Bug 108578 - glsa-check gives false alarm GLSA 200503-08
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Heinrich Wendel (RETIRED)
Reported: 2005-10-09 03:03 UTC by Richard Hartmann
Modified: 2008-01-04 11:31 UTC
Description Richard Hartmann 2005-10-09 03:03:26 UTC
glsa-check told me that I was affected by 200503-08.
As I had already applied 200502-07 (x11-libs/openmotif-2.1.30-r9),
this is, in my opinion, a false alarm.
 
As in the GLSA itself it says: 
 
[cut] 
 
      GLSA 200503-08: 
OpenMotif, LessTif: New libXpm buffer overflows 
============================================================================ 
Synopsis:          A new vulnerability has been discovered in libXpm, which 
                   is included in OpenMotif and LessTif, that can 
                   potentially lead to remote code execution. 
 
Affected package:  x11-libs/openmotif 
Affected archs:    All 
Vulnerable:        <2.2.3-r3 
Unaffected:        >=2.2.3-r3 >=~2.1.30-r9 
 
[cut] 

Reproducible: Didn't try
Steps to Reproduce:
1. glsa-check -f 200502-07    
2. glsa-check -l    
   
It says that I am affected by GLSA 200503-08.
     
Actual Results:  
It should not have complained about GLSA 200503-08, as GLSA 200502-07 fixed
the problem and the version that was installed is itself not affected by GLSA
200503-08.

Expected Results:  
It shouldn't have told me that I was affected by GLSA 200503-08.

Portage 2.0.51.22-r3 (default-linux/x86/2005.0/2.4, gcc-3.3.2, 
glibc-2.3.4.20040808-r1, 2.6.11-gentoo-r4 i686) 
================================================================= 
System uname: 2.6.11-gentoo-r4 i686 Pentium III (Katmai) 
Gentoo Base System version 1.4.16 
ccache version 2.3 [enabled] 
dev-lang/python:     2.3.4-r1 
sys-apps/sandbox:    1.2.11 
sys-devel/autoconf:  2.13, 2.59-r6 
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1 
sys-devel/binutils:  2.14.90.0.8-r3 
sys-devel/libtool:   1.4.3-r3 
virtual/os-headers:  2.4.22-r1 
ACCEPT_KEYWORDS="x86" 
AUTOCLEAN="yes" 
CBUILD="i686-pc-linux-gnu" 
CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer" 
CHOST="i686-pc-linux-gnu" 
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d" 
CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer" 
DISTDIR="/usr/portage/distfiles" 
FEATURES="autoconfig ccache distlocks sandbox sfperms strict" 
GENTOO_MIRRORS="ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo 
ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo 
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo 
ftp://ftp6.uni-muenster.de/pub/linux/distributions/gentoo" 
LC_ALL="de_DE@euro" 
LINGUAS="de" 
PKGDIR="/usr/portage/packages" 
PORTAGE_TMPDIR="/var/tmp" 
PORTDIR="/usr/portage" 
PORTDIR_OVERLAY="/usr/local/portage" 
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage" 
USE="x86 X alsa apm arts avi bash-completion berkdb bitmap-fonts bonobo cdr 
crypt cups curl eds emboss encode esd fam flac foomaticdb fortran gd gdbm gif 
gnome gpm gstreamer gtk gtk2 gtkhtml guile imlib ipv6 java jpeg junit kde ldap 
libg++ libwww mad mikmod mmx motif mp3 mpeg ncurses nls ogg oggvorbis 
opengloss pam pdflib perl png python qt quicktime readline sdl slang spell sse 
ssl svga tcltk tcpd tiff truetype truetype-fonts type1-fonts vorbis xine xml 
xml2xmms xv zlib linguas_de userland_GNU kernel_linux elibc_glibc" 
Unset:  ASFLAGS, CTARGET, LANG, LDFLAGS, MAKEOPTS
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-09 03:15:40 UTC
Are you sure you don't have an old version installed? Try emerge unmerge -pv  
openmotif. 
Comment 2 Richard Hartmann 2005-10-09 03:21:23 UTC
Oh, you are right.  
 
But why hasn't "openmotif-2.1.30-r4" been removed after "openmotif-2.1.30-r9"
was installed?
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-13 22:39:18 UTC
We leave it up to the maintainer to keep/delete affected versions. 
Comment 4 Richard Hartmann 2005-10-13 23:28:33 UTC
 
Ok, thanks.  
 
Shall I reopen the "bug" or could you forward my request to the responsible 
maintainer? (lanius?) 
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-14 00:10:55 UTC
Reopening for maintainer. 
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-14 00:11:40 UTC
Heinrich, this one is for you.
Comment 7 Heinrich Wendel (RETIRED) gentoo-dev 2006-02-16 07:52:19 UTC
motif-config declares x11-libs/openmotif-2.1.30-r4 as a blocker, so I don't know why it's left on your system; it has to be a Portage bug.
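
The situation worked out in comments 1 and 2, as an added example that is not part of the original thread and is not glsa-check's own code: each installed version is tested separately against the Vulnerable and Unaffected ranges quoted from GLSA 200503-08, so a leftover 2.1.30-r4 keeps the advisory open even though 2.1.30-r9 is installed. Assumptions: `>=~` is read as "same upstream version, revision at least the given one", versions are limited to dotted numbers with an optional -rN, and all function names are hypothetical.

```python
import operator
import re

# Ranges copied from the GLSA 200503-08 excerpt quoted in the report.
VULNERABLE = ["<2.2.3-r3"]
UNAFFECTED = [">=2.2.3-r3", ">=~2.1.30-r9"]

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}


def parse(ver):
    """Split '2.1.30-r9' into ((2, 1, 30), 9); a missing -rN is revision 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version syntax: {ver!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def matches(rng, installed):
    """True if the installed version falls inside one GLSA range string."""
    m = re.fullmatch(r"(<=|>=|<|>|=)(~?)(.+)", rng)
    if not m:
        raise ValueError(f"unsupported range syntax: {rng!r}")
    op, revision_only, ver = m.groups()
    want, have = parse(ver), parse(installed)
    # Assumed meaning of '~': compare revisions of the same upstream version only.
    if revision_only and want[0] != have[0]:
        return False
    return OPS[op](have, want)


def is_affected(installed):
    """Affected = inside a vulnerable range and inside no unaffected range."""
    vulnerable = any(matches(r, installed) for r in VULNERABLE)
    unaffected = any(matches(r, installed) for r in UNAFFECTED)
    return vulnerable and not unaffected


def affected_versions(installed_versions):
    """Return every installed version that still triggers the advisory."""
    return [v for v in installed_versions if is_affected(v)]


if __name__ == "__main__":
    # Constructed input: the two versions the reporter had installed side by side.
    print(affected_versions(["2.1.30-r4", "2.1.30-r9"]))
```

An alert that persists after an upgrade is therefore a prompt to list every installed version of the package, not only the newest one.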