Research vulnerable packages for usage in VDT System tests #4529

Closed
20 tasks done
Tracked by #4369
Deblintrake09 opened this issue Sep 19, 2023 · 18 comments

@Deblintrake09
Contributor

Deblintrake09 commented Sep 19, 2023

| Target version | Related issue | Related PR/dev branch |
|---|---|---|
| 4.8.0 | #4369 | |

Description

This Issue aims to research packages usable for the different OSs that will be supported in the new Vulnerability Detector System tests, for each test case.

Systems

  • Windows 11
  • Windows Server 2022
  • MacOS Sonoma
    • arm64
    • x64
  • Centos 7
    • arm64
    • x64
  • Ubuntu 22.04
    • arm64
    • x64

Test cases

  • E2E-VD-3: Installation of a vulnerable package
  • E2E-VD-4: Updating a vulnerable package that remains vulnerable to the same CVE
  • E2E-VD-5: Updating a vulnerable package that becomes vulnerable to another CVE
  • E2E-VD-6: Updating a vulnerable package that becomes vulnerable to another CVE and retains the previous one
  • E2E-VD-7: Updating a vulnerable package that ceases to be vulnerable
  • E2E-VD-8: Deleting a vulnerable package
  • E2E-VD-9: Installation of a non-vulnerable package
  • E2E-VD-10: Updating a non-vulnerable package that remains non-vulnerable
  • E2E-VD-11: Updating a non-vulnerable package that becomes vulnerable

Considerations

  • Since the tests are aimed at real-world test cases, neither the packages nor the feeds should be mocked.
  • Packages are required for ARM64 and x64
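
The transitions listed under "Test cases" can be checked mechanically when vetting a candidate version chain. This is an added example, not part of the original issue or of the Wazuh test code; the function names, the placeholder CVE ids and the rule that an update adding no new CVE counts as E2E-VD-4 are assumptions.

```python
from typing import List, Optional, Set, Tuple

# State of a package on the agent: None = not installed,
# set() = installed with no known CVE, non-empty set = vulnerable.
State = Optional[Set[str]]


def classify_transition(before: State, after: State) -> Optional[str]:
    """Map a package state change to the issue's test case id (None if no case fits)."""
    if before is None:                      # installation
        if after is None:
            return None
        return "E2E-VD-3" if after else "E2E-VD-9"
    if after is None:                       # removal; only the vulnerable case is listed
        return "E2E-VD-8" if before else None
    if not before:                          # update of a non-vulnerable package
        return "E2E-VD-11" if after else "E2E-VD-10"
    if not after:                           # update clears every CVE
        return "E2E-VD-7"
    added, kept = after - before, after & before
    if not added:                           # assumption: no new CVE counts as "same CVE"
        return "E2E-VD-4"
    return "E2E-VD-6" if kept else "E2E-VD-5"


def check_chain(steps: List[Tuple[str, State]], expected: List[str]) -> List[str]:
    """Compare each consecutive step of a version chain with the case it should cover."""
    problems = []
    previous: State = None
    for (version, cves), want in zip(steps, expected):
        got = classify_transition(previous, cves)
        if got != want:
            problems.append(f"{version}: expected {want}, got {got}")
        previous = cves
    return problems


# Constructed sample chain; versions and CVE ids are placeholders, not real data.
SAMPLE_CHAIN = [
    ("pkg 1.0", {"CVE-EXAMPLE-A"}),
    ("pkg 1.1", {"CVE-EXAMPLE-A"}),
    ("pkg 2.0", {"CVE-EXAMPLE-B"}),
    ("pkg 2.1", {"CVE-EXAMPLE-B", "CVE-EXAMPLE-C"}),
    ("pkg 3.0", set()),
]
SAMPLE_EXPECTED = ["E2E-VD-3", "E2E-VD-4", "E2E-VD-5", "E2E-VD-6", "E2E-VD-7"]

if __name__ == "__main__":
    print(check_chain(SAMPLE_CHAIN, SAMPLE_EXPECTED) or "chain covers E2E-VD-3..7")
```
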
@Deblintrake09
Contributor Author

Deblintrake09 commented Oct 6, 2023

Proposed packages

X86_64

System E2E-VD-3 E2E-VD-4 E2E-VD-5 E2E-VD-6 E2E-VD-7 E2E-VD-9 E2E-VD-10 E2E-VD-11
  • Windows 11
    • CVE-2022-41325 - VLC Media Player 3.0.6
    • Maintains CVE-2022-41325 - VLC Media Player 3.0.6 -> 3.0.7
    • Loses CVE-2019-13962 / Adds CVE-2019-14437 - VLC Media Player 3.0.7 -> 3.0.7.1
    • Maintains CVE-2022-41325 / Adds CVE-2021-25801 - VLC Media Player 3.0.7.1 -> 3.0.11
    • Loses CVE-2021-25801 / No new vulns - VLC Media Player 3.0.11 -> 3.0.12
    • No CVE - VLC Media Player 3.0.18
    • No CVE - VLC Media Player 3.0.19
    • NO CVE - Adds CVE-2023-44487 - Nodejs 19.7.0 -> Nodejs v20.0.0
  • Windows Server 2022
    • CVE-2022-41325 - VLC Media Player 3.0.6
    • Maintains CVE-2022-41325 - VLC Media Player 3.0.6 -> 3.0.7
    • Loses CVE-2019-13962 / Adds CVE-2019-14437 - VLC Media Player 3.0.7 -> 3.0.7.1
    • Maintains CVE-2022-41325 / Adds CVE-2021-25801 - VLC Media Player 3.0.7.1 -> 3.0.11
    • Loses CVE-2021-25801 / No new vulns - VLC Media Player 3.0.11 -> 3.0.12
    • No CVE - VLC Media Player 3.0.18
    • No CVE - VLC Media Player 3.0.19
    • NO CVE - Adds CVE-2023-44487 - Nodejs 19.7.0 -> Nodejs v20.0.0
  • Ubuntu 2022
    • CVE-2023-33244 - Obsidian 0.13.23
    • Maintains CVE-2023-33244 - Obsidian 0.13.24
    • Maintains CVE-2023-33244 / Adds CVE-2023-27035 - Obsidian 1.1.9
    • Loses CVE-2023-33244 - Obsidian 1.2.8
    • NO CVEs - Obsidian 1.2.8
  • Centos 7
    • New CVE-2018-15173 - NMap 6.46-1
    • Maintains CVE-2018-15173 - NMap 6.47-1
    • Maintains CVE-2018-15173 / New CVE-2018-1000161 - NMap 7.00-1
    • New CVE-2017-18594 / Solved CVE-2018-1000161 - NMap 7.70-1
    • Solves CVE-2017-18594 + CVE-2018-15173 - NMap 7.80-1
    • No CVE - NMap 7.80-1
    • No CVE - NMap 7.90-1
    • PostgreSQL 14.9 -> PostgreSQL 15.4
  • macOS
    • New CVE-2014-9323 - Firebird 2.0.7
    • Maintains CVE-2014-9323 / - Firebird 2.0.7 -> 2.1.3
    • Loses CVE-2013-2492 - Firebird 2.1.3 -> 2.1.6
    • No CVEs - Firebird 2.1.7
    • No CVEs - Firebird 2.1.7 -> 2.5.8
    • Becomes vuln CVE-2014-9323 / - Firebird 2.1.7 -> 2.5.0

ARM64

System E2E-VD-3 E2E-VD-4 E2E-VD-5 E2E-VD-6 E2E-VD-7 E2E-VD-9 E2E-VD-10 E2E-VD-11
Ubuntu 22
Centos 7
macOS

@wazuhci wazuhci moved this from Backlog to In progress in Release 4.8.0 Oct 9, 2023
@wazuhci wazuhci moved this from In progress to On hold in Release 4.8.0 Oct 10, 2023
@Deblintrake09 Deblintrake09 self-assigned this Oct 11, 2023
@wazuhci wazuhci moved this from On hold to In progress in Release 4.8.0 Oct 11, 2023
@Deblintrake09
Contributor Author

Update

  • Research possible packages for Ubuntu
    • Firefox does not have built packages, only folders saved that have to be manually installed, and are not detected by VDT.
    • Trying to build the package from sources causes the package to not be detected because the vendor is not the correct one.
    • Research other package options:
      • Difficulties getting old packages. Usually not present.
      • Installing old packages causes issues with required dependencies for the package.

@Deblintrake09
Contributor Author

Deblintrake09 commented Oct 12, 2023

Update

  • Research building vim locally for Ubuntu using version 8.1.2135 for CVE-2020-20703, gets invalid version installed

  • Download package source from repository, installs version 8.1.3741


  • Installed v8.1.2134 from sources. Installed version is not detected
```
root@ubuntu-focal:/home/vagrant/vim-8.1.2134/src# vim --version
VIM - Vi IMproved 8.1 (2018 May 18, compiled Oct 12 2023 21:42:02)
Included patches: 1-2134
Compiled by vagrant@ubuntu-focal
Huge version without GUI.  Features included (+) or not (-):
+acl               -farsi             -mouse_sysmouse    -tag_any_white
+arabic            +file_in_path      +mouse_urxvt       -tcl
+autocmd           +find_in_path      +mouse_xterm       +termguicolors
+autochdir         +float             +multi_byte        +terminal
-autoservername    +folding           +multi_lang        +terminfo
-balloon_eval      -footer            -mzscheme          +termresponse
+balloon_eval_term +fork()            +netbeans_intg     +textobjects
-browse            -gettext           +num64             +textprop
++builtin_terms    -hangul_input      +packages          +timers
+byte_offset       +iconv             +path_extra        +title
+channel           +insert_expand     -perl              -toolbar
+cindent           +job               +persistent_undo   +user_commands
-clientserver      +jumplist          +postscript        +vartabs
-clipboard         +keymap            +printer           +vertsplit
+cmdline_compl     +lambda            +profile           +virtualedit
+cmdline_hist      +langmap           -python            +visual
+cmdline_info      +libcall           -python3           +visualextra
+comments          +linebreak         +quickfix          +viminfo
+conceal           +lispindent        +reltime           +vreplace
+cryptv            +listcmds          +rightleft         +wildignore
+cscope            +localmap          -ruby              +wildmenu
+cursorbind        -lua               +scrollbind        +windows
+cursorshape       +menu              +signs             +writebackup
+dialog_con        +mksession         +smartindent       -X11
+diff              +modify_fname      -sound             -xfontset
+digraphs          +mouse             +spell             -xim
-dnd               -mouseshape        +startuptime       -xpm
-ebcdic            +mouse_dec         +statusline        -xsmp
+emacs_tags        -mouse_gpm         -sun_workshop      -xterm_clipboard
+eval              -mouse_jsbterm     +syntax            -xterm_save
+ex_extra          +mouse_netterm     +tag_binary
+extra_search      +mouse_sgr         -tag_old_static
   system vimrc file: "$VIM/vimrc"
     user vimrc file: "$HOME/.vimrc"
 2nd user vimrc file: "~/.vim/vimrc"
      user exrc file: "$HOME/.exrc"
       defaults file: "$VIMRUNTIME/defaults.vim"
  fall-back for $VIM: "/usr/local/share/vim"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H     -O2 -fno-strength-reduce -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
Linking: gcc   -L/usr/local/lib -Wl,--as-needed -o vim        -lm -ltinfo -lnsl  -ldl
```
  • Package shown is old version that was removed

@Rebits Rebits self-assigned this Oct 13, 2023
@Rebits
Member

Rebits commented Oct 13, 2023

I have conducted research on potential vulnerable package options. We propose using the following applications to conduct the suggested tests.

  • centOS:
    • nmap
    • vbox
    • libreoffice
  • Windows
    • nmap
    • vbox
    • gimp
    • libreoffice
  • Ubuntu
    • Libreoffice
  • macOS
    • Libreoffice
    • vbox

@Rebits
Member

Rebits commented Oct 18, 2023

Parallel approach packages

In order to proceed with a parallel approach, we need to use different packages for each test because pytest-xdist does not allow dependent test cases.

| Case | Packages | Download Links | CVE Information |
|---|---|---|---|
| Vulnerability Package Installation | Firebird 2.0.7 | RPM, Deb: None, Win, macOS | Firebirdsql2.0.7 |
| Updating a vulnerable package that remains vulnerable to the same CVE | Rclone 1.49.5 -> 1.50.0 | RPM1495, RPM1500, DEB1495, DEB1500, Win1495, Win1500, macOS: None | RClone1.49.5, RClone1.50.0 |
| Updating a vulnerable package that becomes vulnerable to another CVE | Nmap 6.47 -> 7.00 | RPM647, RPM700, WIN647, WIN700, macOS647, macOS700, Deb: None | Nmap6.47, Nmap7.00 |
| Vulnerable package that update is also vulnerable to another CVE | MongoDB 4.2.11 -> 4.4.10 | RPM4211, RPM4410, DEB4211, DEB4410, WIN4211, WIN4410, macOS, macOS | MongoDB4.2.11, MongoDB4.4.10 |
| Vulnerable package that update cease to be vulnerable | Webmin 2.000 -> 2.003 | RPM2003, RPM2000, DEB2003, deb2000 | WebMin |
| Non-vulnerable package | BleachBit 4.4.2 | RPM, DEB, Win | None |
| Non-vulnerable package that remain non-vulnerable update | Mercurial 4.9.1 -> 6.5.1 | RPM491, RPM651, DEB none, Windows None, macOS None | Mercurial4.9.1 |
| Non-vulnerable package that become vulnerable | CouchDB 3.2.3 -> 3.3.0 | RPM323, RPM330, DEB323, DEB330, Win: None, macOS: None | Couchdb323, Couchdb332 |

@Deblintrake09
Contributor Author

Update Research 18/10/2023

  • Tried to find vulnerable packages for Windows. Some packages that were expected to be vulnerable did not report vulnerabilities. Asked core team to validate behavior. Tested:
    • Git v2.39.2, 2.40.0
    • couchDB
    • postgresql
    • Chrome

@Deblintrake09
Contributor Author

Deblintrake09 commented Oct 19, 2023

Update Research 19/10/2023

  • Completed Centos test cases
  • Added Ubuntu cases E2E-VD-3 through E2E-VD-7
  • Added Windows case E2E-VD-6
  • Researched possible deb, macos and Windows candidates:
    • postman
    • hexchat
    • meld
    • terminator
    • vim
    • spotify
    • pycharm
    • gimp -> Uses flatpak in debian.
    • docker -> could not get old packages
    • Libreoffice -> could not get old packages
    • okular
    • flameshot
    • krita
    • inkscape
    • tomcat - no installer
    • bookkeeper - no installer
    • perl - no packages - installs from sources

@Deblintrake09
Contributor Author

Update Research 20/10/2023

  • Updated Windows test cases
  • Research possible macos Candidates

@Rebits
Member

Rebits commented Oct 25, 2023

Regarding the new changes in the test requirements, it is required to research possible packages for ARM architectures: #4369 (comment)

@wazuhci wazuhci moved this from In progress to On hold in Release 4.8.0 Oct 27, 2023
@juliamagan juliamagan self-assigned this Nov 8, 2023
@juliamagan
Member

Update

Started reviewing information on installing specific packages in macOS ARM

@wazuhci wazuhci moved this from On hold to In progress in Release 4.8.0 Nov 8, 2023
@Rebits
Member

Rebits commented Nov 9, 2023

Meeting with @juliamagan regarding research of ARM packages.

It seems nodejs could be a good option to supply almost all the cases for macOS: https://nodejs.org/dist/
Further research is required

@juliamagan
Member

juliamagan commented Nov 9, 2023

macOS ARM

| Case | Packages | Download links | CVE info |
|---|---|---|---|
| E2E-VD-3: Installation of a vulnerable package | Nodejs 17.0.1 | node-v17.0.1.pkg | Node.js-17.0.1 |
| E2E-VD-4: Updating a vulnerable package that remains vulnerable to the same CVE | Nodejs 17.0.1 -> 17.1.0 | node-v17.1.0.pkg | Node.js-17.1.0 |
| E2E-VD-5: Updating a vulnerable package that becomes vulnerable to another CVE | Nodejs 17.1.0 -> 18.0.0 | node-v18.0.0.pkg | Node.js-18.0.0 |
| E2E-VD-6: Updating a vulnerable package that becomes vulnerable to another CVE and retains the previous one | Nodejs 18.0.0 -> 18.0.1 | node-v18.0.1.pkg | Node.js-18.0.1 |
| E2E-VD-7: Updating a vulnerable package that ceases to be vulnerable | Nodejs 18.0.1 -> 19.5.0 | node-v19.5.0.pkg | Node.js-19.5.0 |
| E2E-VD-8: Deleting a vulnerable package | Any of the previous ones | - | - |
| E2E-VD-9: Installation of a non-vulnerable package | Nodejs 19.5.0 | node-v19.5.0.pkg | Node.js-19.5.0 |
| E2E-VD-10: Updating a non-vulnerable package that remains non-vulnerable | Nodejs 19.5.0 -> 19.6.0 | node-v19.6.0.pkg | Node.js-19.6.0 |
| E2E-VD-11: Updating a non-vulnerable package that becomes vulnerable | Nodejs 19.6.0 -> 20.0.0 | node-v20.0.0.pkg | Node.js-20.0.0 |

CentOS 7

| Case | Packages | Download links | CVE info |
|---|---|---|---|
| E2E-VD-3: Installation of a vulnerable package | | | |
| E2E-VD-4: Updating a vulnerable package that remains vulnerable to the same CVE | | | |
| E2E-VD-5: Updating a vulnerable package that becomes vulnerable to another CVE | | | |
| E2E-VD-6: Updating a vulnerable package that becomes vulnerable to another CVE and retains the previous one | | | |
| E2E-VD-7: Updating a vulnerable package that ceases to be vulnerable | | | |
| E2E-VD-8: Deleting a vulnerable package | Any of the previous ones | - | - |
| E2E-VD-9: Installation of a non-vulnerable package | | | |
| E2E-VD-10: Updating a non-vulnerable package that remains non-vulnerable | | | |
| E2E-VD-11: Updating a non-vulnerable package that becomes vulnerable | | | |

It has been more difficult to find packages for CentOS than for macOS. It seemed that Docker could be a good option, but we are missing packages for the last two cases. Although there are future versions that may not be vulnerable or have new vulnerabilities, we found no information about these packages.

Docker:
18.09.5 -> 18.09.6 -> 19.03.0 (2) -> 20.10.15 -> Any of the previous ones -> 20.10.15
18.03.0 -> 18.06.0 ->

@juliamagan
Member

juliamagan commented Nov 10, 2023

CentOS 7

| Case | Packages | Download links | CVE info |
|---|---|---|---|
| E2E-VD-3: Installation of a vulnerable package | Postgresql 11.17 | postgresql11-libs-11.17 and postgresql11-11.17 | Postgresql-11.17 |
| E2E-VD-4: Updating a vulnerable package that remains vulnerable to the same CVE | Postgresql 11.17 -> 11.18 | postgresql11-libs-11.18 and postgresql11-11.18 | Postgresql-11.18 |
| E2E-VD-5: Updating a vulnerable package that becomes vulnerable to another CVE | Postgresql 11.18 -> 11.20 | postgresql11-libs-11.20 and postgresql11-11.20 | Postgresql-11.20 |
| E2E-VD-6: Updating a vulnerable package that becomes vulnerable to another CVE and retains the previous one | Postgresql 11.20 -> 12.12 | postgresql12-libs-12.12 and postgresql12-12.12 | Postgresql-12.12 |
| E2E-VD-7: Updating a vulnerable package that ceases to be vulnerable | Postgresql 12.12 -> 12.16 | postgresql12-libs-12.16 and postgresql12-12.16 | Postgresql-12.16 |
| E2E-VD-8: Deleting a vulnerable package | Any of the previous ones | - | - |
| E2E-VD-9: Installation of a non-vulnerable package | Postgresql 12.16 | postgresql12-libs-12.16 and postgresql12-12.16 | Postgresql-12.16 |
| E2E-VD-10: Updating a non-vulnerable package that remains non-vulnerable | Postgresql 12.16 -> 13.12 | postgresql13-libs-13.12 and postgresql13-13.12 | Postgresql-13.12 |
| E2E-VD-11: Updating a non-vulnerable package that becomes vulnerable | Postgresql 13.12 -> 14.5 | postgresql14-libs-14.5 and postgresql14-14.5 | Postgresql-14.5 |

Ubuntu 22

  • VSCODE: missing latest version with vulnerabilities
  • Postgresql: only 11.22 is available
  • FFMPEG: missing a version without vulnerabilities
  • Docker: missing latest version with vulnerabilities

@juliamagan
Member

Ubuntu 22

| Case | Packages | Download links | CVE info |
|---|---|---|---|
| E2E-VD-3: Installation of a vulnerable package | Grafana 8.5.5 | grafana-enterprise_8.5.5_arm64.deb | Grafana-8.5.5 |
| E2E-VD-4: Updating a vulnerable package that remains vulnerable to the same CVE | Grafana 8.5.5 -> 8.5.6 | grafana-enterprise_8.5.6_arm64.deb | Grafana-8.5.6 |
| E2E-VD-5: Updating a vulnerable package that becomes vulnerable to another CVE | Grafana 8.5.6 -> 9.1.1 | grafana-enterprise_9.1.1_arm64.deb | Grafana-9.1.1 |
| E2E-VD-6: Updating a vulnerable package that becomes vulnerable to another CVE and retains the previous one | Grafana 9.1.1 -> 9.2.0 | grafana-enterprise_9.2.0_arm64.deb | Grafana-9.2.0 |
| E2E-VD-7: Updating a vulnerable package that ceases to be vulnerable | Grafana 9.2.0 -> 9.4.17 | grafana-enterprise_9.4.17_arm64.deb | Grafana-9.4.17 |
| E2E-VD-8: Deleting a vulnerable package | Any of the previous ones | - | - |
| E2E-VD-9: Installation of a non-vulnerable package | Grafana 9.4.17 | grafana-enterprise_9.4.17_arm64.deb | Grafana-9.4.17 |
| E2E-VD-10: Updating a non-vulnerable package that remains non-vulnerable | Grafana 9.4.17 -> 9.5.13 | grafana-enterprise_9.5.13_arm64.deb | Grafana-9.5.13 |
| E2E-VD-11: Updating a non-vulnerable package that becomes vulnerable | Grafana 9.4.17 -> 10.0.0 | grafana-enterprise_10.0.0_arm64.deb | Grafana-10.0.0 |

@juliamagan
Member

Remaining AMD64 Packages

macOS

We can use the same Nodejs packages

Ubuntu

We can use the same Grafana packages

@wazuhci wazuhci moved this from In progress to Pending review in Release 4.8.0 Nov 13, 2023
@juliamagan
Member

juliamagan commented Nov 13, 2023

Conclusion

arm64

| System | E2E-VD-3 | E2E-VD-4 | E2E-VD-5 | E2E-VD-6 | E2E-VD-7 | E2E-VD-8 | E2E-VD-9 | E2E-VD-10 | E2E-VD-11 |
|---|---|---|---|---|---|---|---|---|---|
| macOS Sonoma | node-v17.0.1.pkg | node-v17.1.0.pkg | node-v18.0.0.pkg | node-v18.0.1.pkg | node-v19.5.0.pkg | Any of the previous ones (except 19.5.0) | node-v19.5.0.pkg | node-v19.6.0.pkg | node-v20.0.0.pkg |
| CentOS 7 | postgresql11-libs-11.17 and postgresql11-11.17 | postgresql11-libs-11.18 and postgresql11-11.18 | postgresql11-libs-11.20 and postgresql11-11.20 | postgresql12-libs-12.12 and postgresql12-12.12 | postgresql12-libs-12.16 and postgresql12-12.16 | Any of the previous ones (except 12.16) | postgresql12-libs-12.16 and postgresql12-12.16 | postgresql13-libs-13.12 and postgresql13-13.12 | postgresql14-libs-14.5 and postgresql14-14.5 |
| Ubuntu 22 | grafana-enterprise_8.5.5_arm64.deb | grafana-enterprise_8.5.6_arm64.deb | grafana-enterprise_9.1.1_arm64.deb | grafana-enterprise_9.2.0_arm64.deb | grafana-enterprise_9.4.17_arm64.deb | Any of the previous ones (except 9.4.17) | grafana-enterprise_9.4.17_arm64.deb | grafana-enterprise_9.5.13_arm64.deb | grafana-enterprise_10.0.0_arm64.deb |

Research:

x64

| System | E2E-VD-3 | E2E-VD-4 | E2E-VD-5 | E2E-VD-6 | E2E-VD-7 | E2E-VD-8 | E2E-VD-9 | E2E-VD-10 | E2E-VD-11 |
|---|---|---|---|---|---|---|---|---|---|
| macOS | node-v17.0.1.pkg | node-v17.1.0.pkg | node-v18.0.0.pkg | node-v18.0.1.pkg | node-v19.5.0.pkg | Any of the previous ones (except 19.5.0) | node-v19.5.0.pkg | node-v19.6.0.pkg | node-v20.0.0.pkg |
| CentOS 7 | NMap 6.46-1 | NMap 6.47-1 | NMap 7.00-1 | NMap 7.70-1 | NMap 7.80-1 | Any of the previous ones (except 7.80-1) | NMap 7.80-1 | NMap 7.90-1 | PostgreSQL 14.9 -> PostgreSQL 15.4 |
| Ubuntu 22 | grafana-enterprise_8.5.5_amd64.deb | grafana-enterprise_8.5.6_amd64.deb | grafana-enterprise_9.1.1_amd64.deb | grafana-enterprise_9.2.0_amd64.deb | grafana-enterprise_9.4.17_amd64.deb | Any of the previous ones (except 9.4.17) | grafana-enterprise_9.4.17_amd64.deb | grafana-enterprise_9.5.13_amd64.deb | grafana-enterprise_10.0.0_amd64.deb |
| Windows 11 | VLC Media Player 3.0.6 | VLC Media Player 3.0.6 -> 3.0.7 | VLC Media Player 3.0.7 -> 3.0.7.1 | VLC Media Player 3.0.7.1 -> 3.0.11 | VLC Media Player 3.0.11 -> 3.0.12 | Any of the previous ones (except 3.0.18) | VLC Media Player 3.0.18 | VLC Media Player 3.0.19 | Nodejs 19.7.0 -> Nodejs v20.0.0 |
| Windows Server 2022 | VLC Media Player 3.0.6 | VLC Media Player 3.0.6 -> 3.0.7 | VLC Media Player 3.0.7 -> 3.0.7.1 | VLC Media Player 3.0.7.1 -> 3.0.11 | VLC Media Player 3.0.11 -> 3.0.12 | Any of the previous ones (except 3.0.18) | VLC Media Player 3.0.18 | VLC Media Player 3.0.19 | Nodejs 19.7.0 -> Nodejs v20.0.0 |

Research:

@wazuhci wazuhci moved this from Pending review to In progress in Release 4.8.0 Nov 13, 2023
@wazuhci wazuhci moved this from In progress to In review in Release 4.8.0 Nov 13, 2023
@Deblintrake09
Contributor Author

LGTM! Approved!

@wazuhci wazuhci moved this from In review to Pending final review in Release 4.8.0 Nov 13, 2023
@davidjiglesias
Member

LGTM!
