intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

fix: "file" package version 5.45 breaks core functionality #4199

Open gvozzolo opened 2 weeks ago

gvozzolo commented 2 weeks ago

Description

I've been scanning the same file (a .yaffs2 file) on 2 different machines and getting 2 very different outputs: one gives more than 1.5k CVEs and the other 0. I've tracked down the bug to a different version of the package "file".

Using "file" version < 5.45, the output of file <filename> is: : data

Using "file" version = 5.45, the output of the same command is: YAFFS filesystem root entry (little endian), type root or directory, object entry (name: "fonts")

This different output makes it so that the condition if not is_exec and not is_linux_kernel: is true and the function returns None, skipping the file.

To reproduce

Steps to reproduce the behaviour:

  1. Scan a file
  2. Upgrade to "file" version = 5.45
  3. Try scanning the same file
  4. Compare the results

Expected behaviour: same results
Actual behaviour: different results

Version/platform info

Version of CVE-bin-tool (e.g. output of cve-bin-tool --version):
Installed from pypi or github?
Operating system: Linux endevour 6.9.3-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 31 May 2024 15:14:45 +0000 x86_64 GNU/Linux
Python version (e.g. python3 --version): 3.11
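The skipped-file path described in the report, as an added example that is not cve-bin-tool's own code: the function names, the marker lists and the placeholder filename are assumptions, while the two "file" descriptions are the ones quoted above.

```python
"""Hypothetical reconstruction of a `file`-output heuristic that silently
drops a YAFFS2 image once `file` 5.45 learns to describe it, next to a
check that does not depend on the image being reported as bare "data"."""

import re

# Constructed outputs of `file <filename>` for the same .yaffs2 image,
# taken from the issue; the filename is a placeholder.
FILE_OUTPUT_OLD = "image.yaffs2: data"
FILE_OUTPUT_NEW = (
    "image.yaffs2: YAFFS filesystem root entry (little endian), "
    'type root or directory, object entry (name: "fonts")'
)

# Assumed legacy markers: an unrecognised blob ("data") or something
# executable-looking is scanned; anything else is not.
EXEC_MARKERS = ("executable", "shared object", "data")
KERNEL_MARKER = "Linux kernel"

# Assumed extra markers for the robust check: container-like images
# that `file` may start naming in a newer release.
CONTAINER_RE = re.compile(r"\b(file ?system|archive|firmware)\b", re.I)


def description(file_output: str) -> str:
    """Strip the `<path>: ` prefix; `file -b` avoids this step in practice."""
    return file_output.split(": ", 1)[1]


def legacy_should_scan(file_output: str) -> bool:
    """Mimics the failing logic: scan only if `file` calls the input
    executable-ish or a Linux kernel image, else skip it silently."""
    desc = description(file_output)
    is_exec = any(marker in desc for marker in EXEC_MARKERS)
    is_linux_kernel = KERNEL_MARKER in desc
    if not is_exec and not is_linux_kernel:
        return False  # the caller returns None and the file is skipped
    return True


def robust_should_scan(file_output: str) -> bool:
    """Also treat filesystem/firmware/archive images as scan candidates,
    so a smarter `file` release cannot make them disappear from results."""
    if legacy_should_scan(file_output):
        return True
    return bool(CONTAINER_RE.search(description(file_output)))
```

Feeding both quoted outputs through legacy_should_scan reproduces the report: the old description is scanned and the new one is skipped, while robust_should_scan accepts both.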

terriko commented 2 weeks ago

That is fascinating and definitely a bug. Sounds fixable but someone will need to do some research to figure out how to use the new expected output, I guess?