
This queue is for tickets about the NIST-NVD CPAN distribution.

Report information
The Basics
Id: 116109
Status: new
Priority: 0/
Queue: NIST-NVD

People
Owner: Nobody in particular
Requestors: QIANGZHAO [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: CVE index-records for same CPE from different feed-in files are partially lost when they are imported into one DB file.
The problem is in the module (.pm), not in the convert-nvdcve script.

When the feed-in XML files are imported into the same db file, if the CPE key already exists in the db, the CVE records with that CPE key can't be indexed correctly into xxx.idx_cpe.db.

step1: Prepare the test feed-in files and check the CVE records.

CVE-2016-4998 and CVE-2016-6130 have the same cpe: cpe:/o:linux:linux_kernel:4.5.5

nvdcve-2.0-test-merge1.xml:
    <entry id="CVE-2016-4998">

nvdcve-2.0-test-merge2.xml:
    <entry id="CVE-2016-6130">
    ...
    <entry id="CVE-2016-6170">

$ grep -E 'product.*cpe' nvdcve-2.0-test-merge*.xml
nvdcve-2.0-test-merge1.xml: <vuln:product>cpe:/o:linux:linux_kernel:4.5.5</vuln:product>
nvdcve-2.0-test-merge2.xml: <vuln:product>cpe:/o:linux:linux_kernel:4.5.5</vuln:product>
nvdcve-2.0-test-merge2.xml: <vuln:product>cpe:/a:isc:bind:9.10.4</vuln:product>
nvdcve-2.0-test-merge2.xml: <vuln:product>cpe:/a:isc:bind:9.4.3</vuln:product>

step2: import one feed-in file:
perl convert-nvdcve nvdcve-2.0-test-merge1.xml

step3: import the second feed-in file:
perl convert-nvdcve nvdcve-2.0-test-merge2.xml

step4: query the CVE records from the second feed-in file:
perl get_cve_by_cpe.pl nvdcve-2.0-test-merge.db nvdcve-2.0-test-merge.idx_cpe.db cpe:/o:linux:linux_kernel:4.5.5

Only 1 CVE is shown: CVE-2016-4988.
CVE-2016-6130 can be retrieved by its cpe.
Subject: get_cve_by_cpe.pl
use strict;
use warnings;
use NIST::NVD::Query;
use Data::Dumper;

# Usage: perl get_cve_by_cpe.pl <path to .db> <path to .idx_cpe.db> <cpe urn>
my ( $path_to_db, $path_to_idx_cpe, $cpe_condition ) = @ARGV;

my $q = NIST::NVD::Query->new(
    database => $path_to_db,
    idx_cpe  => $path_to_idx_cpe,
);

# Every CVE id indexed under the given CPE, then the full record for each id
my $cve_id_list = $q->cve_for_cpe( cpe => $cpe_condition );

my @entry;
foreach my $cve_id (@$cve_id_list) {
    my $entry = $q->cve( cve_id => $cve_id );
    push( @entry, $entry );
    print "$entry->{'vuln:cve-id'}\n";
    print "$entry->{'vuln:summary'}\n";
}
Subject: nvdcve-2.0-test-merge1.xml
<?xml version='1.0' encoding='UTF-8'?> <nvd xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1" xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2" xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:patch="http://scap.nist.gov/schema/patch/0.1" xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" nvd_xml_version="2.0" pub_date="2016-07-11T01:00:15" xsi:schemaLocation="http://scap.nist.gov/schema/patch/0.1 http://nvd.nist.gov/schema/patch_0.1.xsd http://scap.nist.gov/schema/feed/vulnerability/2.0 http://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd http://scap.nist.gov/schema/scap-core/0.1 http://nvd.nist.gov/schema/scap-core_0.1.xsd"> <entry id="CVE-2016-4998"> <vuln:vulnerable-configuration id="http://nvd.nist.gov/"> <cpe-lang:logical-test operator="OR" negate="false"> <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:4.5.5"/> </cpe-lang:logical-test> </vuln:vulnerable-configuration> <vuln:vulnerable-software-list> <vuln:product>cpe:/o:linux:linux_kernel:4.5.5</vuln:product> </vuln:vulnerable-software-list> <vuln:cve-id>CVE-2016-4998</vuln:cve-id> <vuln:published-datetime>2016-07-03T17:59:17.167-04:00</vuln:published-datetime> <vuln:last-modified-datetime>2016-07-06T07:24:32.857-04:00</vuln:last-modified-datetime> <vuln:cvss> <cvss:base_metrics> <cvss:score>5.6</cvss:score> <cvss:access-vector>LOCAL</cvss:access-vector> <cvss:access-complexity>LOW</cvss:access-complexity> <cvss:authentication>NONE</cvss:authentication> <cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact> <cvss:integrity-impact>NONE</cvss:integrity-impact> <cvss:availability-impact>COMPLETE</cvss:availability-impact> <cvss:source>http://nvd.nist.gov</cvss:source> <cvss:generated-on-datetime>2016-07-05T13:45:43.437-04:00</cvss:generated-on-datetime> </cvss:base_metrics> </vuln:cvss> <vuln:cwe id="CWE-119"/> <vuln:references xml:lang="en" 
reference_type="VENDOR_ADVISORY"> <vuln:source>CONFIRM</vuln:source> <vuln:reference href="https://github.com/torvalds/linux/commit/6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91" xml:lang="en">https://github.com/torvalds/linux/commit/6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91</vuln:reference> </vuln:references> <vuln:references xml:lang="en" reference_type="UNKNOWN"> <vuln:source>CONFIRM</vuln:source> <vuln:reference href="https://bugzilla.redhat.com/show_bug.cgi?id=1349886" xml:lang="en">https://bugzilla.redhat.com/show_bug.cgi?id=1349886</vuln:reference> </vuln:references> <vuln:references xml:lang="en" reference_type="UNKNOWN"> <vuln:source>MLIST</vuln:source> <vuln:reference href="http://www.openwall.com/lists/oss-security/2016/06/24/5" xml:lang="en">[oss-security] 20160624 Linux CVE-2016-4997 (local privilege escalation) and CVE-2016-4998 (out of bounds memory access)</vuln:reference> </vuln:references> <vuln:references xml:lang="en" reference_type="UNKNOWN"> <vuln:source>CONFIRM</vuln:source> <vuln:reference href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91" xml:lang="en">http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91</vuln:reference> </vuln:references> <vuln:summary>The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary.</vuln:summary> </entry> </nvd>
Subject: nvdcve-2.0-test-merge2.xml
<?xml version='1.0' encoding='UTF-8'?> <nvd xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1" xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2" xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:patch="http://scap.nist.gov/schema/patch/0.1" xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" nvd_xml_version="2.0" pub_date="2016-07-11T01:00:15" xsi:schemaLocation="http://scap.nist.gov/schema/patch/0.1 http://nvd.nist.gov/schema/patch_0.1.xsd http://scap.nist.gov/schema/feed/vulnerability/2.0 http://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd http://scap.nist.gov/schema/scap-core/0.1 http://nvd.nist.gov/schema/scap-core_0.1.xsd"> <entry id="CVE-2016-6130"> <vuln:vulnerable-configuration id="http://nvd.nist.gov/"> <cpe-lang:logical-test operator="OR" negate="false"> <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:4.5.5"/> </cpe-lang:logical-test> </vuln:vulnerable-configuration> <vuln:vulnerable-software-list> <vuln:product>cpe:/o:linux:linux_kernel:4.5.5</vuln:product> </vuln:vulnerable-software-list> <vuln:cve-id>CVE-2016-6130</vuln:cve-id> <vuln:published-datetime>2016-07-03T17:59:18.040-04:00</vuln:published-datetime> <vuln:last-modified-datetime>2016-07-06T07:16:08.113-04:00</vuln:last-modified-datetime> <vuln:cvss> <cvss:base_metrics> <cvss:score>1.9</cvss:score> <cvss:access-vector>LOCAL</cvss:access-vector> <cvss:access-complexity>MEDIUM</cvss:access-complexity> <cvss:authentication>NONE</cvss:authentication> <cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact> <cvss:integrity-impact>NONE</cvss:integrity-impact> <cvss:availability-impact>NONE</cvss:availability-impact> <cvss:source>http://nvd.nist.gov</cvss:source> <cvss:generated-on-datetime>2016-07-05T13:39:01.737-04:00</cvss:generated-on-datetime> </cvss:base_metrics> </vuln:cvss> <vuln:cwe id="CWE-362"/> <vuln:references xml:lang="en" 
reference_type="VENDOR_ADVISORY"> <vuln:source>CONFIRM</vuln:source> <vuln:reference href="https://github.com/torvalds/linux/commit/532c34b5fbf1687df63b3fcd5b2846312ac943c6" xml:lang="en">https://github.com/torvalds/linux/commit/532c34b5fbf1687df63b3fcd5b2846312ac943c6</vuln:reference> </vuln:references> <vuln:references xml:lang="en" reference_type="UNKNOWN"> <vuln:source>CONFIRM</vuln:source> <vuln:reference href="https://bugzilla.kernel.org/show_bug.cgi?id=116741" xml:lang="en">https://bugzilla.kernel.org/show_bug.cgi?id=116741</vuln:reference> </vuln:references> <vuln:references xml:lang="en" reference_type="UNKNOWN"> <vuln:source>BUGTRAQ</vuln:source> <vuln:reference href="http://www.securityfocus.com/archive/1/538803/30/0/threaded" xml:lang="en">20160630 [CVE-2016-6130] Double-Fetch Vulnerability in Linux-4.5/drivers/s390/char/sclp_ctl.c</vuln:reference> </vuln:references> <vuln:references xml:lang="en" reference_type="UNKNOWN"> <vuln:source>CONFIRM</vuln:source> <vuln:reference href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=532c34b5fbf1687df63b3fcd5b2846312ac943c6" xml:lang="en">http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=532c34b5fbf1687df63b3fcd5b2846312ac943c6</vuln:reference> </vuln:references> <vuln:summary>Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel before 4.6 allows local users to obtain sensitive information from kernel memory by changing a certain length value, aka a "double fetch" vulnerability.</vuln:summary> </entry> <entry id="CVE-2016-6170"> <vuln:vulnerable-configuration id="http://nvd.nist.gov/"> <cpe-lang:logical-test operator="OR" negate="false"> <cpe-lang:fact-ref name="cpe:/a:isc:bind:9.10.4"/> <cpe-lang:fact-ref name="cpe:/a:isc:bind:9.4.3"/> <cpe-lang:fact-ref name="cpe:/a:isc:bind:9.4.0"/> <cpe-lang:fact-ref name="cpe:/a:isc:bind:9.4"/> </cpe-lang:logical-test> </vuln:vulnerable-configuration> 
<vuln:vulnerable-software-list> <vuln:product>cpe:/a:isc:bind:9.10.4</vuln:product> <vuln:product>cpe:/a:isc:bind:9.4.3</vuln:product> </vuln:vulnerable-software-list> <vuln:cve-id>CVE-2016-6170</vuln:cve-id> <vuln:published-datetime>2016-07-06T10:59:05.597-04:00</vuln:published-datetime> <vuln:last-modified-datetime>2016-07-09T21:59:01.293-04:00</vuln:last-modified-datetime> <vuln:cvss> <cvss:base_metrics> <cvss:score>4.0</cvss:score> <cvss:access-vector>NETWORK</cvss:access-vector> <cvss:access-complexity>LOW</cvss:access-complexity> <cvss:authentication>SINGLE_INSTANCE</cvss:authentication> <cvss:confidentiality-impact>NONE</cvss:confidentiality-impact> <cvss:integrity-impact>NONE</cvss:integrity-impact> <cvss:availability-impact>PARTIAL</cvss:availability-impact> <cvss:source>http://nvd.nist.gov</cvss:source> <cvss:generated-on-datetime>2016-07-07T19:02:30.127-04:00</cvss:generated-on-datetime> </cvss:base_metrics> </vuln:cvss> <vuln:cwe id="CWE-20"/> <vuln:references xml:lang="en" reference_type="UNKNOWN"> <vuln:source>MLIST</vuln:source> <vuln:reference href="https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015075.html" xml:lang="en">[dns-operations] 20160706 DNS activities in Japan</vuln:reference> </vuln:references> <vuln:references xml:lang="en" reference_type="UNKNOWN"> <vuln:source>MLIST</vuln:source> <vuln:reference href="https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015073.html" xml:lang="en">[dns-operations] 20160706 DNS activities in Japan</vuln:reference> </vuln:references> <vuln:references xml:lang="en" reference_type="UNKNOWN"> <vuln:source>MLIST</vuln:source> <vuln:reference href="https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html" xml:lang="en">[dns-operations] 20160704 DNS activities in Japan</vuln:reference> </vuln:references> <vuln:references xml:lang="en" reference_type="UNKNOWN"> <vuln:source>MISC</vuln:source> <vuln:reference 
href="https://github.com/sischkg/xfer-limit/blob/master/README.md" xml:lang="en">https://github.com/sischkg/xfer-limit/blob/master/README.md</vuln:reference> </vuln:references> <vuln:references xml:lang="en" reference_type="UNKNOWN"> <vuln:source>CONFIRM</vuln:source> <vuln:reference href="https://bugzilla.redhat.com/show_bug.cgi?id=1353563" xml:lang="en">https://bugzilla.redhat.com/show_bug.cgi?id=1353563</vuln:reference> </vuln:references> <vuln:references xml:lang="en" reference_type="UNKNOWN"> <vuln:source>MLIST</vuln:source> <vuln:reference href="http://www.openwall.com/lists/oss-security/2016/07/06/3" xml:lang="en">[oss-security] 20160706 Malicious primary DNS servers can crash secondaries</vuln:reference> </vuln:references> <vuln:summary>ISC BIND through 9.10.4-P1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message.</vuln:summary> </entry> </nvd>
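The report above describes the expected behaviour of the idx_cpe.db index: when a second feed carries a CPE key that is already stored, the CVE ids of both feeds must end up under that key. The following is an added example written for this ticket, not code from NIST::NVD or from the reporter. It models that merge with a plain Perl hash standing in for the tied idx_cpe.db, uses Storable's nfreeze/thaw for the stored values, and feeds it the CPE-to-CVE maps that the two test files in this ticket yield (constructed here by hand). The functions import_feed and cve_for_cpe are this example's own, not the module's API, and it also shows one case the ticket does not cover: re-importing the same feed, which must not duplicate ids.

```perl
#!/usr/bin/env perl
# Added example (not part of NIST::NVD): how a CPE -> [CVE ids] index must
# merge records across several feed imports.  A plain hash stands in for the
# tied idx_cpe.db; values are frozen arrayrefs, as in the module.
use strict;
use warnings;
use Storable qw(nfreeze thaw);
use List::Util qw(uniq);    # uniq needs List::Util >= 1.45

# Stand-in for the idx_cpe.db tied hash: CPE URN -> frozen arrayref of CVE ids
my %idx_cpe;

# Import one feed's "vulnerable software" map (CPE -> [CVE ids]) into the
# index, merging with whatever is already stored under the same CPE key.
sub import_feed {
    my ( $idx, $vuln_software ) = @_;
    foreach my $cpe_urn ( keys %$vuln_software ) {
        my @new_list = ref $vuln_software->{$cpe_urn} eq 'ARRAY'
                     ? @{ $vuln_software->{$cpe_urn} } : ();

        my @old_list;
        if ( exists $idx->{$cpe_urn} ) {
            my $thawed = thaw( $idx->{$cpe_urn} );
            @old_list = @$thawed if ref $thawed eq 'ARRAY';
        }

        # Previously stored ids first, then this feed's; uniq keeps a
        # re-import of the same feed from storing the same id twice.
        my @merged = uniq( @old_list, @new_list );
        $idx->{$cpe_urn} = nfreeze( \@merged );
    }
    return;
}

# Look up the CVE ids stored under one CPE key (this example's own helper).
sub cve_for_cpe {
    my ( $idx, $cpe_urn ) = @_;
    return [] unless exists $idx->{$cpe_urn};
    my $thawed = thaw( $idx->{$cpe_urn} );
    return ref $thawed eq 'ARRAY' ? $thawed : [];
}

# Constructed input: the CPE -> CVE maps that the ticket's two test feeds
# yield (nvdcve-2.0-test-merge1.xml and nvdcve-2.0-test-merge2.xml).
my %feed1 = ( 'cpe:/o:linux:linux_kernel:4.5.5' => ['CVE-2016-4998'] );
my %feed2 = (
    'cpe:/o:linux:linux_kernel:4.5.5' => ['CVE-2016-6130'],
    'cpe:/a:isc:bind:9.10.4'          => ['CVE-2016-6170'],
    'cpe:/a:isc:bind:9.4.3'           => ['CVE-2016-6170'],
);

import_feed( \%idx_cpe, \%feed1 );
import_feed( \%idx_cpe, \%feed2 );
import_feed( \%idx_cpe, \%feed2 );    # re-import: ids must not be duplicated

# The kernel CPE now lists both CVE-2016-4998 and CVE-2016-6130, once each.
for my $cpe ( sort keys %idx_cpe ) {
    printf "%-36s %s\n", $cpe,
        join( ', ', @{ cve_for_cpe( \%idx_cpe, $cpe ) } );
}
```

The merge order (stored ids first, then the current feed's) matches the comment in the patch attached below, "Combine previous results with these results"; the uniq pass is the one addition a practitioner would want on top of it, since NVD feeds are re-downloaded and re-imported routinely.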
I worked on the fix for the bug; the patch works well in my local environment. I hope it can be integrated into the module, thanks.

On Wed Jul 13 08:16:01 2016, QIANGZHAO wrote:
> The problem is in the module (.pm), not in the convert-nvdcve script.
>
> When the feed-in XML files are imported into the same db file, if
> the CPE key already exists in the db, the CVE records with that CPE
> key can't be indexed correctly into xxx.idx_cpe.db.
>
> step1: Prepare the test feed-in files and check the CVE records.
>
> CVE-2016-4998 and CVE-2016-6130 have the same cpe:
> cpe:/o:linux:linux_kernel:4.5.5
>
> nvdcve-2.0-test-merge1.xml:
> <entry id="CVE-2016-4998">
>
> nvdcve-2.0-test-merge2.xml:
> <entry id="CVE-2016-6130">
> ...
> <entry id="CVE-2016-6170">
>
> $ grep -E 'product.*cpe' nvdcve-2.0-test-merge*.xml
> nvdcve-2.0-test-merge1.xml: <vuln:product>cpe:/o:linux:linux_kernel:4.5.5</vuln:product>
> nvdcve-2.0-test-merge2.xml: <vuln:product>cpe:/o:linux:linux_kernel:4.5.5</vuln:product>
> nvdcve-2.0-test-merge2.xml: <vuln:product>cpe:/a:isc:bind:9.10.4</vuln:product>
> nvdcve-2.0-test-merge2.xml: <vuln:product>cpe:/a:isc:bind:9.4.3</vuln:product>
>
> step2: import one feed-in file:
> perl convert-nvdcve nvdcve-2.0-test-merge1.xml
>
> step3: import the second feed-in file:
> perl convert-nvdcve nvdcve-2.0-test-merge2.xml
>
> step4: query the CVE records from the second feed-in file:
> perl get_cve_by_cpe.pl nvdcve-2.0-test-merge.db nvdcve-2.0-test-merge.idx_cpe.db cpe:/o:linux:linux_kernel:4.5.5
>
> Only 1 CVE is shown: CVE-2016-4988.
> CVE-2016-6130 can be retrieved by its cpe.
Subject: merge_cves_for_same_cpe_in_multi_feedin.diff
--- DB_File.pm 2016-07-13 17:37:43.854343968 +0800 +++ DB_File.pm.new 2016-07-13 17:45:51.782435695 +0800 @@ -175,16 +175,20 @@ foreach my $cpe_urn ( keys %$vuln_software ) { my $frozen; - $self->{'idx_cpe.db'}->get( $cpe_urn, $frozen ); + my $cpe_isnew = $self->{'idx_cpe.db'}->get( $cpe_urn, $frozen ); + #my $cvelist = nfreeze( $vuln_software->{$cpe_urn} ); + #print "<<<$cpe_urn\t$cvelist>>>\n"; - if ($frozen) { + if (!$cpe_isnew) { + + #print "In db:$cpe_urn\t$frozen\n"; my $thawed = thaw($frozen); next unless ref $thawed eq 'ARRAY'; my @vuln_list = (); - @vuln_list = @{ $self->{vuln_software}->{$cpe_urn} } - if ref $self->{vuln_software}->{$cpe_urn} eq 'ARRAY'; + @vuln_list = @{ $vuln_software->{$cpe_urn} } + if ref $vuln_software->{$cpe_urn} eq 'ARRAY'; # Combine previous results with these results $vuln_software->{$cpe_urn} = [ @vuln_list, @{$thawed} ];
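Review bot: the name `$cpe_isnew` says the opposite of what the variable holds; DB_File's `get` returns 0 when the key is found and non-zero when it is not, so `if (!$cpe_isnew)` correctly means "key already in idx_cpe.db" but reads as "key is not new", and a later reader will invert it. Rename it to something like `my $not_found = $self->{'idx_cpe.db'}->get( $cpe_urn, $frozen );` with `if (!$not_found) {`, or compare against 0 explicitly. The change that actually addresses the ticket is the switch from `$self->{vuln_software}->{$cpe_urn}` to `$vuln_software->{$cpe_urn}` when building `@vuln_list`: the loop iterates `keys %$vuln_software`, and if `$self->{vuln_software}` is not populated for this key, `@vuln_list` stays empty and `[ @vuln_list, @{$thawed} ]` overwrites the current feed's ids with only the stored ones, which matches the one-CVE result reported above; that deserves a sentence in the commit message. The three commented-out debug lines (`#my $cvelist = nfreeze(...)`, `#print "<<<...>>>\n"`, `#print "In db:..."`) and the stray blank line after the `if` should be dropped before merging. Finally, `[ @vuln_list, @{$thawed} ]` concatenates without de-duplicating, so re-importing a feed, or a CVE listed under the same CPE in two feeds, stores repeated ids under the key; running the merged list through `List::Util::uniq` (or a seen-hash) before storing it would keep the index idempotent.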