Ticket
Resolution: Unresolved
Description:
Questions Regarding Source Package Detection for Fixed Vulnerabilities
I have a couple of questions regarding the use of source packages in detecting fixed vulnerabilities.
According to the VEX for CVE-2020-10878, the source package named "perl" is fixed in version "4:5.26.3-419.el8".
{
  "category": "product_name",
  "name": "Red Hat Enterprise Linux AppStream (v. 8)",
  "product": {
    "name": "Red Hat Enterprise Linux AppStream (v. 8)",
    "product_id": "AppStream-8.4.0.GA",
    "product_identification_helper": {
      "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
    }
  }
},
{
  "category": "product_version",
  "name": "perl-4:5.26.3-419.el8.src",
  "product": {
    "name": "perl-4:5.26.3-419.el8.src",
    "product_id": "perl-4:5.26.3-419.el8.src",
    "product_identification_helper": {
      "purl": "pkg:rpm/redhat/perl@5.26.3-419.el8?arch=src&epoch=4"
    }
  }
},
{
  "category": "default_component_of",
  "full_product_name": {
    "name": "perl-4:5.26.3-419.el8.src as a component of Red Hat Enterprise Linux AppStream (v. 8)",
    "product_id": "AppStream-8.4.0.GA:perl-4:5.26.3-419.el8.src"
  },
  "product_reference": "perl-4:5.26.3-419.el8.src",
  "relates_to_product_reference": "AppStream-8.4.0.GA"
},
"product_status": {
  "fixed": [
    ...
    "AppStream-8.4.0.GA:perl-4:5.26.3-419.el8.src",
VEX metadata:
"generator": { "date": "2025-09-12T21:44:54+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.7" } },
https://security.access.redhat.com/data/csaf/v2/vex/2020/cve-2020-10878.json
What concerns me is the epoch of the source package.
On one of my RHEL 8 systems, I checked packages whose source package is perl.
The results showed some packages with epoch 0 and others with epoch 4, as shown below:
$ rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH} %{SOURCERPM}\n" | grep perl-5.26.3-423.el8_10.src.rpm
perl-Errno 0 1.28 423.el8_10 x86_64 perl-5.26.3-423.el8_10.src.rpm
perl-libs 4 5.26.3 423.el8_10 x86_64 perl-5.26.3-423.el8_10.src.rpm
perl-interpreter 4 5.26.3 423.el8_10 x86_64 perl-5.26.3-423.el8_10.src.rpm
The binary package perl has an epoch of 4:
$ sudo dnf install -y perl
$ rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH} %{SOURCERPM}\n" | grep perl-5.26.3-423.el8_10.src.rpm
perl 4 5.26.3 423.el8_10 x86_64 perl-5.26.3-423.el8_10.src.rpm
However, for other packages like vim, the binary package name and the source package name do not always match, which makes it unclear how to determine the correct epoch for the source package:
$ rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH} %{SOURCERPM}\n" | grep vim
vim-minimal 2 8.0.1763 19.el8_6.4 x86_64 vim-8.0.1763-19.el8_6.4.src.rpm
vim-filesystem 2 8.0.1763 19.el8_6.4 noarch vim-8.0.1763-19.el8_6.4.src.rpm
vim-common 2 8.0.1763 19.el8_6.4 x86_64 vim-8.0.1763-19.el8_6.4.src.rpm
vim-enhanced 2 8.0.1763 19.el8_6.4 x86_64 vim-8.0.1763-19.el8_6.4.src.rpm
My Questions:
1. For detecting fixed vulnerabilities, is it not recommended or not possible to rely on source packages?
2. How should the epoch of the source package be determined in such cases?