Petter Reinholdtsen
2011-Jan-28 00:18 UTC
[Secure-testing-team] Comparing NVD and Debian CVE tracking
As I mentioned on IRC and debian-devel@, I have spent some time recently trying to set up a framework for comparing the set of affected packages reported by NVD and the Debian CVE list, and this work is starting to bring some useful results.

I've created a mapping between Debian source packages and CPE entries used in the CVE information in NVD. The result is in the secure-testing subversion tree, data/CPE/list. The data is probably not 100% accurate, but close enough to be useful.

One part of the check is to look in NVD for affected packages represented by CPEs, and for every CPE also listed as a source package in Debian, report a warning if the Debian source package is not listed as affected in data/CVE/list.

The first reported issue informs that <URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4530 > lists cpe:/a:muscle:pcsc-lite (Debian source package pcsc-lite) as affected, but the CVE entry for Debian does not say anything about this package. The latter looks like this:

  CVE-2010-4530 (Signedness error in ccid_serial.c in libccid in the USB Chip/Smart ...)
	- ccid 1.3.11-2 (unimportant; bug #607780)
	NOTE: CVE requested, http://seclists.org/oss-sec/2010/q4/356
	NOTE: Theoretical attack

I have not evaluated these issues, and would very much like feedback on this approach. I am aware that these issues might be bugs in either NVD or in the Debian CVE info, and believe the only way to figure out is to check each one.

Here is the complete list of such issues for the time period 2011-2008. There are 93 such issues reported at the moment.

warning: CVE-2010-4530 in NVD is not refering to cpe:/a:muscle:pcsc-lite found in Debian.
warning: CVE-2010-3975 in NVD is not refering to cpe:/a:adobe:flash_player found in Debian.
warning: CVE-2010-3490 in NVD is not refering to cpe:/a:freepbx:freepbx found in Debian.
warning: CVE-2010-3205 in NVD is not refering to cpe:/a:textpattern:textpattern found in Debian.
warning: CVE-2010-3192 in NVD is not refering to cpe:/a:gnu:glibc found in Debian.
warning: CVE-2010-2530 in NVD is not refering to cpe:/o:freebsd:freebsd found in Debian.
warning: CVE-2010-1988 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2010-1987 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2010-1986 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2010-1585 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2010-1516 in NVD is not refering to cpe:/a:swftools:swftools found in Debian.
warning: CVE-2010-1215 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2010-1207 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2010-0378 in NVD is not refering to cpe:/a:adobe:flash_player found in Debian.
warning: CVE-2009-4855 in NVD is not refering to cpe:/a:typo3:typo3 found in Debian.
warning: CVE-2009-4630 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-4130 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-4129 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-4102 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-4066 in NVD is not refering to cpe:/a:drupal:drupal found in Debian.
warning: CVE-2009-3984 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-3983 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-3982 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-3981 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-3980 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-3976 in NVD is not refering to cpe:/a:proftpd:proftpd found in Debian.
warning: CVE-2009-3479 in NVD is not refering to cpe:/a:drupal:drupal found in Debian.
warning: CVE-2009-3156 in NVD is not refering to cpe:/a:drupal:drupal found in Debian.
warning: CVE-2009-3014 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-3010 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-3007 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-2975 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-2696 in NVD is not refering to cpe:/a:apache:tomcat found in Debian.
warning: CVE-2009-2479 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-2478 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-2477 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-2464 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-2409 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-2030 in NVD is not refering to cpe:/a:sun:jdk found in Debian.
warning: CVE-2009-1955 in NVD is not refering to cpe:/a:apache:http_server found in Debian.
warning: CVE-2009-1840 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-1840 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-1828 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-1827 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-1690 in NVD is not refering to cpe:/a:google:chrome found in Debian.
warning: CVE-2009-1597 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-1313 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-1312 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-1309 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-1309 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-1308 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-1308 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-1307 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-1306 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-1306 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-1047 in NVD is not refering to cpe:/a:drupal:drupal found in Debian.
warning: CVE-2009-1044 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-0733 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-0733 in NVD is not refering to cpe:/a:gimp:gimp found in Debian.
warning: CVE-2009-0723 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-0723 in NVD is not refering to cpe:/a:gimp:gimp found in Debian.
warning: CVE-2009-0689 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-0581 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-0581 in NVD is not refering to cpe:/a:gimp:gimp found in Debian.
warning: CVE-2009-0253 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2008-6699 in NVD is not refering to cpe:/a:typo3:typo3 found in Debian.
warning: CVE-2008-5915 in NVD is not refering to cpe:/a:google:chrome found in Debian.
warning: CVE-2008-4724 in NVD is not refering to cpe:/a:google:chrome found in Debian.
warning: CVE-2008-4395 in NVD is not refering to cpe:/o:linux:kernel found in Debian.
warning: CVE-2008-4247 in NVD is not refering to cpe:/o:freebsd:freebsd found in Debian.
warning: CVE-2008-4226 in NVD is not refering to cpe:/a:xmlsoft:libxml found in Debian.
warning: CVE-2008-4225 in NVD is not refering to cpe:/a:xmlsoft:libxml found in Debian.
warning: CVE-2008-4120 in NVD is not refering to cpe:/a:flatpress:flatpress found in Debian.
warning: CVE-2008-3873 in NVD is not refering to cpe:/a:adobe:flash_player found in Debian.
warning: CVE-2008-2579 in NVD is not refering to cpe:/a:apache:http_server found in Debian.
warning: CVE-2008-2464 in NVD is not refering to cpe:/o:freebsd:freebsd found in Debian.
warning: CVE-2008-2452 in NVD is not refering to cpe:/a:typo3:typo3 found in Debian.
warning: CVE-2008-2451 in NVD is not refering to cpe:/a:typo3:typo3 found in Debian.
warning: CVE-2008-2450 in NVD is not refering to cpe:/a:typo3:typo3 found in Debian.
warning: CVE-2008-2419 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2008-2182 in NVD is not refering to cpe:/a:typo3:typo3 found in Debian.
warning: CVE-2008-1810 in NVD is not refering to cpe:/a:sap:maxdb found in Debian.
warning: CVE-2008-0732 in NVD is not refering to cpe:/a:apache:geronimo found in Debian.
warning: CVE-2008-0646 in NVD is not refering to cpe:/a:rasterbar_software:libtorrent found in Debian.
warning: CVE-2008-0618 in NVD is not refering to cpe:/a:wordpress:wordpress found in Debian.
warning: CVE-2008-0617 in NVD is not refering to cpe:/a:wordpress:wordpress found in Debian.
warning: CVE-2008-0616 in NVD is not refering to cpe:/a:wordpress:wordpress found in Debian.
warning: CVE-2008-0615 in NVD is not refering to cpe:/a:wordpress:wordpress found in Debian.
warning: CVE-2008-0491 in NVD is not refering to cpe:/a:wordpress:wordpress found in Debian.
warning: CVE-2008-0462 in NVD is not refering to cpe:/a:drupal:drupal found in Debian.
warning: CVE-2008-0358 in NVD is not refering to cpe:/a:pixelpost:pixelpost found in Debian.
warning: CVE-2008-0238 in NVD is not refering to cpe:/a:xine:xine-lib found in Debian.
warning: CVE-2008-0198 in NVD is not refering to cpe:/a:wordpress:wordpress found in Debian.

Happy hacking,
--
Petter Reinholdtsen
Yves-Alexis Perez
2011-Jan-28 07:00 UTC
[Secure-testing-team] Comparing NVD and Debian CVE tracking
On Fri., 2011-01-28 at 01:18 +0100, Petter Reinholdtsen wrote:
> I've created a mapping between Debian source packages and CPE entries
> used in the CVE information in NVD. The result is in the
> secure-testing subversion tree, data/CPE/list. The data is probably
> not 100% accurate, but close enough to be useful.

Btw I wonder if the CPE names could be matched against package names the same way packages are matched across distros (see the appinstaller meeting report by Enrico Zini: http://www.enricozini.org/2011/debian/distromatch/)

What it needs is:

----
The data it requires for a distribution should be rather straightforward to generate:

1. a file which maps binary package names to source package names
2. a file with the list of files in all the packages
----

In our case there's no binary packages, but there's no file list available either, so we only have the package name to feed the xapian index, not sure if it's enough for the heuristic to work.

(not sure if it's helpful either, we can keep the CPE/packages matching list in secure-testing repository and maintain it here)

Regards,
--
Yves-Alexis
Petter Reinholdtsen
2011-Jan-28 08:15 UTC
[Secure-testing-team] Comparing NVD and Debian CVE tracking
[Yves-Alexis Perez]
> Btw I wonder if the CPE names could be matched against package
> names the same way packages are matched across distros (see the
> appinstaller meeting report by Enrico Zini:
> http://www.enricozini.org/2011/debian/distromatch/)

I'm sure it could be used for this. There are two hurdles to overcome.

First, there is no CPE for all the packages in Debian (the focus has been on those with known security issues). Not a big problem, as the CPE dictionary is updated on request. We simply have to ask for new CPEs where they are missing.

The second problem is that the CPE usage in NVD and elsewhere is slightly inconsistent. Some programs are referred to using multiple IDs. Not quite sure why this could happen. Here is an example:

  cpe:/a:interchange_development_group:interchange
  cpe:/a:icdevgroup:interchange

We can of course handle this too, by documenting CPE aliases. I suspect such duplicates should be reported to the people handing out CPE IDs to try to get one of the IDs dropped and everyone to use only one ID for a given project. I find such duplicates by comparing the CVE database in Debian with the CVE database from NVD.

> What it needs is:
>
> ----
> The data it requires for a distribution should be rather straightforward
> to generate:
>
> 1. a file which maps binary package names to source package names
> 2. a file with the list of files in all the packages
> ----

The Packages list in the APT repository maps from binary to source package name, so that is already available in Debian.

> (not sure if it's helpful either, we can keep the CPE/packages
> matching list in secure-testing repository and maintain it here)

I believe it is best to keep the CPE IDs of Debian source packages in each individual package source file, to increase the chance of keeping it up-to-date and to allow those knowing the package best to control the setting. But for now I have settled for a central file, to get started before a way to store it in the source package is in place.

Happy hacking,
--
Petter Reinholdtsen
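The check described in the first message of this thread (for each CPE that NVD lists as affected and that maps to a Debian source package, warn when data/CVE/list does not mark that package as affected), extended with the CPE aliases and the "no CPE for every package" hurdle from the reply above, could be written as follows. This is an added example, not the script from the secure-testing repository. Assumptions: data/CPE/list is read as "source-package;cpe" lines (layout assumed, one pair per line), the NVD side is a hand-built {CVE: [CPE, ...]} extract, and every tracker entry except the CVE-2010-4530 block quoted in the thread is constructed for the example. It also runs the comparison in the reverse direction (package listed in Debian, none of its CPEs named by NVD), which the thread does not describe.

```python
import re
from collections import defaultdict

# Added example, not a secure-testing script. Constructed extract of
# data/CVE/list: the CVE-2010-4530 block is the one quoted in the thread,
# the other two entries are made up here.
DEBIAN_CVE_LIST = """\
CVE-2010-4530 (Signedness error in ccid_serial.c in libccid in the USB Chip/Smart ...)
\t- ccid 1.3.11-2 (unimportant; bug #607780)
\tNOTE: CVE requested, http://seclists.org/oss-sec/2010/q4/356
\tNOTE: Theoretical attack
CVE-2009-3976 (description elided)
\tNOT-FOR-US: Labtam ProFTP (constructed entry)
CVE-2010-3192 (description elided)
\t- eglibc <unfixed> (unimportant; constructed entry)
"""

# Constructed CPE mapping; the 'source-package;cpe' layout is an assumption.
# interchange has two CPE aliases, cpe:/a:gnu:glibc two source packages.
CPE_LIST = """\
# source-package;cpe
pcsc-lite;cpe:/a:muscle:pcsc-lite
proftpd;cpe:/a:proftpd:proftpd
eglibc;cpe:/a:gnu:glibc
glibc;cpe:/a:gnu:glibc
interchange;cpe:/a:icdevgroup:interchange
interchange;cpe:/a:interchange_development_group:interchange
"""

# Constructed NVD extract: the CPEs the thread's warnings say NVD lists.
NVD_AFFECTED = {
    "CVE-2010-4530": ["cpe:/a:muscle:pcsc-lite"],
    "CVE-2009-3976": ["cpe:/a:proftpd:proftpd"],
    "CVE-2010-3192": ["cpe:/a:gnu:glibc"],
}

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\b")
PKG_RE = re.compile(r"^\t- (\S+) ")


def parse_debian_cve_list(text):
    """{cve: set of source packages listed as affected}; an entry with no
    '- package' line (NOT-FOR-US, RESERVED, ...) maps to an empty set."""
    affected, current = {}, None
    for line in text.splitlines():
        m = CVE_RE.match(line)
        if m:
            current = m.group(1)
            affected.setdefault(current, set())
            continue
        m = PKG_RE.match(line)
        if m and current is not None:
            affected[current].add(m.group(1))
    return affected


def parse_cpe_map(text):
    """{cpe: set of Debian source packages}; many-to-many on purpose."""
    cpe_to_pkgs = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pkg, cpe = (p.strip() for p in line.split(";", 1))
            cpe_to_pkgs[cpe].add(pkg)
    return dict(cpe_to_pkgs)


def cross_check(nvd_affected, cpe_to_pkgs, debian_affected):
    """Sorted (cve, kind, detail) findings. kinds: nvd-only (NVD names a CPE
    whose Debian package(s) the tracker does not mark affected: the warning
    from the thread), debian-only (tracker lists a package none of whose CPEs
    NVD names), no-cpe (tracked package without any CPE), not-tracked."""
    pkg_to_cpes = defaultdict(set)
    for cpe, pkgs in cpe_to_pkgs.items():
        for pkg in pkgs:
            pkg_to_cpes[pkg].add(cpe)
    findings = []
    for cve, cpes in nvd_affected.items():
        deb_pkgs = debian_affected.get(cve)
        if deb_pkgs is None:
            findings.append((cve, "not-tracked", "CVE not in data/CVE/list"))
            continue
        for cpe in cpes:
            pkgs = cpe_to_pkgs.get(cpe, set())
            # A CPE that is no Debian source package is nothing to compare.
            if pkgs and not pkgs & deb_pkgs:
                findings.append((cve, "nvd-only", f"{cpe} ({', '.join(sorted(pkgs))}) "
                                 "not listed as affected in Debian"))
        for pkg in sorted(deb_pkgs):
            known = pkg_to_cpes.get(pkg)
            if not known:
                findings.append((cve, "no-cpe", f"no CPE known for {pkg}"))
            elif not known & set(cpes):
                findings.append((cve, "debian-only", f"{pkg} in Debian but NVD names "
                                 f"none of {', '.join(sorted(known))}"))
    return sorted(findings)


def run_example():
    return cross_check(NVD_AFFECTED, parse_cpe_map(CPE_LIST),
                       parse_debian_cve_list(DEBIAN_CVE_LIST))
```

Running run_example() on the constructed data yields three findings: CVE-2010-4530 is reported as nvd-only (pcsc-lite is not in the tracker entry) and no-cpe (ccid has no CPE in the mapping), and CVE-2009-3976 as nvd-only (the NOT-FOR-US entry lists no package). CVE-2010-3192 produces nothing, because the many-to-many mapping lets the tracker's eglibc satisfy NVD's cpe:/a:gnu:glibc; a one-to-one mapping would have flagged it as a false positive.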
Michael Gilbert
2011-Jan-28 16:31 UTC
[Secure-testing-team] Comparing NVD and Debian CVE tracking
On Fri, 28 Jan 2011 01:18:07 +0100, Petter Reinholdtsen wrote:
> The first reported issue informs that
> <URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4530 >
> lists cpe:/a:muscle:pcsc-lite (Debian source package pcsc-lite) as
> affected, but the CVE entry for Debian does not say anything about this
> package. The latter looks like this:
>
> CVE-2010-4530 (Signedness error in ccid_serial.c in libccid in the
> USB Chip/Smart ...)
> - ccid 1.3.11-2 (unimportant; bug #607780)
> NOTE: CVE requested, http://seclists.org/oss-sec/2010/q4/356
> NOTE: Theoretical attack

That's because the affected code is not present in the Debian pcsc-lite source package. It's in the ccid driver source package instead. I checked this when I created the original entries for these issues. It may be that the two separate Debian source packages are part of the same upstream release? If so, you'll need to update the CPE list to reflect that.

> I have not evaluated these issues, and would very much like feedback
> on this approach. I am aware that these issues might be bugs in
> either NVD or in the Debian CVE info, and believe the only way to
> figure out is to check each one.
>
> Here is the complete list of such issues for the time period
> 2011-2008. There are 93 such issues reported at the moment.

This is a good list, and I'll take a look at it in a bit more detail when I have some free time. Right now, I see a couple of issues:

1. According to Moritz, flash player should not be tracked (even though there is a Debian package in non-free). Personally, I think all packages in the Debian archives should be tracked, but I defer to his judgment on this.

2. The description for CVE-2009-3976 seems to implicate labtam proftp, not proftpd, so the CVE entry is likely wrong if it references /a:proftpd:proftpd. Not sure how that is corrected? A message to oss-security?

3. Similar for CVE-2008-4395, the linux kernel itself shouldn't be in the NVD entry since it's an issue in the separate ndiswrapper module.

4. There has been a lot of churn in the mozilla source package name, so that may explain a lot of those; though I'll have to look at that in more detail.

5. swftools has been removed, so it shouldn't show up there.

Thanks for compiling this.

Best wishes,
Mike
Petter Reinholdtsen
2012-Apr-13 12:12 UTC
[Secure-testing-team] Comparing NVD and Debian CVE tracking
[Petter Reinholdtsen 2011-01-28]
> I believe it is best to keep the CPE ids of Debian source packages
> in each individual package source file, to increase the chance of
> keeping it up-to-date and to allow those knowing the package best to
> control the setting. But for now I have settled for a central file,
> to get started before a way to store it in the source package is in
> place.

I finally found some time to work on this again today, and wrote <URL: http://wiki.debian.org/CPEtagPackagesDep > as a DEP to get the CPE information into each individual package. Anyone interested in working on this with me?

--
Happy hacking,
Petter Reinholdtsen