | + create_bug_ref_mock, create_cves_elements_mock, format_cves_info_mock): |
295 | + format_cves_info_mock.return_value = (self.urls_mock, self.cves_info_mock) |
296 | + create_cves_elements_mock.return_value = (self.references_mock, self.cve_tags_mock) |
297 | create_bug_ref_mock.return_value = self.url_ref_mock |
298 | get_usn_severity_mock.return_value = self.avg_severity_mock |
299 | + pocket_mock.return_value = self.pocket |
300 | |
301 | - print(self.usn_object_mock) |
302 | definition_ret = oval_lib.OvalGeneratorUSN.create_usn_definition( |
303 | self.oval_gen_mock, self.usn_object_mock, self.usn_mock, |
304 | self.id_base_mock, self.test_refs_mock, rel_test_path, |
305 | @@ -507,7 +527,7 @@ No subscription required""" |
306 | |
307 | format_cves_info_mock.assert_called_with(self.oval_gen_mock, |
308 | self.cves_url_both_mock, rel_test_path) |
309 | - create_cve_ref_mock.assert_called_with(self.oval_gen_mock, |
310 | + create_cves_elements_mock.assert_called_with(self.oval_gen_mock, |
311 | self.cves_info_mock) |
312 | get_usn_severity_mock.assert_called_with(self.oval_gen_mock, |
313 | self.cve_severity_mock) |
314 | @@ -517,18 +537,21 @@ No subscription required""" |
315 | assert definition_ret == self.definition_mock |
316 | |
317 | @mock.patch("oval_lib.OvalGeneratorUSN.format_cves_info", autospec=True) |
318 | - @mock.patch("oval_lib.OvalGeneratorUSN.create_cves_references", |
319 | + @mock.patch("oval_lib.OvalGeneratorUSN.create_cves_elements", |
320 | autospec=True) |
321 | @mock.patch("oval_lib.OvalGeneratorUSN.create_bug_references", |
322 | autospec=True) |
323 | @mock.patch("oval_lib.OvalGeneratorUSN.get_usn_severity", autospec=True) |
324 | - def test_invalid_priority_usn_definition(self, get_usn_severity_mock, |
325 | - create_bug_ref_mock, create_cve_ref_mock, format_cves_info_mock): |
326 | + @mock.patch("oval_lib.OvalGeneratorUSN.pocket", create=True) |
327 | + def test_invalid_priority_usn_definition(self, pocket_mock, get_usn_severity_mock, |
328 | + create_bug_ref_mock, create_cves_elements_mock, format_cves_info_mock): |
329 | format_cves_info_mock.return_value = (self.urls_mock, |
330 | self.invalid_priority_cve_mock) |
331 | - create_cve_ref_mock.return_value = self.invalid_priority_references_mock |
332 | + create_cves_elements_mock.return_value = (self.invalid_priority_references_mock, |
333 | + '<cve href="https://ubuntu.com/security/CVE-2020-0067" severity="medium" public="20200417" cvss_score="4.4" cvss_vector="CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" usns="4387-1,4389-1,4390-1,4388-1,4527-1">CVE-2020-0067</cve>') |
334 | create_bug_ref_mock.return_value = self.url_ref_mock |
335 | get_usn_severity_mock.return_value = self.avg_severity_mock |
336 | + pocket_mock.return_value = self.pocket |
337 | |
338 | definition_ret = oval_lib.OvalGeneratorUSN.create_usn_definition( |
339 | self.oval_gen_mock, self.usn_object_mock, self.usn_mock, |
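Review bot: None of the updated fixtures exercises the `usns="…"` branch of generate_cve_tag: `cves_info_mock` has no `References` key, and the only expected tag that carries `usns=` (in test_invalid_priority_usn_definition) is the hard-coded return value of the mocked `create_cves_elements`, so the `ref[40:]` slicing is not asserted in any visible test. Adding a `'References'` list containing one USN notice URL to an entry of `cves_info_mock`, with the matching `usns` attribute in `cve_tags_mock`, would cover it through test_create_cves_references; an entry with `'CVSS': []` would pin the empty-value case as well. In the two definition tests `pocket` is patched with a MagicMock and then given a `return_value`, which only has an effect if the code calls `pocket()`; if it is read as a plain attribute, `mock.patch.object(oval_lib.OvalGeneratorUSN, "pocket", new="security", create=True)` states the intent directly. The test methods and the class body extend beyond the visible hunks.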
lgtm, thanks!