First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 64601
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Evgeny Stambulchik <fnevgeny@weizmann.ac.il>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
jaervosz: ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 64601 depends on: Show dependency tree
Bug 64601 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2004-09-19 01:05 0000 
It contains, among others,
    <package name="sys-kernel/gentoo-dev-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7-r7</unaffected>
      <vulnerable range="ge">2.6</vulnerable>
    </package>

And whatever you do, glsa-check will report the system affected.

      <vulnerable range="lt">2.6.7-r7</vulnerable>

corrects this (same for other kernel source flavours).

Reproducible: Always
Steps to Reproduce:

------- Comment #1 From Thierry Carrez (RETIRED) 2004-09-19 14:00:59 0000 ------- 
This is a problem with the GLSA, which is incompatible with the way glsa-check
handles ranges. We'll correct it soon.

------- Comment #2 From Tim Yamin (RETIRED) 2004-09-21 11:10:40 0000 ------- 
This isn't a bug with the GLSA - although this can be changed to "lt" for
gentoo-dev-sources, it cannot for aa and ck sources (and a few others) since
they have 2.4 trees that are /not/ vulnerable and "lt" would pick them up as
such.

Hence, glsa-check should evaluate vulnerable ranges and then subtract
unaffected ranges rather than the current algorithm of doing things and no
false errors should occur. Adding genone to the CC so he can have a look at
this.

------- Comment #3 From Sune Kloppenborg Jeppesen 2004-09-21 13:11:09 0000 ------- 
Plasmaroo this style from the Coordinator Guide should work with glsa-check:

unaffected<=1.2.8-r2 
unaffected>=1.2.10 
affected<1.2.10

------- Comment #4 From Evgeny Stambulchik 2004-09-22 07:53:19 0000 ------- 
glsa-200409-28 has a similar problem (except there is no easy workaround).

    <package name="x11-libs/gtk+" auto="yes" arch="*">
      <unaffected range="ge">2.4.9-r1</unaffected>
      <unaffected range="lt">2.0.0</unaffected>
      <vulnerable range="lt">2.4.9-r1</vulnerable>
    </package>

Here, <vulnerable range="lt">2.4.9-r1</vulnerable> shadows the whole unaffected 1.2 slot.

All in all, it seems the scheme currently used is ambiguos at best. I think each <vulnarable> should have "min" and "max" attributes; then <unaffected> becomes redundant.

------- Comment #5 From Marius Mauch (RETIRED) 2004-09-22 08:19:00 0000 ------- 
Yes, lack of ranges is a known problem, however this won't be changed until
portage itself has proper support for it.

------- Comment #6 From Sune Kloppenborg Jeppesen 2004-09-22 14:10:49 0000 ------- 
Tim will you fix GLSA 200407-12 with my workaround from comment #3?

------- Comment #7 From Thierry Carrez (RETIRED) 2004-09-28 04:53:00 0000 ------- 
Re: comment #4 and comment #5 : 
It's a problem in glsa-check that is being addressed in bug 65664

This bug should only address the issue in 200407-12.

------- Comment #8 From Thierry Carrez (RETIRED) 2004-10-10 05:22:30 0000 ------- 
I fixed GLSA 200407-12 (+ added development-sources fixed version and CAN
reference).

Evgeny: it should work now, please double-check.

------- Comment #9 From inode77 2004-10-11 02:17:37 0000 ------- 
Is solved, doesn't appear anymore.

------- Comment #10 From Thierry Carrez (RETIRED) 2004-10-11 04:47:30 0000 ------- 
Then it's closed :)
First Last Prev Next    No search results available      Search page      Enter new bug