Comments (2)
There is no binary package called vim, but it seems to be a source package name for a binary package such as vim-common.
[vagrant@rhel8 ~]$ rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH} %{MODULARITYLABEL} %{SOURCERPM}\n" | grep vim
vim-minimal 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm
vim-filesystem 2 8.0.1763 19.el8_6.4 noarch (none) vim-8.0.1763-19.el8_6.4.src.rpm
vim-common 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm
vim-enhanced 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm
In gost, it seems that vulnerabilities are tied to source package names.
https://github.com/aquasecurity/vuln-list-redhat/blob/8784a9f6a915cead963851da1111342e9e7224a8/api/2020/CVE-2020-20703.json#L5-L10
OVAL includes a binary package and, for some reason, a source package.
It seems that only unpatched ones contain the source package? (As far as I verified with the vim package.)
https://access.redhat.com/security/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2
<definition class="vulnerability" id="oval:com.redhat.cve:def:202020703" version="636">
<metadata>
<title>vim: buffer overflow (low)</title>
<reference ref_id="CVE-2020-20703" ref_url="https://access.redhat.com/security/cve/CVE-2020-20703" source="CVE"/>
<description>DOCUMENTATION: A use-after-free flaw was found in Vim. This issue allows a heap buffer overflow leading to a write access violation. This flaw allows the attacker to possibly have control over the write address and value, which may lead to an application crash.
STATEMENT: Red Hat Product Security has rated this issue as having a Low security impact, because the "victim" has to run an untrusted file IN SCRIPT MODE. Someone who is running untrusted files in script mode is equivalent to someone just taking a random python script and running it.
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/
MITIGATION: Untrusted vim scripts with -s [scriptin] are not recommended to run.</description>
<advisory from="[email protected]">
<severity>Low</severity>
<updated date="2024-02-07"/>
<cve cvss3="5.5/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" cwe="CWE-416->CWE-119" href="https://access.redhat.com/security/cve/CVE-2020-20703" impact="low" public="20230620">CVE-2020-20703</cve>
<affected>
<resolution state="Affected">
<component>vim</component>
<component>vim-X11</component>
<component>vim-common</component>
<component>vim-enhanced</component>
<component>vim-filesystem</component>
<component>vim-minimal</component>
</resolution>
</affected>
<affected_cpe_list>
<cpe>cpe:/a:redhat:enterprise_linux:8</cpe>
<cpe>cpe:/a:redhat:enterprise_linux:8::appstream</cpe>
<cpe>cpe:/a:redhat:enterprise_linux:8::crb</cpe>
<cpe>cpe:/a:redhat:enterprise_linux:8::highavailability</cpe>
<cpe>cpe:/a:redhat:enterprise_linux:8::nfv</cpe>
<cpe>cpe:/a:redhat:enterprise_linux:8::realtime</cpe>
<cpe>cpe:/a:redhat:enterprise_linux:8::resilientstorage</cpe>
<cpe>cpe:/a:redhat:enterprise_linux:8::sap</cpe>
<cpe>cpe:/a:redhat:enterprise_linux:8::sap_hana</cpe>
<cpe>cpe:/a:redhat:enterprise_linux:8::supplementary</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:8</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:8::baseos</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.cve:tst:20052541004"/>
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 8 is installed" test_ref="oval:com.redhat.cve:tst:20052541003"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="vim-minimal is installed" test_ref="oval:com.redhat.cve:tst:201820786009"/>
<criterion comment="vim-minimal is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786010"/>
</criteria>
<criteria operator="AND">
<criterion comment="vim is installed" test_ref="oval:com.redhat.cve:tst:201820786011"/>
<criterion comment="vim is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786012"/>
</criteria>
<criteria operator="AND">
<criterion comment="vim-common is installed" test_ref="oval:com.redhat.cve:tst:201820786003"/>
<criterion comment="vim-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786004"/>
</criteria>
<criteria operator="AND">
<criterion comment="vim-X11 is installed" test_ref="oval:com.redhat.cve:tst:201820786013"/>
<criterion comment="vim-X11 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786014"/>
</criteria>
<criteria operator="AND">
<criterion comment="vim-enhanced is installed" test_ref="oval:com.redhat.cve:tst:201820786007"/>
<criterion comment="vim-enhanced is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786008"/>
</criteria>
<criteria operator="AND">
<criterion comment="vim-filesystem is installed" test_ref="oval:com.redhat.cve:tst:201820786005"/>
<criterion comment="vim-filesystem is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786006"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
In the case of a modular package, it must be specified as <module name>:<stream>/<source package name> in gost.
https://github.com/aquasecurity/vuln-list-redhat/blob/e235751d3cb68756b4c4dd873170b694df8b1417/api/2024/CVE-2024-20984.json#L24-L29
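The mapping the comment above describes (vuls reports binary package names, gost keys its entries by source package name, and modular packages need the `<module>:<stream>/<source package name>` form) can be reproduced from the `rpm --queryformat` output quoted there. The following is an added example, not code from vuls or gost: it derives the gost lookup key for each installed package and shows that a lookup by binary name (`vim-common`) misses the entry that a lookup by source name (`vim`) finds. The nodejs line and the small `GOST_INDEX` are constructed for the example; the key format is assumed to be exactly what the comment states.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input (not from the page): the two vim lines mirror the
# rpm --queryformat output quoted in the comment; the nodejs line is a
# hypothetical modular package added to exercise the <module>:<stream>/<srpm> form.
SAMPLE_RPM_QA = """\
vim-minimal 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm
vim-common 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm
nodejs 1 16.19.1 1.module+el8.7.0+18075+d3a2fdd5 x86_64 nodejs:16:8070020230302185130:3b9f49c4 nodejs-16.19.1-1.module+el8.7.0+18075+d3a2fdd5.src.rpm
"""

# Hypothetical gost-style index keyed by source package name. The CVE id is the
# one discussed on the page; the index itself is constructed for this example.
GOST_INDEX: Dict[str, List[str]] = {"vim": ["CVE-2020-20703"]}

# SOURCERPM is "<name>-<version>-<release>.src.rpm"; version and release never
# contain '-', so a greedy name followed by two dash-free fields is unambiguous.
_SRPM_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.src\.rpm$")

# Field order matches the --queryformat string used in the comment.
_FIELDS = ["name", "epoch", "version", "release", "arch", "modularitylabel", "sourcerpm"]


def source_package_name(sourcerpm: str) -> str:
    """Strip '-<version>-<release>.src.rpm' from a SOURCERPM value."""
    m = _SRPM_RE.match(sourcerpm)
    if not m:
        raise ValueError(f"unexpected SOURCERPM value: {sourcerpm!r}")
    return m.group("name")


def parse_rpm_line(line: str) -> Dict[str, str]:
    """Split one line of the rpm -qa --queryformat output into named fields."""
    fields = line.split()
    if len(fields) != len(_FIELDS):
        raise ValueError(f"expected {len(_FIELDS)} fields, got {len(fields)}: {line!r}")
    return dict(zip(_FIELDS, fields))


def module_stream(modularitylabel: str) -> Optional[str]:
    """Return '<module>:<stream>' from MODULARITYLABEL, or None for a non-modular package.

    rpm prints the label as module:stream:version:context, or "(none)".
    """
    if modularitylabel in ("", "(none)"):
        return None
    parts = modularitylabel.split(":")
    if len(parts) < 2:
        raise ValueError(f"unexpected MODULARITYLABEL value: {modularitylabel!r}")
    return f"{parts[0]}:{parts[1]}"


def gost_key(pkg: Dict[str, str]) -> str:
    """Build the gost lookup key: '<srpm name>' or '<module>:<stream>/<srpm name>'."""
    src = source_package_name(pkg["sourcerpm"])
    stream = module_stream(pkg["modularitylabel"])
    return f"{stream}/{src}" if stream else src


def installed_gost_keys(rpm_qa_output: str) -> List[str]:
    """Distinct gost keys for every installed package in the query output."""
    keys = {gost_key(parse_rpm_line(line)) for line in rpm_qa_output.splitlines() if line.strip()}
    return sorted(keys)


def lookup(key: str, index: Dict[str, List[str]] = GOST_INDEX) -> List[str]:
    """CVE ids recorded under a key; empty when the key is not a source package name."""
    return index.get(key, [])


if __name__ == "__main__":
    for key in installed_gost_keys(SAMPLE_RPM_QA):
        print(f"{key}: {lookup(key) or 'no entries'}")
    # Binary name misses the entry that the derived source name finds.
    print("vim-common ->", lookup("vim-common"), "| vim ->", lookup("vim"))
```

Run stand-alone it prints one line per derived key; in a scanner the same derivation would run over the real `rpm -qa` output before querying gost, which is the "fix Scanner and use gost" option discussed in the next comment.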
There are two possible corrections.
- fix Scanner and use gost
- stop the use of gost and use the data containing Unpatched of OVALV2
In case 1, as before, OVAL is in charge of Patched and gost is in charge of Unpatched, but you must update the vuls scanner.
In case 2, no scanner update is required, but since unpatched data is not provided in the OVALs under RHEL 5, the detection of unpatched vulnerabilities is not possible once gost use is stopped.