[Secure-testing-team] Comparing NVD and Debian CVE tracking

Petter Reinholdtsen pere at hungry.com
Fri Jan 28 00:18:07 UTC 2011


As I mentioned on IRC and debian-devel@, I have spent some time
recently trying to set up a framework for comparing the set of
affected packages reported by NVD and the Debian CVE list, and this
work is starting to bring some useful results.

I've created a mapping between Debian source packages and CPE entries
used in the CVE information in NVD.  The result is in the
secure-testing subversion tree, data/CPE/list.  The data is probably
not 100% accurate, but close enough to be useful.

One part of the check is to look in NVD for affected packages
represented by CPEs, and for every CPE also listed as a source package
in Debian, report a warning if the Debian source package is not listed
as affected in data/CVE/list.

The first reported issue informs that
<URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4530 >
lists cpe:/a:muscle:pcsc-lite (Debian source package pcsc-lite) as
affected, but the CVE entry for Debian does not say anything about this
package.  The latter looks like this:

  CVE-2010-4530 (Signedness error in ccid_serial.c in libccid in the
  USB Chip/Smart ...)
	- ccid 1.3.11-2 (unimportant; bug #607780)
	NOTE: CVE requested, http://seclists.org/oss-sec/2010/q4/356
	NOTE: Theoretical attack
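As an added illustration (not the script from the secure-testing tree), here is the check described above written in Python over the data/CVE/list format quoted above. The NVD data, the CPE-to-source mapping and the second CVE entry are constructed stand-ins; the real file format of data/CPE/list is not shown in this mail.

```python
import re
# Constructed data/CVE/list sample: the entry quoted in the mail plus one
# constructed entry (CVE-2010-0001 and bug #000000 are placeholders).
DEBIAN_CVE_LIST = """\
CVE-2010-4530 (Signedness error in ccid_serial.c in libccid in the
  USB Chip/Smart ...)
\t- ccid 1.3.11-2 (unimportant; bug #607780)
\tNOTE: CVE requested, http://seclists.org/oss-sec/2010/q4/356
\tNOTE: Theoretical attack
CVE-2010-0001 (constructed entry)
\t- pcsc-lite 1.5.5-4 (bug #000000)
"""

# Constructed stand-in for NVD: CVE id -> CPE names NVD lists as affected.
NVD_AFFECTED = {
    "CVE-2010-4530": ["cpe:/a:muscle:pcsc-lite", "cpe:/a:example:ccid"],
    "CVE-2010-0001": ["cpe:/a:muscle:pcsc-lite", "cpe:/o:freebsd:freebsd"],
}

# Constructed stand-in for data/CPE/list (real format not shown in the mail).
CPE_TO_SOURCE = {
    "cpe:/a:muscle:pcsc-lite": "pcsc-lite",
    "cpe:/a:example:ccid": "ccid",  # cpe:/a:example:ccid is a placeholder
}
CVE_HEADER = re.compile(r"^(CVE-\d{4}-\d{4,})\b")   # entry starts in column 0
PKG_LINE = re.compile(r"^\s+-\s+(\S+)")             # indented "- <source> ..."


def parse_debian_cve_list(text):
    """Map each CVE id to the set of source packages its entry lists."""
    affected, current = {}, None
    for line in text.splitlines():
        m = CVE_HEADER.match(line)
        if m:
            current = m.group(1)
            affected.setdefault(current, set())
        elif current and (m := PKG_LINE.match(line)):
            affected[current].add(m.group(1))
    return affected


def missing_in_debian(nvd, cpe_map, debian):
    """Warn once per (CVE, CPE) NVD flags whose Debian source package is absent."""
    warnings = []
    for cve in sorted(nvd, reverse=True):
        listed = debian.get(cve, set())
        for cpe in nvd[cve]:
            pkg = cpe_map.get(cpe)  # unmapped CPE: not a Debian source package
            if pkg is not None and pkg not in listed:
                warnings.append(f"warning: {cve} in NVD lists {cpe} (Debian source {pkg}), but data/CVE/list does not.")
    return warnings
```

Running missing_in_debian(NVD_AFFECTED, CPE_TO_SOURCE, parse_debian_cve_list(DEBIAN_CVE_LIST)) yields exactly one warning, for pcsc-lite under CVE-2010-4530, which mirrors the first issue reported above.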

I have not evaluated these issues, and would very much like feedback
on this approach.  I am aware that these issues might be bugs in
either NVD or in the Debian CVE info, and believe the only way to
figure it out is to check each one.

Here is the complete list of such issues for the time period
2011-2008.  There are 93 such issues reported at the moment.

warning: CVE-2010-4530 in NVD is not refering to cpe:/a:muscle:pcsc-lite found in Debian.
warning: CVE-2010-3975 in NVD is not refering to cpe:/a:adobe:flash_player found in Debian.
warning: CVE-2010-3490 in NVD is not refering to cpe:/a:freepbx:freepbx found in Debian.
warning: CVE-2010-3205 in NVD is not refering to cpe:/a:textpattern:textpattern found in Debian.
warning: CVE-2010-3192 in NVD is not refering to cpe:/a:gnu:glibc found in Debian.
warning: CVE-2010-2530 in NVD is not refering to cpe:/o:freebsd:freebsd found in Debian.
warning: CVE-2010-1988 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2010-1987 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2010-1986 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2010-1585 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2010-1516 in NVD is not refering to cpe:/a:swftools:swftools found in Debian.
warning: CVE-2010-1215 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2010-1207 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2010-0378 in NVD is not refering to cpe:/a:adobe:flash_player found in Debian.
warning: CVE-2009-4855 in NVD is not refering to cpe:/a:typo3:typo3 found in Debian.
warning: CVE-2009-4630 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-4130 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-4129 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-4102 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-4066 in NVD is not refering to cpe:/a:drupal:drupal found in Debian.
warning: CVE-2009-3984 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-3983 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-3982 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-3981 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-3980 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-3976 in NVD is not refering to cpe:/a:proftpd:proftpd found in Debian.
warning: CVE-2009-3479 in NVD is not refering to cpe:/a:drupal:drupal found in Debian.
warning: CVE-2009-3156 in NVD is not refering to cpe:/a:drupal:drupal found in Debian.
warning: CVE-2009-3014 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-3010 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-3007 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-2975 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-2696 in NVD is not refering to cpe:/a:apache:tomcat found in Debian.
warning: CVE-2009-2479 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-2478 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-2477 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-2464 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-2409 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-2030 in NVD is not refering to cpe:/a:sun:jdk found in Debian.
warning: CVE-2009-1955 in NVD is not refering to cpe:/a:apache:http_server found in Debian.
warning: CVE-2009-1840 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-1840 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-1828 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-1827 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-1690 in NVD is not refering to cpe:/a:google:chrome found in Debian.
warning: CVE-2009-1597 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-1313 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-1312 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-1309 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-1309 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-1308 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-1308 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-1307 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-1306 in NVD is not refering to cpe:/a:mozilla:thunderbird found in Debian.
warning: CVE-2009-1306 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-1047 in NVD is not refering to cpe:/a:drupal:drupal found in Debian.
warning: CVE-2009-1044 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-0733 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-0733 in NVD is not refering to cpe:/a:gimp:gimp found in Debian.
warning: CVE-2009-0723 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-0723 in NVD is not refering to cpe:/a:gimp:gimp found in Debian.
warning: CVE-2009-0689 in NVD is not refering to cpe:/a:mozilla:seamonkey found in Debian.
warning: CVE-2009-0581 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2009-0581 in NVD is not refering to cpe:/a:gimp:gimp found in Debian.
warning: CVE-2009-0253 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2008-6699 in NVD is not refering to cpe:/a:typo3:typo3 found in Debian.
warning: CVE-2008-5915 in NVD is not refering to cpe:/a:google:chrome found in Debian.
warning: CVE-2008-4724 in NVD is not refering to cpe:/a:google:chrome found in Debian.
warning: CVE-2008-4395 in NVD is not refering to cpe:/o:linux:kernel found in Debian.
warning: CVE-2008-4247 in NVD is not refering to cpe:/o:freebsd:freebsd found in Debian.
warning: CVE-2008-4226 in NVD is not refering to cpe:/a:xmlsoft:libxml found in Debian.
warning: CVE-2008-4225 in NVD is not refering to cpe:/a:xmlsoft:libxml found in Debian.
warning: CVE-2008-4120 in NVD is not refering to cpe:/a:flatpress:flatpress found in Debian.
warning: CVE-2008-3873 in NVD is not refering to cpe:/a:adobe:flash_player found in Debian.
warning: CVE-2008-2579 in NVD is not refering to cpe:/a:apache:http_server found in Debian.
warning: CVE-2008-2464 in NVD is not refering to cpe:/o:freebsd:freebsd found in Debian.
warning: CVE-2008-2452 in NVD is not refering to cpe:/a:typo3:typo3 found in Debian.
warning: CVE-2008-2451 in NVD is not refering to cpe:/a:typo3:typo3 found in Debian.
warning: CVE-2008-2450 in NVD is not refering to cpe:/a:typo3:typo3 found in Debian.
warning: CVE-2008-2419 in NVD is not refering to cpe:/a:mozilla:firefox found in Debian.
warning: CVE-2008-2182 in NVD is not refering to cpe:/a:typo3:typo3 found in Debian.
warning: CVE-2008-1810 in NVD is not refering to cpe:/a:sap:maxdb found in Debian.
warning: CVE-2008-0732 in NVD is not refering to cpe:/a:apache:geronimo found in Debian.
warning: CVE-2008-0646 in NVD is not refering to cpe:/a:rasterbar_software:libtorrent found in Debian.
warning: CVE-2008-0618 in NVD is not refering to cpe:/a:wordpress:wordpress found in Debian.
warning: CVE-2008-0617 in NVD is not refering to cpe:/a:wordpress:wordpress found in Debian.
warning: CVE-2008-0616 in NVD is not refering to cpe:/a:wordpress:wordpress found in Debian.
warning: CVE-2008-0615 in NVD is not refering to cpe:/a:wordpress:wordpress found in Debian.
warning: CVE-2008-0491 in NVD is not refering to cpe:/a:wordpress:wordpress found in Debian.
warning: CVE-2008-0462 in NVD is not refering to cpe:/a:drupal:drupal found in Debian.
warning: CVE-2008-0358 in NVD is not refering to cpe:/a:pixelpost:pixelpost found in Debian.
warning: CVE-2008-0238 in NVD is not refering to cpe:/a:xine:xine-lib found in Debian.
warning: CVE-2008-0198 in NVD is not refering to cpe:/a:wordpress:wordpress found in Debian.

Happy hacking,
-- 
Petter Reinholdtsen
