
Re: Interpreting debsecan output



Hello,

On Fri, Nov 04, 2022 at 01:06:02PM -0400, The Wanderer wrote:
> More relevantly to this thread, the equivalent check with 'apt-cache
> showsrc grub2' (since grub2 is the source-package name for the packages
> named in the CVE mentioned by debsecan, according to the OP) shows 49
> binary packages - no, that's not a typo, one short of fifty. Most of
> them follow the pattern of [name], [name]-bin, and [name]-dbg, but there
> are some outliers.
> 
> If any of those are installed (or possibly even just not purged?) on the
> machine in question, that might explain why debsecan shows the CVE as
> being applicable.

Good idea. Unfortunately that doesn't seem to be what's going on:

(All of the packages named start with "grub")

$ dpkg-query -l 'grub*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name             Version        Architecture Description
+++-================-==============-============-=====================================================
un  grub             <none>         <none>       (no description available)
un  grub-cloud-amd64 <none>         <none>       (no description available)
ii  grub-common      2.06-3~deb11u2 i386         GRand Unified Bootloader (common files)
un  grub-coreboot    <none>         <none>       (no description available)
un  grub-doc         <none>         <none>       (no description available)
un  grub-efi         <none>         <none>       (no description available)
un  grub-efi-amd64   <none>         <none>       (no description available)
un  grub-efi-arm     <none>         <none>       (no description available)
un  grub-efi-arm64   <none>         <none>       (no description available)
un  grub-efi-ia32    <none>         <none>       (no description available)
un  grub-efi-ia64    <none>         <none>       (no description available)
un  grub-emu         <none>         <none>       (no description available)
un  grub-ieee1275    <none>         <none>       (no description available)
un  grub-legacy      <none>         <none>       (no description available)
un  grub-legacy-doc  <none>         <none>       (no description available)
un  grub-linuxbios   <none>         <none>       (no description available)
ii  grub-pc          2.06-3~deb11u2 i386         GRand Unified Bootloader, version 2 (PC/BIOS version)
ii  grub-pc-bin      2.06-3~deb11u2 i386         GRand Unified Bootloader, version 2 (PC/BIOS modules)
un  grub-uboot       <none>         <none>       (no description available)
un  grub-xen         <none>         <none>       (no description available)
un  grub-yeeloong    <none>         <none>       (no description available)
un  grub2            <none>         <none>       (no description available)
ii  grub2-common     2.06-3~deb11u2 i386         GRand Unified Bootloader (common files for version 2)

Maybe I need to file a bug on debsecan just so someone can tell me what
I am missing. 😀

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
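
Added example, not part of the original mail: a shell filter that decodes the status columns of `dpkg-query -l` output like the listing above and keeps only packages that still have something on disk, including the removed-but-not-purged (`rc`) state raised in the quoted message. The function name `present_packages` and the `grub-example` sample row are made up for illustration.

```shell
#!/bin/sh
# Decode `dpkg-query -l` status words: 1st letter = desired action,
# 2nd letter = current state, optional 3rd letter R = reinst-required.

# Reads `dpkg-query -l` output on stdin and prints "name version state"
# for every package whose current state is not "n" (Not installed).
present_packages() {
    awk '
        BEGIN {
            s["i"] = "installed";        s["c"] = "config-files"
            s["U"] = "unpacked";         s["F"] = "half-configured"
            s["H"] = "half-installed";   s["W"] = "triggers-awaited"
            s["t"] = "triggers-pending"
        }
        # Package rows start with a 2-3 letter status word; header lines do not.
        $1 ~ /^[uirph][ncHUFWti][R]?$/ {
            st = substr($1, 2, 1)
            if (st != "n") print $2, $3, s[st]
        }
    '
}

# Constructed sample: rows copied from the listing in the mail, plus one
# made-up "rc" row (grub-example) showing a removed-but-not-purged package.
SAMPLE='||/ Name             Version        Architecture Description
+++-================-==============-============-=====================
un  grub-efi         <none>         <none>       (no description available)
ii  grub-pc          2.06-3~deb11u2 i386         GRand Unified Bootloader, version 2 (PC/BIOS version)
un  grub2            <none>         <none>       (no description available)
ii  grub2-common     2.06-3~deb11u2 i386         GRand Unified Bootloader (common files for version 2)
rc  grub-example     0.0-1          i386         constructed row, not a real package'

printf '%s\n' "$SAMPLE" | present_packages

# On a live system: dpkg-query -l 'grub*' | present_packages
```

Rows marked `un` are names dpkg knows about but has nothing installed for, so they drop out; only `ii` rows and any residual `rc` rows remain to compare against the packages debsecan reports.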

