Bug 183209 - PostgreSQL false positives
Summary: PostgreSQL false positives
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2007-06-26 05:46 UTC by Christian Gut
Modified: 2007-09-23 00:25 UTC
Description Christian Gut 2007-06-26 05:46:39 UTC
I am experiencing a weird behaviour by glsa-check:

% glsa-check -l affected
[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.

200502-08 [N] PostgreSQL: Multiple vulnerabilities ( dev-db/postgresql )
200502-19 [N] PostgreSQL: Buffer overflows in PL/PgSQL parser ( dev-db/postgresql )
200505-12 [N] PostgreSQL: Multiple vulnerabilities ( dev-db/postgresql )
200607-04 [N] PostgreSQL: SQL injection ( dev-db/postgresql )
200703-15 [N] PostgreSQL: Multiple vulnerabilities ( dev-db/postgresql )

% equery l postgresql
[ Searching for package 'postgresql' in all categories among: ]
 * installed packages
[I--] [  ] dev-db/postgresql-7.4.17 (0)

So from the equery output, I should have a fixed version. But glsa-check says I'm vulnerable to fairly old GLSAs.
Comment 1 Christian Gut 2007-06-26 05:47:20 UTC
Could this have something in common with bug 152081?
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2007-06-26 06:55:45 UTC
> Could this have something in common with bug 152081

Yeah... all below appear bogus:

dev-db/postgresql-7.3.19: vulnerable via glsa(200410-16) ( ver-rev <= 7.4.5-r1 && ver-rev not >= 7.4.5-r2 && not ( ver = 7.3.7 && ver-rev >= 7.3.7-r2 ) && ver not = 7.3.15 && ver not = 7.3.16 && ver not = 7.3.18 ), keywords ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'mips', 'ppc', 'ppc64', 's390', 'sh', 'sparc', 'x86')
dev-db/postgresql-7.3.19: vulnerable via glsa(200607-04) ( ver < 8.0.8 && ver not = 7.4.13 && ver not = 7.4.14 && ver not = 7.4.16 ), keywords ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'mips', 'ppc', 'ppc64', 's390', 'sh', 'sparc', 'x86')
dev-db/postgresql-7.3.19: vulnerable via glsa(200505-12) ( ver-rev < 8.0.2-r1 && ver not = 7.3.10 && ver not = 7.3.15 && ver not = 7.3.16 && ver not = 7.3.18 && not ( ver = 7.4.7 && ver-rev >= 7.4.7-r2 ) && ver not = 7.4.13 && ver not = 7.4.14 && ver not = 7.4.16 && not ( ver = 8.0.1 && ver-rev >= 8.0.1-r3 ) ), keywords ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'mips', 'ppc', 'ppc64', 's390', 'sh', 'sparc', 'x86')
dev-db/postgresql-7.3.19: vulnerable via glsa(200502-08) ( ver < 8.0.1 && ver not = 7.3.10 && ver not = 7.3.15 && ver not = 7.3.16 && ver not = 7.3.18 && ver not = 7.4.7 && ver not = 7.4.13 && ver not = 7.4.14 && ver not = 7.4.16 ), keywords ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'mips', 'ppc', 'ppc64', 's390', 'sh', 'sparc', 'x86')
dev-db/postgresql-7.3.19: vulnerable via glsa(200502-19) ( ver-rev < 8.0.1-r1 && not ( ver = 7.3.9 && ver-rev >= 7.3.9-r1 ) && ver not = 7.3.15 && ver not = 7.3.16 && ver not = 7.3.18 && not ( ver = 7.4.7 && ver-rev >= 7.4.7-r1 ) && ver not = 7.4.13 && ver not = 7.4.14 && ver not = 7.4.16 ), keywords ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'mips', 'ppc', 'ppc64', 's390', 'sh', 'sparc', 'x86')
dev-db/postgresql-7.3.19: vulnerable via glsa(200703-15) ( ver < 8.0.11 && ver not = 7.4.16 && ver not = 7.3.13 ), keywords ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'mips', 'ppc', 'ppc64', 's390', 'sh', 'sparc', 'x86')
dev-db/postgresql-7.4.17: vulnerable via glsa(200607-04) ( ver < 8.0.8 && ver not = 7.4.13 && ver not = 7.4.14 && ver not = 7.4.16 ), keywords ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'mips', 'ppc', 'ppc64', 's390', 'sh', 'sparc', 'x86')
dev-db/postgresql-7.4.17: vulnerable via glsa(200505-12) ( ver-rev < 8.0.2-r1 && ver not = 7.3.10 && ver not = 7.3.15 && ver not = 7.3.16 && ver not = 7.3.18 && not ( ver = 7.4.7 && ver-rev >= 7.4.7-r2 ) && ver not = 7.4.13 && ver not = 7.4.14 && ver not = 7.4.16 && not ( ver = 8.0.1 && ver-rev >= 8.0.1-r3 ) ), keywords ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'mips', 'ppc', 'ppc64', 's390', 'sh', 'sparc', 'x86')
dev-db/postgresql-7.4.17: vulnerable via glsa(200502-08) ( ver < 8.0.1 && ver not = 7.3.10 && ver not = 7.3.15 && ver not = 7.3.16 && ver not = 7.3.18 && ver not = 7.4.7 && ver not = 7.4.13 && ver not = 7.4.14 && ver not = 7.4.16 ), keywords ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'mips', 'ppc', 'ppc64', 's390', 'sh', 'sparc', 'x86')
dev-db/postgresql-7.4.17: vulnerable via glsa(200502-19) ( ver-rev < 8.0.1-r1 && not ( ver = 7.3.9 && ver-rev >= 7.3.9-r1 ) && ver not = 7.3.15 && ver not = 7.3.16 && ver not = 7.3.18 && not ( ver = 7.4.7 && ver-rev >= 7.4.7-r1 ) && ver not = 7.4.13 && ver not = 7.4.14 && ver not = 7.4.16 ), keywords ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'mips', 'ppc', 'ppc64', 's390', 'sh', 'sparc', 'x86')
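
The conditions printed in comment 2, evaluated in an added example (not part of the bug thread and not glsa-check's own code) to show why 7.4.17 is flagged while 7.4.16 is not. Only the three GLSAs whose conditions use plain `ver` comparisons are transcribed; the `stale_exclusion` heuristic and all function names are assumptions of this example.

```python
# Added example: conditions transcribed from the comment 2 output (ver-only GLSAs).
# Each entry: GLSA id -> (bound of "ver <", exact versions listed as "ver not =").
GLSA_RULES = {
    "200502-08": ("8.0.1", ["7.3.10", "7.3.15", "7.3.16", "7.3.18",
                            "7.4.7", "7.4.13", "7.4.14", "7.4.16"]),
    "200607-04": ("8.0.8", ["7.4.13", "7.4.14", "7.4.16"]),
    "200703-15": ("8.0.11", ["7.4.16", "7.3.13"]),
}


def parse(version):
    """Turn '7.4.17' into (7, 4, 17) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def is_flagged(version, glsa_id):
    """Evaluate 'ver < bound && ver not = x && ...' as printed on the page."""
    bound, exclusions = GLSA_RULES[glsa_id]
    v = parse(version)
    return v < parse(bound) and all(v != parse(e) for e in exclusions)


def stale_exclusion(version, glsa_id):
    """Heuristic (an assumption of this example, not glsa-check logic):
    a flagged version is suspicious when an older release of the same
    major.minor branch is explicitly listed as not affected."""
    if not is_flagged(version, glsa_id):
        return False
    v = parse(version)
    _, exclusions = GLSA_RULES[glsa_id]
    return any(parse(e)[:2] == v[:2] and parse(e) < v for e in exclusions)


def triage(version):
    """Map each GLSA id to 'ok', 'flagged' or 'flagged, likely stale exclusion'."""
    result = {}
    for glsa_id in sorted(GLSA_RULES):
        if not is_flagged(version, glsa_id):
            result[glsa_id] = "ok"
        elif stale_exclusion(version, glsa_id):
            result[glsa_id] = "flagged, likely stale exclusion"
        else:
            result[glsa_id] = "flagged"
    return result


if __name__ == "__main__":
    for installed in ("7.4.16", "7.4.17", "7.3.19"):
        print(installed, triage(installed))
```

A plain "flagged" result only means no older release of the same branch is listed as unaffected in that GLSA; it does not confirm the match is genuine.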
Comment 3 Christian Gut 2007-06-26 06:59:46 UTC
But that bug was marked fixed, wasn't it?
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-06-26 07:23:08 UTC
(In reply to comment #3)
> But that bug was marked fixed, wasn't it?

It was fixed at the time it was fixed; as you can see from comment #1, GLSA syntax clearly sucks for cases like this.

Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-26 11:14:31 UTC
Fixed in CVS, should appear in the distfiles soon. Thanks for the report.