grub related packages reported as vulnerable without a means to fix #81

mattatsi opened this issue Jul 2, 2021 · 3 comments

mattatsi commented Jul 2, 2021

cvescan is reporting the following packages as vulnerable to several CVEs: grub-common, grub-pc, grub-pc-bin, grub2-common. It recommends upgrading each to version 2.04-1ubuntu44.1.2 but no such version exists for those packages.

Full example reproducing what I'm seeing (in a docker container with docker run --rm -it ubuntu:18.04 /bin/bash):

apt-get update -q
apt-get install -y grub-common grub-pc grub-pc-bin grub2-common
apt-get install -y python3-apt python3-pip
apt-get install -y git
git clone https://github.com/canonical/sec-cvescan
pip3 install sec-cvescan/
# cvescan --priority medium
✅ Ubuntu vulnerability database successfully downloaded!
✅ Scan complete!
 
CVE ID          PRIORITY    PACKAGE       FIXED VERSION           REPOSITORY
CVE-2020-14372  medium      grub-common   2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-14372  medium      grub-pc       2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-14372  medium      grub-pc-bin   2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-14372  medium      grub2-common  2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-25632  medium      grub-common   2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-25632  medium      grub-pc       2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-25632  medium      grub-pc-bin   2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-25632  medium      grub2-common  2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-27749  medium      grub-common   2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-27749  medium      grub-pc       2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-27749  medium      grub-pc-bin   2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-27749  medium      grub2-common  2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-27779  medium      grub-common   2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-27779  medium      grub-pc       2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-27779  medium      grub-pc-bin   2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-27779  medium      grub2-common  2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2021-3580   medium      libhogweed4   3.4.1-0ubuntu0.18.04.1  Ubuntu Archive
CVE-2021-3580   medium      libnettle6    3.4.1-0ubuntu0.18.04.1  Ubuntu Archive
CVE-2021-20225  medium      grub-common   2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2021-20225  medium      grub-pc       2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2021-20225  medium      grub-pc-bin   2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2021-20225  medium      grub2-common  2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2021-20233  medium      grub-common   2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2021-20233  medium      grub-pc       2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2021-20233  medium      grub-pc-bin   2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2021-20233  medium      grub2-common  2.04-1ubuntu44.1.2      Ubuntu Archive

Summary
------------------------------------  ----------------
Ubuntu Release                        bionic
Installed Packages                    271
CVE Priority                          medium or higher
Unique Packages Fixable by Patching   6
Unique CVEs Fixable by Patching       7
Vulnerabilities Fixable by Patching   26
Fixes Available by `apt-get upgrade`  26
------------------------------------  ----------------
# apt-cache madison grub-common grub-pc
grub-common | 2.02-2ubuntu8.23 | http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
grub-common | 2.02-2ubuntu8.23 | http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
grub-common | 2.02-2ubuntu8 | http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
   grub-pc | 2.02-2ubuntu8.23 | http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
   grub-pc | 2.02-2ubuntu8.23 | http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
   grub-pc | 2.02-2ubuntu8 | http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
root@233f46abb2c8:/# apt-cache madison grub-common grub-pc grub-pc-bin grub2-common
grub-common | 2.02-2ubuntu8.23 | http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
grub-common | 2.02-2ubuntu8.23 | http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
grub-common | 2.02-2ubuntu8 | http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
   grub-pc | 2.02-2ubuntu8.23 | http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
   grub-pc | 2.02-2ubuntu8.23 | http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
   grub-pc | 2.02-2ubuntu8 | http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
grub-pc-bin | 2.02-2ubuntu8.23 | http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
grub-pc-bin | 2.02-2ubuntu8.23 | http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
grub-pc-bin | 2.02-2ubuntu8 | http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
grub2-common | 2.02-2ubuntu8.23 | http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
grub2-common | 2.02-2ubuntu8.23 | http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
grub2-common | 2.02-2ubuntu8 | http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
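The check a practitioner wants here, before trusting a scanner's "fixable by `apt-get upgrade`" count, is whether the version it names actually exists in the configured archive. The following script is an added example, not part of the issue report or of the cvescan project: it parses the cvescan table and the `apt-cache madison` output pasted above and labels each finding `available` (the archive offers that version or newer), `phantom` (the claimed fix is newer than anything the archive offers) or `unknown` (no madison data for that package). The dpkg version ordering is reimplemented in pure Python so it runs offline; that reimplementation is an assumption of this example, and on a real host `dpkg --compare-versions` or `apt_pkg.version_compare` should be used instead. The sample rows are copied from the bionic output above.

```python
"""Cross-check cvescan 'FIXED VERSION' claims against what apt actually offers.

Added example (not cvescan's or the reporter's code). The dpkg version ordering
is reimplemented here as an assumption so the script runs offline; on a real
host prefer `dpkg --compare-versions` or apt_pkg.version_compare.
"""
import re
from functools import cmp_to_key

# Row of a cvescan report: CVE, priority, package, fixed version (rest ignored).
CVESCAN_RE = re.compile(r"^(CVE-\d{4}-\d+)\s+(\S+)\s+(\S+)\s+(\S+)")
# Row of 'apt-cache madison': package | version | origin
MADISON_RE = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|")


def _order(c):
    # dpkg's character weight: '~' sorts before everything (even end of string),
    # the end-of-string/digit boundary is 0, letters next, other symbols last.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    # Compare an upstream-version or revision string the way dpkg's verrevcmp does:
    # alternate non-digit runs (by character weight) and digit runs (numerically).
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ca = a[ia] if ia < len(a) and not a[ia].isdigit() else ""
            cb = b[ib] if ib < len(b) and not b[ib].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            if ca:
                ia += 1
            if cb:
                ib += 1
        na = nb = ""
        while ia < len(a) and a[ia].isdigit():
            na += a[ia]
            ia += 1
        while ib < len(b) and b[ib].isdigit():
            nb += b[ib]
            ib += 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions` (epoch:upstream-revision)."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def check_fixes(cvescan_output, madison_output):
    """Map (cve, package) -> (claimed fix, status, newest version the archive offers)."""
    offered = {}
    for line in madison_output.splitlines():
        m = MADISON_RE.match(line)
        if m:
            offered.setdefault(m.group(1), set()).add(m.group(2))
    findings = {}
    for line in cvescan_output.splitlines():
        m = CVESCAN_RE.match(line)
        if not m:
            continue
        cve, _priority, pkg, fixed = m.groups()
        versions = offered.get(pkg)
        if not versions:
            findings[(cve, pkg)] = (fixed, "unknown", None)
            continue
        newest = max(versions, key=cmp_to_key(compare_versions))
        status = "available" if compare_versions(newest, fixed) >= 0 else "phantom"
        findings[(cve, pkg)] = (fixed, status, newest)
    return findings


# Constructed sample input: rows copied from the bionic output in the issue.
CVESCAN_SAMPLE = """\
CVE-2020-14372  medium      grub-common   2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2020-14372  medium      grub-pc       2.04-1ubuntu44.1.2      Ubuntu Archive
CVE-2021-3580   medium      libhogweed4   3.4.1-0ubuntu0.18.04.1  Ubuntu Archive
"""
MADISON_SAMPLE = """\
grub-common | 2.02-2ubuntu8.23 | http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
grub-common | 2.02-2ubuntu8 | http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
   grub-pc | 2.02-2ubuntu8.23 | http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
"""

if __name__ == "__main__":
    for (cve, pkg), (fixed, status, newest) in check_fixes(CVESCAN_SAMPLE, MADISON_SAMPLE).items():
        print(f"{cve:15} {pkg:13} claims {fixed:24} archive has {newest or '?':18} -> {status}")
```

On a live host the two inputs come from `cvescan --priority medium` and `apt-cache madison <pkgs>` respectively; a `phantom` row means the scanner's "fixable by patching" count overstates what `apt-get upgrade` can actually deliver, which is exactly the discrepancy reported above.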
@clarsen-007

Hi, same issue on 20.04...

~$ apt-cache madison grub-common grub-pc
grub-common | 2.04-1ubuntu26.12 | http://za.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
grub-common | 2.04-1ubuntu26.12 | http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
grub-common | 2.04-1ubuntu26 | http://za.archive.ubuntu.com/ubuntu focal/main amd64 Packages
grub-pc | 2.04-1ubuntu26.12 | http://za.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
grub-pc | 2.04-1ubuntu26.12 | http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
grub-pc | 2.04-1ubuntu26 | http://za.archive.ubuntu.com/ubuntu focal/main amd64 Packages

~$ sudo cvescan -p all
✅ Ubuntu vulnerability database successfully downloaded!
✅ Scan complete!

CVE ID          PRIORITY    PACKAGE       FIXED VERSION     REPOSITORY
CVE-2020-14372  medium      grub-common   2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-14372  medium      grub-pc       2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-14372  medium      grub-pc-bin   2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-14372  medium      grub2-common  2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-25632  medium      grub-common   2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-25632  medium      grub-pc       2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-25632  medium      grub-pc-bin   2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-25632  medium      grub2-common  2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-27749  medium      grub-common   2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-27749  medium      grub-pc       2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-27749  medium      grub-pc-bin   2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-27749  medium      grub2-common  2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-27779  medium      grub-common   2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-27779  medium      grub-pc       2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-27779  medium      grub-pc-bin   2.04-1ubuntu44.2  Ubuntu Archive
CVE-2020-27779  medium      grub2-common  2.04-1ubuntu44.2  Ubuntu Archive
CVE-2021-20225  medium      grub-common   2.04-1ubuntu44.2  Ubuntu Archive
CVE-2021-20225  medium      grub-pc       2.04-1ubuntu44.2  Ubuntu Archive
CVE-2021-20225  medium      grub-pc-bin   2.04-1ubuntu44.2  Ubuntu Archive
CVE-2021-20225  medium      grub2-common  2.04-1ubuntu44.2  Ubuntu Archive
CVE-2021-20233  medium      grub-common   2.04-1ubuntu44.2  Ubuntu Archive
CVE-2021-20233  medium      grub-pc       2.04-1ubuntu44.2  Ubuntu Archive
CVE-2021-20233  medium      grub-pc-bin   2.04-1ubuntu44.2  Ubuntu Archive
CVE-2021-20233  medium      grub2-common  2.04-1ubuntu44.2  Ubuntu Archive

Summary
------------------------------------  ----------------
Ubuntu Release                        focal
Installed Packages                    1779
CVE Priority                          All
Unique Packages Fixable by Patching   4
Unique CVEs Fixable by Patching       6
Vulnerabilities Fixable by Patching   24
Fixes Available by `apt-get upgrade`  24
------------------------------------  ----------------


~$ sudo apt-get update
Hit:1 http://za.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://za.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://za.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://dl.google.com/linux/chrome/deb stable InRelease
Get:5 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Fetched 114 kB in 1s (76.8 kB/s)
Reading package lists... Done

~$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

@wdoust

wdoust commented Dec 24, 2021

Confirming issue still exists with 20.04 LTS:

grub-common | 2.04-1ubuntu26.13 | http://au.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
grub-common | 2.04-1ubuntu26.12 | http://au.archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
grub-common | 2.04-1ubuntu26 | http://au.archive.ubuntu.com/ubuntu focal/main amd64 Packages
grub-pc | 2.04-1ubuntu26.13 | http://au.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
grub-pc | 2.04-1ubuntu26.12 | http://au.archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
grub-pc | 2.04-1ubuntu26 | http://au.archive.ubuntu.com/ubuntu focal/main amd64 Packages

CVE ID          PRIORITY    PACKAGE       FIXED VERSION     REPOSITORY      URL
CVE-2020-14372  medium      grub-common   2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14372
CVE-2020-14372  medium      grub-pc       2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14372
CVE-2020-14372  medium      grub-pc-bin   2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14372
CVE-2020-14372  medium      grub2-common  2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14372
CVE-2020-25632  medium      grub-common   2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25632
CVE-2020-25632  medium      grub-pc       2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25632
CVE-2020-25632  medium      grub-pc-bin   2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25632
CVE-2020-25632  medium      grub2-common  2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25632
CVE-2020-27749  medium      grub-common   2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-27749
CVE-2020-27749  medium      grub-pc       2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-27749
CVE-2020-27749  medium      grub-pc-bin   2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-27749
CVE-2020-27749  medium      grub2-common  2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-27749
CVE-2020-27779  medium      grub-common   2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-27779
CVE-2020-27779  medium      grub-pc       2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-27779
CVE-2020-27779  medium      grub-pc-bin   2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-27779
CVE-2020-27779  medium      grub2-common  2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2020-27779
CVE-2021-20225  medium      grub-common   2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2021-20225
CVE-2021-20225  medium      grub-pc       2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2021-20225
CVE-2021-20225  medium      grub-pc-bin   2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2021-20225
CVE-2021-20225  medium      grub2-common  2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2021-20225
CVE-2021-20233  medium      grub-common   2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2021-20233
CVE-2021-20233  medium      grub-pc       2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2021-20233
CVE-2021-20233  medium      grub-pc-bin   2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2021-20233
CVE-2021-20233  medium      grub2-common  2.04-1ubuntu44.2  Ubuntu Archive  https://people.canonical.com/~ubuntu-security/cve/CVE-2021-20233

Summary
------------------------------------  ----------------
Ubuntu Release                        focal
Installed Packages                    726
CVE Priority                          All
Unique Packages Fixable by Patching   4
Unique CVEs Fixable by Patching       6
Vulnerabilities Fixable by Patching   24
Fixes Available by `apt-get upgrade`  24
------------------------------------  ----------------

