Closed
Description
Apologies, this is in Japanese.
With a ChangeLog like the following, the vuls result is incorrect.
ChangeLog for: libreport-2.0.9-32.el6.centos.x86_64, libreport-cli-2.0.9-32.el6.centos.x86_64, libreport-compat-2.0.9-32.el6.centos.x86_64,
: libreport-filesystem-2.0.9-32.el6.centos.x86_64, libreport-plugin-kerneloops-2.0.9-32.el6.centos.x86_64,
: libreport-plugin-logger-2.0.9-32.el6.centos.x86_64, libreport-plugin-mailx-2.0.9-32.el6.centos.x86_64,
: libreport-plugin-reportuploader-2.0.9-32.el6.centos.x86_64, libreport-plugin-rhtsupport-2.0.9-32.el6.centos.x86_64,
: libreport-plugin-ureport-2.0.9-32.el6.centos.x86_64, libreport-python-2.0.9-32.el6.centos.x86_64
* Tue May 10 21:00:00 2016 Johnny Hughes <johnny@centos.org> - 2.0.9-32
Even though this is libreport related, libpng is reported as the package with the vulnerability.
CVE-2015-5302 5.0 (Medium) libreport 2.0.7 before 2.6.3 only saves changes to the first file when editing a
crash report, which allows remote attackers to obtain sensitive information via
:
:
https://access.redhat.com/security/cve/CVE-2015-5302
libpng-1.2.49-1.el6_2 -> libpng-1.2.49-2.el6_7 <------- the package is wrong
Confidence: 95 / ChangelogExactMatch
It looked like the ChangeLog was being processed one line at a time, so, although it is a blunt approach, I made the following change to handle it.
diff --git a/scan/redhat.go b/scan/redhat.go
index 0d0bbbe..28200d4 100644
--- a/scan/redhat.go
+++ b/scan/redhat.go
@@ -466,6 +466,10 @@ func (o *redhat) parseAllChangelog(allChangelog string) (map[string]*string, err
tmpline := ""
var lines []string
var prev, now bool
+
+ var changeLogForPattern = regexp.MustCompile(`^ChangeLog for: `)
+ var changeLogForEndPattern = regexp.MustCompile(`^\*\s`)
+
for i := range orglines {
if majorVersion == 5 {
/* for CentOS5 (yum-util < 1.1.20) */
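Review bot: the two patterns added at the top of this hunk (`changeLogForPattern`, `changeLogForEndPattern`) are compiled with `regexp.MustCompile` on every call to `parseAllChangelog`; move them to package-level `var` declarations so they are compiled once, and reuse them in place of the string patterns passed to `o.regexpReplace` further down.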
@@ -497,7 +501,18 @@ func (o *redhat) parseAllChangelog(allChangelog string) (map[string]*string, err
} else {
/* for CentOS6,7 (yum-util >= 1.1.20) */
line := orglines[i]
- line = o.regexpReplace(line, `^ChangeLog for: `, "")
+
+ if changeLogForPattern.MatchString(line) {
+ line = o.regexpReplace(line, `^ChangeLog for: `, "")
+ for {
+ i = i + 1
+ if changeLogForEndPattern.MatchString(orglines[i]) {
+ break
+ }
+ line = line + o.regexpReplace(orglines[i], `^\s*: `, "")
+ }
+ }
+
line = o.regexpReplace(line, `^\*\*\sNo\sChangeLog\sfor:.*`, "")
lines = append(lines, line)
}
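Review bot: the inner `for { i = i + 1 ... orglines[i] }` loop has no bounds check, so a `ChangeLog for:` block that is the last thing in the input (no following `* ` line) indexes past the end of `orglines` and panics; add `if i+1 >= len(orglines) { break }` before reading. Also, `i` is the variable of the outer `for i := range orglines` loop, and in Go assigning to a range variable does not advance the iteration, so the continuation lines just joined are visited again by the outer loop and appended to `lines` a second time with their leading `: ` intact; use an index-based `for i := 0; i < len(orglines); i++` loop (or a separate skip counter) so the consumed lines are really skipped. Finally, `line = line + o.regexpReplace(orglines[i], `^\s*: `, "")` joins the header and the continuation with no separator, so check that the downstream split of the package list tolerates a comma without a following space, or re-insert a single space when joining.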
I have confirmed that this yields the correct result, as shown below, but I am not confident in it (for now I plan to run with this as it is).
CVE-2015-5302 5.0 (Medium) libreport 2.0.7 before 2.6.3 only saves changes to the first file when editing a
crash report, which allows remote attackers to obtain sensitive information via
unspecified vectors related to the (1) backtrace, (2) cmdline, (3) environ, (4)
open_fds, (5) maps, (6) smaps, (7) hostname, (8) remote, (9) ks.cfg, or (10)
anaconda-tb file attachment included in a Red Hat Bugzilla bug report.
http://www.cvedetails.com/cve/CVE-2015-5302
https://access.redhat.com/security/cve/CVE-2015-5302
libreport-2.0.9-24.el6.centos -> libreport-2.0.9-32.el6.centos
libreport-cli-2.0.9-24.el6.centos -> libreport-cli-2.0.9-32.el6.centos
libreport-compat-2.0.9-24.el6.centos -> libreport-compat-2.0.9-32.el6.centos
libreport-filesystem-2.0.9-24.el6.centos ->
libreport-filesystem-2.0.9-32.el6.centos
libreport-plugin-kerneloops-2.0.9-24.el6.centos ->
libreport-plugin-kerneloops-2.0.9-32.el6.centos
libreport-plugin-logger-2.0.9-24.el6.centos ->
libreport-plugin-logger-2.0.9-32.el6.centos
libreport-plugin-mailx-2.0.9-24.el6.centos ->
libreport-plugin-mailx-2.0.9-32.el6.centos
libreport-plugin-reportuploader-2.0.9-24.el6.centos ->
libreport-plugin-reportuploader-2.0.9-32.el6.centos
libreport-plugin-rhtsupport-2.0.9-24.el6.centos ->
libreport-plugin-rhtsupport-2.0.9-32.el6.centos
libreport-plugin-ureport-2.0.9-24.el6.centos ->
libreport-plugin-ureport-2.0.9-32.el6.centos
libreport-python-2.0.9-24.el6.centos -> libreport-python-2.0.9-32.el6.centos
Confidence: 95 / ChangelogExactMatch
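As an added example (not part of this issue or the vuls code base), a standalone Go function that joins wrapped `ChangeLog for:` headers the way the report describes, using an index loop and a bounds check so the pitfalls noted in review cannot occur; the sample input is constructed to mirror the quoted yum output, and the `example-pkg` names and the second maintainer line are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in the shape of the yum changelog output quoted above: a
// wrapped "ChangeLog for:" header, a single-line one, and a wrapped one at EOF.
const sampleChangelog = `ChangeLog for: libreport-2.0.9-32.el6.centos.x86_64, libreport-cli-2.0.9-32.el6.centos.x86_64,
: libreport-filesystem-2.0.9-32.el6.centos.x86_64, libreport-python-2.0.9-32.el6.centos.x86_64
* Tue May 10 21:00:00 2016 Johnny Hughes <johnny@centos.org> - 2.0.9-32
- constructed changelog entry
ChangeLog for: libpng-1.2.49-2.el6_7.x86_64
* Mon Jan 04 00:00:00 2016 Example Maintainer <maint@example.org> - 1.2.49-2
ChangeLog for: example-pkg-1.0-1.el6.x86_64,
: example-pkg-devel-1.0-1.el6.x86_64`

// joinChangelogHeaders merges each "ChangeLog for:" header with the ": "
// continuation lines after it, one entry per logical line. It uses an index
// loop (bumping a `for i := range` variable does not skip iterations in Go)
// and bounds-checks so a wrapped header at EOF cannot index past the slice.
func joinChangelogHeaders(raw string) []string {
	orglines := strings.Split(strings.TrimRight(raw, "\n"), "\n")
	var out []string
	for i := 0; i < len(orglines); i++ {
		line := orglines[i]
		if !strings.HasPrefix(line, "ChangeLog for: ") {
			out = append(out, line)
			continue
		}
		header := strings.TrimPrefix(line, "ChangeLog for: ")
		for i+1 < len(orglines) && strings.HasPrefix(strings.TrimLeft(orglines[i+1], " \t"), ": ") {
			i++
			cont := strings.TrimPrefix(strings.TrimLeft(orglines[i], " \t"), ": ")
			// Re-insert one space so the comma-separated package list stays splittable.
			header = strings.TrimRight(header, " ") + " " + cont
		}
		out = append(out, "ChangeLog for: "+header)
	}
	return out
}

func main() {
	fmt.Println(strings.Join(joinChangelogHeaders(sampleChangelog), "\n"))
}
```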