[Plugins-writers] False positive on Fedora (and other?) RPM checks

From: Jason Haar (Jason.Haar@private)
Date: Tue Oct 11 2005 - 16:33:50 PDT


I'm getting quite a few FPs on our Squid install from the likes of
fedora_2004-338.nasl, etc.

They claim a Squid install is vulnerable, but we are running the latest
and I think the RPM version checking is to blame.

It has

if ( rpm_check( reference:"squid-2.5.STABLE5-4.fc2.2", release:"FC2") )
{
 security_hole(0);
 exit(0);
}
#otherwise vuln

Which I guess means if we are *exactly* running
squid-2.5.STABLE5-4.fc2.2, then we're OK, but as we're running
squid-2.5.STABLE9-1.FC2.2 (rather a lot newer) - we must be vulnerable?

Shouldn't such checks be extracting the version numbers out of the rpm
filenames, and then doing a simple "<" check instead? e.g. like is done
in AV pattern file number checks.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
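
The ordered comparison the message asks for, as an added example that is not part of the original post and is not Nessus's rpm_check code. It follows rpm's segment-wise ordering in simplified form (assumptions: no epoch, no "~" handling, names split on the last two hyphens); all function names are hypothetical.

```python
import re

def split_nvr(pkg):
    """Split 'name-version-release' on the last two hyphens."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def segments(s):
    """Break a version or release string into runs of digits or letters."""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)

def vercmp(a, b):
    """Return -1, 0 or 1 using rpm-style segment rules (simplified)."""
    sa, sb = segments(a), segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_older(installed, fixed):
    """True only when the installed package sorts before the fixed one."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError("different packages: %s vs %s" % (n1, n2))
    # Version decides first; release is the tie-breaker.
    return (vercmp(v1, v2) or vercmp(r1, r2)) < 0

if __name__ == "__main__":
    fixed = "squid-2.5.STABLE5-4.fc2.2"          # reference from the plugin
    for installed in ("squid-2.5.STABLE9-1.FC2.2",   # package from the message
                      "squid-2.5.STABLE3-2.fc2.1"):  # constructed older package
        verdict = "flag" if is_older(installed, fixed) else "ok"
        print(installed, verdict)
```

Comparing digit runs as integers is what keeps STABLE10 sorting after STABLE9, which a plain string "<" would get wrong.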
