
False positive: CVE-2017-11624 CVE-2017-11625 CVE-2017-11627 on libqpdf26 package, FIXED-IN confusion between libqpdf26 and qpdf #2345

Open
sekveaja opened this issue Dec 19, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@sekveaja

What happened:

Scan on an image that has libqpdf26-9.0.2-150200.3.3.1.x86_64 installed.
It generates the following vulnerabilities:

```
NAME       INSTALLED           FIXED-IN              TYPE  VULNERABILITY   SEVERITY
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-11627  High
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-11625  High
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-11624  High
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-9210   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-9209   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-9208   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-12595  Low
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-11626  Low
```

What you expected to happen:

According to the SUSE advisories for CVE-2017-11624, CVE-2017-11625 and CVE-2017-11627,
the patches for these CVEs are applied from version libqpdf26-9.0.2-150200.3.3.1.x86_64.

See this link: https://www.suse.com/security/cve/CVE-2017-11624.html

```
SUSE Linux Enterprise Server 15 SP6
libqpdf26  >= 9.0.2-150200.3.3.1
qpdf       >= 10.3.1-150600.11.2
qpdf-devel >= 10.3.1-150600.11.2
```

Note: Grype's FIXED-IN seems to confuse libqpdf26 with qpdf (version 0:10.3.1-150600.11.2), where the recommended qpdf version in the SUSE advisory is 10.3.1-150600.11.2. That could be the cause that triggered these CVE findings.

How to reproduce it (as minimally and precisely as possible):

  1. Create the Dockerfile with this content:

```
FROM registry.suse.com/suse/sle15:15.6
RUN zypper in -y --no-recommends libqpdf26=9.0.2-150200.3.3.1
ENTRYPOINT [""]
CMD ["bash"]
```

  2. Build an image from the Dockerfile:

```
$ docker build -t "suse15.6_libqpdf26:v1" .
```

  3. Test with Grype now:

```
$ grype --distro sles:15.6 suse15.6_libqpdf26:v1 | grep libqpdf

libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-11627  High    (Problem reproduced)
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-11625  High    (Problem reproduced)
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-11624  High    (Problem reproduced)
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-9210   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-9209   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-9208   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-12595  Low
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-11626  Low
```

  4. Verify the package install in the image:

```
$ docker run -it suse15.6_libqpdf26:v1 rpm -qa | grep libqpdf26
libqpdf26-9.0.2-150200.3.3.1.x86_64
```

  5. Test with Syft:

```
$ syft suse15.6_libqpdf26:v1 | grep libqpdf

libqpdf26  9.0.2-150200.3.3.1  rpm
```

Environment:

  • Output of `grype version`: grype 0.86.1

  • OS (e.g: `cat /etc/os-release` or similar):

```
$ docker run -it suse15.6_libqpdf26:v1 cat /etc/release
NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
```

@sekveaja sekveaja added the bug Something isn't working label Dec 19, 2024
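To make the reporter's hypothesis checkable, here is an added example (not Grype's code, and not from the issue) that models how an RPM EVR match decides "vulnerable": a simplified `rpmvercmp` plus an epoch/version/release comparison, run against the advisory entries quoted above. The `fixed_key` parameter is an assumption used only to simulate looking up the `qpdf` FIXED-IN for the `libqpdf26` binary package; the `SUSE_FIXED` table is constructed from the advisory lines in the issue.

```python
import re

# Constructed from the SUSE advisory lines quoted in the issue (SLES 15 SP6).
SUSE_FIXED = {
    "libqpdf26": "9.0.2-150200.3.3.1",
    "qpdf": "10.3.1-150600.11.2",
    "qpdf-devel": "10.3.1-150600.11.2",
}


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into alternating numeric/alpha segments.
    Numeric segments compare as integers, alpha segments as strings, a numeric
    segment beats an alpha one, and leftover segments mean 'newer'.
    Tilde (~) and caret (^) ordering is deliberately not modelled here."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, version = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = version.partition("-")
    return int(epoch), version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def check(pkg, installed, fixed_key=None):
    """Flag `pkg` when its installed EVR sorts before FIXED-IN. `fixed_key`
    (assumed, not a Grype API) selects which advisory entry supplies FIXED-IN."""
    fixed = SUSE_FIXED[fixed_key or pkg]
    return evr_cmp(installed, fixed) < 0, fixed


if __name__ == "__main__":
    inst = "9.0.2-150200.3.3.1"
    print("libqpdf26 entry:", check("libqpdf26", inst))        # (False, ...)
    print("qpdf entry used:", check("libqpdf26", inst, "qpdf"))  # (True, ...)
```

With the per-package advisory entry the installed build is not flagged; with the qpdf entry substituted it is, which reproduces the FIXED-IN value shown in the report.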