Possible OVAL feed bug

greetings; i’m writing in reference to CVE-2023-27522, which according to this AL9 security advisory, should be fixed in the package versions listed therein.

however, if i install any of the noted package versions and run an OVAL scan, the resulting report notes that the security advisory/vulnerability applies. (ID oval:org.almalinux.alsa:def:20236403 is reported as true, when i would expect it to be false).

i’m a new discourse group user without file attachment privileges, but it seems straightforward to reproduce and illustrate using the AL9 container image (i’ve originally run the OVAL scan on a virtual machine with AL9.3 installed with the latest packages as of this writing):

docker run --rm --name al9test -it almalinux:9 bash
dnf update -y
dnf install -y openscap scap-security-guide httpd
curl -s -O https://security.almalinux.org/oval/org.almalinux.alsa-9.xml
oscap oval eval --results oval_results.xml --report oval_report.html --fetch-remote-resources org.almalinux.alsa-9.xml

from another terminal, one may retrieve the HTML report to see the aforementioned vulnerability ID is set to “true” and applies to the reference system:

docker cp al9test:/oval_report.html .

additional note: the following OVAL feed XML snippet may be relevant to this scenario:

    <red-def:rpminfo_test check="at least one" comment="httpd is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403001" version="637">
      <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067001"/>
      <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
    </red-def:rpminfo_test>
    <red-def:rpminfo_test check="at least one" comment="httpd-core is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403003" version="637">
      <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067002"/>
      <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
    </red-def:rpminfo_test>
    <red-def:rpminfo_test check="at least one" comment="httpd-devel is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403005" version="637">
      <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067003"/>
      <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
    </red-def:rpminfo_test>
    <red-def:rpminfo_test check="at least one" comment="httpd-filesystem is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403007" version="637">
      <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067004"/>
      <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403003"/>
    </red-def:rpminfo_test>
    <red-def:rpminfo_test check="at least one" comment="httpd-manual is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403009" version="637">
      <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067005"/>
      <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403003"/>
    </red-def:rpminfo_test>
    <red-def:rpminfo_test check="at least one" comment="httpd-tools is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403011" version="637">
      <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067006"/>
      <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
    </red-def:rpminfo_test>
    <red-def:rpminfo_test check="at least one" comment="mod_ldap is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403013" version="637">
      <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067007"/>
      <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
    </red-def:rpminfo_test>
    <red-def:rpminfo_test check="at least one" comment="mod_lua is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403015" version="637">
      <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067008"/>
      <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
    </red-def:rpminfo_test>
    <red-def:rpminfo_test check="at least one" comment="mod_proxy_html is earlier than 1:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403017" version="637">
      <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067009"/>
      <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403004"/>
    </red-def:rpminfo_test>
    <red-def:rpminfo_test check="at least one" comment="mod_session is earlier than 0:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403019" version="637">
      <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067010"/>
      <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
    </red-def:rpminfo_test>
    <red-def:rpminfo_test check="at least one" comment="mod_ssl is earlier than 1:2.4.57-5.el9" id="oval:org.almalinux.alsa:tst:20236403021" version="637">
      <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067011"/>
      <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403004"/>
    </red-def:rpminfo_test>
    <red-def:rpminfo_test check="at least one" comment="libvirt is earlier than 0:9.5.0-7.el9_3" id="oval:org.almalinux.alsa:tst:20236409001" version="636">
      <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228003001"/>
      <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236409001"/>
    </red-def:rpminfo_test>

i wonder if the presence of the package epoch prefix has anything to do with this :thinking:
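To make the epoch question concrete, here is an added example (not code from the poster, from OpenSCAP or from the AlmaLinux feed tooling) that parses two of the rpminfo_test elements quoted above, extracts the "is earlier than" threshold from each comment, and evaluates it against a constructed installed-package inventory using a simplified rpm EVR comparison. The namespace URI bound to the red-def prefix, the package inventory and the "epoch dropped" scenario at the end are assumptions made for the illustration; the final scenario shows only how losing a non-zero epoch can flip such a test, not what actually happened in the feed.

```python
import re
import xml.etree.ElementTree as ET

# Assumed: the OVAL Linux component schema namespace that the red-def prefix is bound to
# in the full feed (the snippet in the post is a fragment without the declaration).
OVAL_LINUX_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"

# Constructed input: two of the rpminfo_test elements quoted above, wrapped in a root
# element so the fragment parses on its own.
SNIPPET = f"""<tests xmlns:red-def="{OVAL_LINUX_NS}">
  <red-def:rpminfo_test check="at least one" comment="httpd is earlier than 0:2.4.57-5.el9"
      id="oval:org.almalinux.alsa:tst:20236403001" version="637">
    <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067001"/>
    <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403001"/>
  </red-def:rpminfo_test>
  <red-def:rpminfo_test check="at least one" comment="mod_ssl is earlier than 1:2.4.57-5.el9"
      id="oval:org.almalinux.alsa:tst:20236403021" version="637">
    <red-def:object object_ref="oval:org.almalinux.alsa:obj:20228067011"/>
    <red-def:state state_ref="oval:org.almalinux.alsa:ste:20236403004"/>
  </red-def:rpminfo_test>
</tests>"""

COMMENT_RE = re.compile(r"^(?P<pkg>\S+) is earlier than (?P<evr>\S+)$")


def parse_evr(evr):
    """Split 'epoch:version-release' into (int epoch, version, release); a missing epoch is 0."""
    head, sep, tail = evr.partition(":")
    epoch, rest = (int(head), tail) if sep else (0, evr)
    version, _, release = rest.partition("-")
    return epoch, version, release


def rpmvercmp(a, b):
    """Simplified rpm label comparison: walk numeric/alphabetic segments in order
    (numeric beats alphabetic, the label with more segments wins a tie).
    Tilde and caret handling of the real rpmvercmp is omitted."""
    if a == b:
        return 0
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Full EVR ordering: epoch first, then version, then release. Negative means a < b."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def load_tests(xml_text):
    """Return (test id, package name, threshold EVR) for each rpminfo_test comment."""
    root = ET.fromstring(xml_text)
    out = []
    for t in root.iter(f"{{{OVAL_LINUX_NS}}}rpminfo_test"):
        m = COMMENT_RE.match(t.get("comment", ""))
        if m:
            out.append((t.get("id"), m["pkg"], m["evr"]))
    return out


def evaluate(tests, installed):
    """Map each test id to True when the installed package is earlier than the threshold.
    A package that is not installed cannot satisfy an 'at least one' rpminfo test."""
    return {tid: pkg in installed and evr_cmp(installed[pkg], evr) < 0
            for tid, pkg, evr in tests}


# Constructed inventory in the shape `rpm -q --qf '%{EVR}'` prints: epoch omitted when it is 0.
INSTALLED = {"httpd": "2.4.57-5.el9", "mod_ssl": "1:2.4.57-5.el9"}

if __name__ == "__main__":
    tests = load_tests(SNIPPET)
    # Both tests evaluate to False: the fixed versions are installed.
    print(evaluate(tests, INSTALLED))
    # Hypothetical scenario: if an evaluator loses the installed epoch of mod_ssl,
    # 0:2.4.57-5.el9 really is earlier than 1:2.4.57-5.el9 and the test flips to True.
    print(evaluate(tests, {**INSTALLED, "mod_ssl": "2.4.57-5.el9"}))
```

Run it as a script to see the two result dictionaries; to check a real host, replace INSTALLED with the output of `rpm -qa --qf '%{NAME} %{EVR}\n'` and feed the full definitions file to load_tests.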

Thanks for such a great report @joexona!
I can reproduce the issue and it is indeed an issue in our OVAL generation process, thank you for spotting it. We already figured out what happened, the OVAL data will be fixed ASAP and we’ll make sure this doesn’t happen again.

my pleasure. thanks for addressing it!

1 Like