Fixing CVE-2018-6913 + CVE-2018-6797 on Debian GNU/Linux buster

The recently deployed wazuh module to report CVEs on Debian GNU/Linux hosts reported CVE-2018-6913 on a number of hosts where libperl5.24=5.24.1-3+deb9u6 is installed. It was a little surprising because the CVE is both Critical and two years old.

It turns out that this package is a leftover not used by anyone on Debian GNU/Linux buster:

$ apt-cache rdepends libperl5.24
libperl5.24
Reverse Depends:

It can safely be removed to avoid confusion and is harmless because it is not used by anyone.

$ sudo apt-get remove libperl5.24
The following packages will be REMOVED:
  libperl5.24
0 upgraded, 0 newly installed, 1 to remove
1 Like

Should not other potential leftovers be checked and removed? For example using apt-forktracer or deborphan?

I never used deborphan and tried it today on a Debian GNU/Linux buster installed this year.

 (eǝ) debian@icinga-host:~$ deborphan
apt-transport-https
libgnutls-dane0
libnss3
libopts25
libxss1
python-certbot-nginx

I’m sure apt-transport-https is used, although only when ansible runs. libgnutls-dane0 is also seen by apt autoremove and I’m confident it can be removed. But libunbound8 is also seen by autoremove but not by deborphan. I’m slightly confused :slight_smile: Do you use deborphan on a regular basis?

CVE-2018-18928 is found because of libicu57. It is not deinstalled by apt autoremove because php7.0-intl depends on it. However, php7.3 is now used and php7.0* is not used for anything, which apt remove has no way of detecting (nor deborphan). The libicu57 package was deinstalled.

CVE-2018-1126 is found because of libprocps6 on Debian GNU/Linux buster: it can be removed because libprocps7 is installed.

https support has been moved into the apt package in 1.5. apt-transport-https package can be safely removed (https://packages.debian.org/buster/apt-transport-https).

1 Like

Thanks for fixing my false sense of certainty :stuck_out_tongue:

I use apt-forktracer first, then deborphan.

On icinga host apt-forktracer found several packages which are not provided by the current Debian stable anymore:

$ apt-forktracer 
libdns-export162 (1:9.10.3.dfsg.P4-12.3+deb9u5)
manpages-fr (3.65d1p1-1)
php7.0-cli (7.0.33-0+deb9u7)
php7.0-fpm (7.0.33-0+deb9u7)
php7.0-opcache (7.0.33-0+deb9u7)
php7.0 (7.0.33-0+deb9u7)
php7.0-common (7.0.33-0+deb9u7)
gcc-6-base (6.3.0-18+deb9u1)
php7.0-json (7.0.33-0+deb9u7)
libisc-export160 (1:9.10.3.dfsg.P4-12.3+deb9u5)
php7.0-readline (7.0.33-0+deb9u7)
php7.0-xml (7.0.33-0+deb9u7)
libgdbm3 (1.8.3-14)
libcryptsetup4 (2:1.7.3-4)
libunistring0 (0.9.6+really0.9.3-0.1)
liblogging-stdlog0 (1.0.5-2+b2)
libssl1.0.2 (1.0.2u-1~deb9u1)

I guess all these packages should be removed.

Note that I manually removed from this output the following packages: grafana, influxdb, wazuh, icinga.
apt-forktracer can be configured to not display these packages, for example for the icinga packages:

Package: php-icinga
Accept-Origin: debian icinga-buster
Track-Origin: debian icinga-buster
Track-Version: =candidate

Package: icingaweb2-module-monitoring
Accept-Origin: debian icinga-buster
Track-Origin: debian icinga-buster
Track-Version: =candidate

Package: icinga2-bin
Accept-Origin: debian icinga-buster
Track-Origin: debian icinga-buster
Track-Version: 2.12.3-1.buster

Package: icingacli
Accept-Origin: debian icinga-buster
Track-Origin: debian icinga-buster
Track-Version: 2.8.2-1.buster

Package: icingaweb2-common
Accept-Origin: debian icinga-buster
Track-Origin: debian icinga-buster
Track-Version: =candidate

Package: icinga2-ido-mysql
Accept-Origin: debian icinga-buster
Track-Origin: debian icinga-buster
Track-Version: 2.12.3-1.buster

Package: icinga2
Accept-Origin: debian icinga-buster
Track-Origin: debian icinga-buster
Track-Version: 2.12.3-1.buster

Package: icinga2-common
Accept-Origin: debian icinga-buster
Track-Origin: debian icinga-buster
Track-Version: 2.12.3-1.buster

Package: icingaweb2
Accept-Origin: debian icinga-buster
Track-Origin: debian icinga-buster
Track-Version: 2.8.2-1.buster

The apt-forktracer configuration file is quite tedious to do. The non default value for the Track-Version field is only required when a newer version is available and not installed.

1 Like
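Since the configuration above is repetitive, one stanza per package, it can be generated from apt-forktracer's own output. The following is an added example and not part of the thread: it reads "package (version)" lines such as those listed earlier, and for every package matching a shell pattern emits a stanza in the format shown above, with Track-Version defaulting to =candidate (the default the post says suffices unless a newer version is available and not installed). The origin name "debian icinga-buster" and the stanza format come from the thread; the package list used in the sample is constructed, and the assumption that apt-forktracer reads stanzas from files under /etc/apt/forktracer.d/ should be checked against the man page of the installed version.

```shell
#!/bin/sh
# Added example (not from the thread): generate apt-forktracer stanzas for
# packages that are intentionally installed from a non-Debian origin, so
# they no longer show up as "not in Debian stable".

# Print one stanza:  forktracer_stanza PKG ORIGIN [TRACK-VERSION]
# Accept-Origin and Track-Origin are set to the same origin string, as in
# the thread's configuration; Track-Version defaults to =candidate.
forktracer_stanza() {
    printf 'Package: %s\nAccept-Origin: %s\nTrack-Origin: %s\nTrack-Version: %s\n\n' \
        "$1" "$2" "$2" "${3:-=candidate}"
}

# Read apt-forktracer output ("pkg (version)" per line) on stdin and emit a
# stanza for every package whose name matches the shell pattern in $1.
#   apt-forktracer | forktracer_conf_for '*icinga*' 'debian icinga-buster'
forktracer_conf_for() {
    while read -r pkg _ver; do
        case "$pkg" in
            $1) forktracer_stanza "$pkg" "$2" ;;
        esac
    done
}

# Count the stanzas in generated output (used to sanity-check the result).
count_stanzas() {
    grep -c '^Package: '
}

# Constructed sample of apt-forktracer output, including a third-party
# origin (icinga) mixed with genuine leftovers that must NOT be silenced.
SAMPLE_OUTPUT='icinga2 (2.12.3-1.buster)
icingaweb2 (2.8.2-1.buster)
php7.0-cli (7.0.33-0+deb9u7)
libssl1.0.2 (1.0.2u-1~deb9u1)
php-icinga (2.8.2-1.buster)
'
```

Only packages from a known, intentional origin should be silenced this way; the stale php7.0* and libssl1.0.2 entries in the sample are exactly the leftovers the earlier posts removed, and keeping them visible in apt-forktracer output is the point of the tool.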