Distributions backport security fixes without bumping the upstream OpenSSH version, so a banner like "OpenSSH_9.2p1 Debian-2+deb12u3" was wrongly flagged for regreSSHion despite carrying the fix. Thread the banner vendor comment into analyseBannerVulns and add a per-CVE VendorFixes table recording the earliest patched package revision per distro/upstream version. Revisions are compared with a faithful port of dpkg's verrevcmp ordering. Populated for CVE-2024-6387 from DSA-5724-1 (Debian) and USN-6859-1 (Ubuntu).
92 lines
3.2 KiB
Go
92 lines
3.2 KiB
Go
// This file is part of the happyDomain (R) project.
|
|
// Copyright (c) 2020-2026 happyDomain
|
|
// Authors: Pierre-Olivier Mercier, et al.
|
|
//
|
|
// This program is offered under a commercial and under the AGPL license.
|
|
// For commercial licensing, contact us at <contact@happydomain.org>.
|
|
//
|
|
// For AGPL licensing:
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
package checker
|
|
|
|
import "testing"
|
|
|
|
func hasIssue(issues []Issue, code string) bool {
|
|
for _, i := range issues {
|
|
if i.Code == code {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func TestVendorFixSuppressesRegreSSHion(t *testing.T) {
|
|
const code = "cve_2024_6387_regreSSHion"
|
|
cases := []struct {
|
|
name string
|
|
soft string
|
|
vendor string
|
|
flagged bool
|
|
}{
|
|
// Vanilla upstream in the affected window: must flag.
|
|
{"upstream 9.2p1", "OpenSSH_9.2p1", "", true},
|
|
// Debian bookworm before / at / after the fix.
|
|
{"debian unpatched", "OpenSSH_9.2p1", "Debian-2+deb12u2", true},
|
|
{"debian patched", "OpenSSH_9.2p1", "Debian-2+deb12u3", false},
|
|
{"debian later point release", "OpenSSH_9.2p1", "Debian-2+deb12u10", false},
|
|
// Ubuntu jammy: numeric ".10" must beat ".2" (dpkg numeric run).
|
|
{"ubuntu jammy unpatched", "OpenSSH_8.9p1", "Ubuntu-3ubuntu0.2", true},
|
|
{"ubuntu jammy patched", "OpenSSH_8.9p1", "Ubuntu-3ubuntu0.10", false},
|
|
// Ubuntu noble.
|
|
{"ubuntu noble patched", "OpenSSH_9.6p1", "Ubuntu-3ubuntu13.3", false},
|
|
{"ubuntu noble unpatched", "OpenSSH_9.6p1", "Ubuntu-3ubuntu13.2", true},
|
|
// A fix recorded for a different upstream version must not apply.
|
|
{"vendor mismatch upstream", "OpenSSH_9.3p1", "Debian-2+deb12u3", true},
|
|
// Not affected at all (below 8.5p1): never flagged regardless.
|
|
{"debian bullseye", "OpenSSH_8.4p1", "Debian-5+deb11u1", false},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
banner := "SSH-2.0-" + tc.soft
|
|
if tc.vendor != "" {
|
|
banner += " " + tc.vendor
|
|
}
|
|
issues := analyseBannerVulns("host:22", banner, tc.soft, tc.vendor)
|
|
if got := hasIssue(issues, code); got != tc.flagged {
|
|
t.Fatalf("regreSSHion flagged=%v, want %v (issues=%v)", got, tc.flagged, issues)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestDpkgVerCmp(t *testing.T) {
|
|
cases := []struct {
|
|
a, b string
|
|
want int // sign
|
|
}{
|
|
{"2+deb12u3", "2+deb12u2", 1},
|
|
{"2+deb12u3", "2+deb12u3", 0},
|
|
{"2+deb12u3", "2+deb12u10", -1},
|
|
{"3ubuntu0.10", "3ubuntu0.2", 1},
|
|
{"3ubuntu13.3", "3ubuntu13.2", 1},
|
|
{"1.0", "1.0~rc1", 1}, // tilde sorts before everything
|
|
}
|
|
for _, tc := range cases {
|
|
got := dpkgVerCmp(tc.a, tc.b)
|
|
if (got > 0) != (tc.want > 0) || (got < 0) != (tc.want < 0) {
|
|
t.Errorf("dpkgVerCmp(%q,%q)=%d, want sign %d", tc.a, tc.b, got, tc.want)
|
|
}
|
|
}
|
|
}
|