False positive: CVE-2017-11624 CVE-2017-11625 CVE-2017-11627 on libqpdf26 package, FIXED-IN confusion between libqpdf26 and qpdf
What happened:
Scanning an image that has libqpdf26-9.0.2-150200.3.3.1.x86_64 installed generates the following vulnerabilities:
NAME       INSTALLED           FIXED-IN              TYPE  VULNERABILITY   SEVERITY
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-11627  High
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-11625  High
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-11624  High
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-9210   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-9209   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-9208   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-12595  Low
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm   CVE-2017-11626  Low
What you expected to happen:
According to the SUSE advisories for CVE-2017-11624, CVE-2017-11625 and CVE-2017-11627, the patches for these CVEs are applied from version libqpdf26-9.0.2-150200.3.3.1.x86_64.
See this link: https://www.suse.com/security/cve/CVE-2017-11624.html
SUSE Linux Enterprise Server 15 SP6
libqpdf26 >= 9.0.2-150200.3.3.1
qpdf >= 10.3.1-150600.11.2
qpdf-devel >= 10.3.1-150600.11.2
Note: Grype's FIXED-IN seems to confuse libqpdf26 with qpdf (version 0:10.3.1-150600.11.2), where the recommended qpdf version in the SUSE advisory is 10.3.1-150600.11.2. This could be the cause that triggered this CVE generation.
How to reproduce it (as minimally and precisely as possible):
- Create the Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.6
RUN zypper in -y --no-recommends libqpdf26=9.0.2-150200.3.3.1
ENTRYPOINT [""]
CMD ["bash"]
- Build an image from Dockerfile
$ docker build -t "suse15.6_libqpdf26:v1" .
- Test with Grype now
$ grype --distro sles:15.6 suse15.6_libqpdf26:v1 | grep libqpdf
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-11627  High    (Problem reproduced)
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-11625  High    (Problem reproduced)
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-11624  High    (Problem reproduced)
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-9210   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-9209   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-9208   Medium
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-12595  Low
libqpdf26  9.0.2-150200.3.3.1  0:10.3.1-150600.11.2  rpm  CVE-2017-11626  Low
- Verify package install in the image
$ docker run -it suse15.6_libqpdf26:v1 rpm -qa | grep libqpdf26
libqpdf26-9.0.2-150200.3.3.1.x86_64
- Test with Syft
$ syft suse15.6_libqpdf26:v1 | grep libqpdf
libqpdf26  9.0.2-150200.3.3.1  rpm
Environment:
- Output of grype version: grype 0.86.1
- OS (e.g. cat /etc/os-release or similar):
$ docker run -it suse15.6_libqpdf26:v1 cat /etc/release
NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
Hi @sekveaja thanks for the report! I was able to reproduce this issue.
It looks like what is basically happening is that Syft finds a package like this:
pkg:rpm/sles/libqpdf26@9.0.2-150200.3.3.1?arch=aarch64&distro=sles-15.6&upstream=qpdf-9.0.2-150200.3.3.1.src.rpm
Which is within the fixed range for libqpdf but the vulnerable range for qpdf. I'm surprised to see the installed RPM fixed at a lower version than the source RPM. We will need to investigate how Grype considers this data.
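The mechanism described in the report (reporter's note on FIXED-IN) and in the reply above (binary package inside the fixed range, source package inside the vulnerable range) can be shown with a small self-contained script. This is an added example, not code from the issue, Grype or Syft: it reimplements RPM epoch:version-release comparison in simplified form (rpm's rpmvercmp rules for numeric/alpha segments and `~`, without `^` handling or percent-decoding of pURL qualifiers), then evaluates the same installed package twice, once keyed on the binary package name and once keyed on the `upstream=` source package name. The advisory table is constructed from the versions quoted in the report; the pURL is the one from the reply.

```python
import re
from typing import Dict, Tuple

# --- RPM EVR comparison (simplified rpmvercmp / labelCompare) --------------
# Rules implemented: split into numeric and alphabetic segments (separators
# ignored); numeric segments compare numerically, alphabetic ones lexically;
# a numeric segment beats an alphabetic one in the same position; '~' sorts
# before anything else; the string with segments left over wins.
_TOKEN = re.compile(r"\d+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != y:                      # only one side is a pre-release marker
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():    # numeric beats alpha
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(ta) == len(tb):
        return 0
    a_longer = len(ta) > len(tb)
    rest = ta[len(tb):] if a_longer else tb[len(ta):]
    if rest[0] == "~":                      # leftover '~' makes the longer side lower
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release'; epoch is optional and defaults to 0,
    so Grype's '0:10.3.1-150600.11.2' and the advisory's '10.3.1-150600.11.2'
    parse to the same triple."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# --- The matching question from the issue ---------------------------------
# Constructed from the SUSE advisory table quoted in the report: each package
# name carries its own fixed version. The libqpdf26 sub-package was fixed at
# 9.0.2-150200.3.3.1 while the qpdf package was fixed at 10.3.1-150600.11.2.
ADVISORY_FIXED: Dict[str, str] = {
    "libqpdf26": "9.0.2-150200.3.3.1",
    "qpdf": "10.3.1-150600.11.2",
    "qpdf-devel": "10.3.1-150600.11.2",
}

# pURL from the maintainer's reply (constructed test input for this example)
PURL = ("pkg:rpm/sles/libqpdf26@9.0.2-150200.3.3.1"
        "?arch=aarch64&distro=sles-15.6&upstream=qpdf-9.0.2-150200.3.3.1.src.rpm")


def upstream_name(purl: str) -> str:
    """Source-package name from the pURL 'upstream=' qualifier:
    'qpdf-9.0.2-150200.3.3.1.src.rpm' -> 'qpdf'. Qualifiers are assumed
    to be plain (no percent-encoding) in this example."""
    qualifiers = dict(kv.split("=", 1) for kv in purl.split("?", 1)[1].split("&"))
    srpm = qualifiers["upstream"]
    if srpm.endswith(".src.rpm"):
        srpm = srpm[: -len(".src.rpm")]
    # NAME-VERSION-RELEASE; the name may contain '-', so split from the right
    return srpm.rsplit("-", 2)[0]


def is_vulnerable(installed_evr: str, fixed_evr: str) -> bool:
    """Vulnerable when the installed EVR sorts below the fixed EVR."""
    return evr_cmp(installed_evr, fixed_evr) < 0


def match_by_binary_name(name: str, evr: str, fixed=ADVISORY_FIXED) -> bool:
    return is_vulnerable(evr, fixed[name])


def match_by_upstream_name(purl: str, evr: str, fixed=ADVISORY_FIXED) -> bool:
    return is_vulnerable(evr, fixed[upstream_name(purl)])


if __name__ == "__main__":
    installed = "9.0.2-150200.3.3.1"
    print("keyed on binary name  :", match_by_binary_name("libqpdf26", installed))
    print("keyed on upstream name:", match_by_upstream_name(PURL, installed))
```

Keyed on the binary package name the installed version equals the advisory's fixed version and the package is reported clean; keyed on the `upstream=` source name it is compared against the qpdf fix (10.3.1) and comes out vulnerable, which is exactly the false positive in the report. A scanner that keeps per-binary-package fixed versions from the distro advisory avoids the mismatch; when only source-level data is available, the comparison should at least be flagged as source-derived so the reviewer knows the FIXED-IN value belongs to a different package than the one listed.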