Closed MaineK00n closed 6 months ago
There is no binary package called `vim`, but it seems to be the source package name for binary packages such as `vim-common`.
```
[vagrant@rhel8 ~]$ rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH} %{MODULARITYLABEL} %{SOURCERPM}\n" | grep vim
vim-minimal 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm
vim-filesystem 2 8.0.1763 19.el8_6.4 noarch (none) vim-8.0.1763-19.el8_6.4.src.rpm
vim-common 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm
vim-enhanced 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm
```
In gost, vulnerabilities seem to be tied to source package names. https://github.com/aquasecurity/vuln-list-redhat/blob/8784a9f6a915cead963851da1111342e9e7224a8/api/2020/CVE-2020-20703.json#L5-L10
OVAL includes the binary packages and, for some reason, the source package as well. It seems that only the unpatched definitions contain the source package? (As far as I verified with the vim package.) https://access.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
```xml
<definition class="vulnerability" id="oval:com.redhat.cve:def:202020703" version="636">
  <metadata>
    <title>vim: buffer overflow (low)</title>
    <reference ref_id="CVE-2020-20703" ref_url="https://access.redhat.com/security/cve/CVE-2020-20703" source="CVE"/>
    <description>DOCUMENTATION: A use-after-free flaw was found in Vim. This issue allows a heap buffer overflow leading to a write access violation. This flaw allows the attacker to possibly have control over the write address and value, which may lead to an application crash.
STATEMENT: Red Hat Product Security has rated this issue as having a Low security impact, because the "victim" has to run an untrusted file IN SCRIPT MODE. Someone who is running untrusted files in script mode is equivalent to someone just taking a random python script and running it.
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/
MITIGATION: Untrusted vim scripts with -s [scriptin] are not recommended to run.</description>
    <advisory from="secalert@redhat.com">
      <severity>Low</severity>
      <updated date="2024-02-07"/>
      <cve cvss3="5.5/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" cwe="CWE-416->CWE-119" href="https://access.redhat.com/security/cve/CVE-2020-20703" impact="low" public="20230620">CVE-2020-20703</cve>
      <affected>
        <resolution state="Affected">
          <component>vim</component>
          <component>vim-X11</component>
          <component>vim-common</component>
          <component>vim-enhanced</component>
          <component>vim-filesystem</component>
          <component>vim-minimal</component>
        </resolution>
      </affected>
      <affected_cpe_list>
        <cpe>cpe:/a:redhat:enterprise_linux:8</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::appstream</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::crb</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::highavailability</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::nfv</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::realtime</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::resilientstorage</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::sap</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::sap_hana</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::supplementary</cpe>
        <cpe>cpe:/o:redhat:enterprise_linux:8</cpe>
        <cpe>cpe:/o:redhat:enterprise_linux:8::baseos</cpe>
      </affected_cpe_list>
    </advisory>
  </metadata>
  <criteria operator="OR">
    <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.cve:tst:20052541004"/>
    <criteria operator="AND">
      <criterion comment="Red Hat Enterprise Linux 8 is installed" test_ref="oval:com.redhat.cve:tst:20052541003"/>
      <criteria operator="OR">
        <criteria operator="AND">
          <criterion comment="vim-minimal is installed" test_ref="oval:com.redhat.cve:tst:201820786009"/>
          <criterion comment="vim-minimal is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786010"/>
        </criteria>
        <criteria operator="AND">
          <criterion comment="vim is installed" test_ref="oval:com.redhat.cve:tst:201820786011"/>
          <criterion comment="vim is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786012"/>
        </criteria>
        <criteria operator="AND">
          <criterion comment="vim-common is installed" test_ref="oval:com.redhat.cve:tst:201820786003"/>
          <criterion comment="vim-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786004"/>
        </criteria>
        <criteria operator="AND">
          <criterion comment="vim-X11 is installed" test_ref="oval:com.redhat.cve:tst:201820786013"/>
          <criterion comment="vim-X11 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786014"/>
        </criteria>
        <criteria operator="AND">
          <criterion comment="vim-enhanced is installed" test_ref="oval:com.redhat.cve:tst:201820786007"/>
          <criterion comment="vim-enhanced is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786008"/>
        </criteria>
        <criteria operator="AND">
          <criterion comment="vim-filesystem is installed" test_ref="oval:com.redhat.cve:tst:201820786005"/>
          <criterion comment="vim-filesystem is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786006"/>
        </criteria>
      </criteria>
    </criteria>
  </criteria>
</definition>
```
In the case of a modular package, gost requires it to be specified as `<module name>:<stream>/<source package name>`.
https://github.com/aquasecurity/vuln-list-redhat/blob/e235751d3cb68756b4c4dd873170b694df8b1417/api/2024/CVE-2024-20984.json#L24-L29
There are two possible corrections.
Case 1: as before, OVAL is in charge of patched vulnerabilities and gost is in charge of unpatched ones, but the vuls scanner must be updated.
Case 2: no scanner update is required, but since no unpatched OVAL is provided for RHEL 5 and earlier, detecting unpatched vulnerabilities there becomes impossible once gost is no longer used.
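As an added example (not code from vuls or gost), this Go snippet derives the key gost files vulnerabilities under from one line of the `rpm -qa --queryformat` output shown above: the source package name taken from SOURCERPM, prefixed with `<module>:<stream>/` when MODULARITYLABEL is set. `gostUnpatched` is a constructed stand-in for the vuln-list-redhat entry linked above, which is keyed on `vim`, not `vim-common`.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in for the gost feed: the vuln-list-redhat entry for CVE-2020-20703
// is keyed on the source package name "vim", never on a binary name like "vim-common".
var gostUnpatched = map[string][]string{"vim": {"CVE-2020-20703"}}

// SourceName maps "vim-8.0.1763-19.el8_6.4.src.rpm" to "vim": strip ".src.rpm", then the last
// two dash-separated fields (version, release). Names may contain dashes, so count from the end.
func SourceName(srcrpm string) (string, error) {
	s := strings.TrimSuffix(srcrpm, ".src.rpm")
	if s == srcrpm {
		return "", fmt.Errorf("not a source rpm: %q", srcrpm)
	}
	for i := 0; i < 2; i++ {
		idx := strings.LastIndex(s, "-")
		if idx <= 0 {
			return "", fmt.Errorf("malformed source rpm: %q", srcrpm)
		}
		s = s[:idx]
	}
	return s, nil
}

// GostKey parses one line of the rpm query used in this issue (NAME EPOCHNUM VERSION RELEASE
// ARCH MODULARITYLABEL SOURCERPM) and returns the binary package name plus the gost key:
// the source package name, or "<module>:<stream>/<source>" when MODULARITYLABEL
// ("name:stream:version:context", or "(none)" for non-modular packages) is set.
func GostKey(line string) (name, key string, err error) {
	f := strings.Fields(line)
	if len(f) != 7 {
		return "", "", fmt.Errorf("expected 7 fields, got %d: %q", len(f), line)
	}
	if key, err = SourceName(f[6]); err != nil {
		return "", "", err
	}
	if f[5] != "(none)" {
		mod := strings.SplitN(f[5], ":", 3)
		if len(mod) < 2 {
			return "", "", fmt.Errorf("malformed modularity label: %q", f[5])
		}
		key = mod[0] + ":" + mod[1] + "/" + key
	}
	return f[0], key, nil
}
```

Looking up `gostUnpatched[name]` with the binary name finds nothing for `vim-common`, while `gostUnpatched[key]` returns CVE-2020-20703, which is the miss this issue describes.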
What did you do? (required. The issue will be closed when not provided.)
Unpatched vulnerabilities are supposed to be detected by gost, but in the gost data source, vulnerabilities are linked to source packages. Therefore, there is a possibility of false positives or missed positives.
What did you expect to happen?
Accurately detect unpatched vulnerabilities.
What happened instead?
I have installed vim-common and others, but an unpatched vulnerability in vim: CVE-2020-20703 is not detected. https://access.redhat.com/security/cve/CVE-2020-20703
Steps to reproduce the behaviour
vuls scan json: vagrant.json
Configuration (MUST fill this out):
Go version (`go version`): go version go1.22.0 linux/amd64
Go environment (`go env`):
Vuls environment: Hash : f3f6671
config.toml:
command: