This repository has been archived by the owner on Jan 6, 2023. It is now read-only.

Is there a way to improve the CVE reporting for kernel packages? #30

Open
ereshetova opened this issue Jan 19, 2016 · 14 comments

Comments

@ereshetova

We all know how important kernel CVEs are and how many of them are usually produced every year.
This was a post showing just the 2015 kernel CVEs: http://www.openwall.com/lists/kernel-hardening/2016/01/19/1

However, currently cve-check-tool isn't doing very well on kernel CVEs, particularly since many are just reported as "Linux kernel" without a package name.

Can we somehow improve the situation? The Linux kernel is a special case, so maybe we could have a way to specify common Linux kernel package names via some input to cve-check-tool, and then instruct the tool to search for CVEs with the keywords "linux kernel" and the specified package version?

@ikeydoherty
Contributor

Yeah, I was just looking at the same thing myself, along with the embargoed 2016 CVE.

So this example annoys me quite explicitly:

```xml
  <entry id="CVE-2015-8543">
    <vuln:vulnerable-configuration id="http://nvd.nist.gov/">
      <cpe-lang:logical-test operator="OR" negate="false">
        <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:4.3.2"/>
      </cpe-lang:logical-test>
    </vuln:vulnerable-configuration>
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/o:linux:linux_kernel:4.3.2</vuln:product>
    </vuln:vulnerable-software-list>
```

Quite clearly we can see this is inaccurate. But according to the NVD, the only affected version is 4.3.2.

@ikeydoherty
Contributor

Another example here: CVE-2015-7550

Still technically embargoed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7550

@ikeydoherty
Contributor

What we need is more data sources :)

@ereshetova
Author

I was actually talking about very simple cases, not even these special ones. Currently I don't see a way to make cve-check-tool report any kernel CVEs to me. What package name should I use?

@ikeydoherty
Contributor

Are you not using the mapping feature?

https://git.solus-project.com/common/tree/mapping#n3

```
linux_kernel = kernel
```

Thus cve-check-tool evaluates the kernel package against linux_kernel vulnerabilities. Let's see how that goes for you, and whether we can expand on that!

@ereshetova
Author

Hm, I indeed haven't used it. Maybe you should advertise it with cve-check-tool for all the other users as well :) I will try on Monday and see how it goes.

@ikeydoherty
Contributor

Yeah, we could do with an Integration wiki page.

@ereshetova
Author

Still not sure what I am doing wrong: I now supply "linux_kernel" as input, but get this kind of output:

```
linux_kernel,4.1.15,,,0
```

@ereshetova
Author

@ikeydoherty, could you please suggest what I am doing wrong?

@ikeydoherty
Contributor

Please drop me a mail with your test data, expectations, etc., so I can validate them personally and commit any relevant fixes.

@ikeydoherty
Contributor

OK, so here's what I'm now getting in git for version 4.3.2:

```
 ikey@solus-bdw  ~/Projects/cve-check-tool   master  cve-check-tool -u -c -a -t faux tst_file -M mapping
linux_kernel,4.3.2,CVE-2013-7446 CVE-2015-7884 CVE-2015-7885 CVE-2015-7990 CVE-2015-8374 CVE-2015-8543 CVE-2015-8569 CVE-2015-8660,,0
linux,4.3.2,CVE-2013-7446 CVE-2015-7884 CVE-2015-7885 CVE-2015-7990 CVE-2015-8374 CVE-2015-8543 CVE-2015-8569 CVE-2015-8660,,0
```

tst_file:

```
linux,4.3.2,,
linux_kernel,4.3.2,,
```

mapping:

```
[Mapping]
linux_kernel = linux
```

@ikeydoherty
Contributor

For 4.1.5:

```
linux_kernel,4.1.5,CVE-2013-7445 CVE-2015-3290 CVE-2015-3291 CVE-2015-5157 CVE-2015-5697,,0
linux,4.1.5,CVE-2013-7445 CVE-2015-3290 CVE-2015-3291 CVE-2015-5157 CVE-2015-5697,,0
```

For 4.1.15:

```
linux_kernel,4.1.15,,,0
linux,4.1.15,,,0
```

@ereshetova
Author

So, did you find the issue? Can I try with the latest cve-check-tool release, or where did you merge the fixes?

@mcfrisk

mcfrisk commented Jul 19, 2017

Note that many kernel CVEs affect multiple kernel versions, which can be seen from CPE statements like cpe:2.3:o:linux:linux_kernel:4.11.5:*:*:*:*:*:*:* "and previous versions", but the NVD XML 2.0 data does not include this information. NVD XML 1.2.1 does have the 'and previous' flag, which can be used to do version comparisons and then decide whether the current kernel version is affected (according to the CVE data only). I've requested this support in #64.
