Bug 210159 - Glsa-check tries to emerge media-libs/musicbrainz-2.1.4 over and over again (GLSA 200610-09)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2008-02-14 17:13 UTC by Jukka Alasalmi
Modified: 2008-02-14 21:19 UTC
Description Jukka Alasalmi 2008-02-14 17:13:06 UTC
For one reason or another, glsa-check tries to emerge media-libs/musicbrainz-2.1.4 every time I run it, even though I have a version of it installed that should not be vulnerable according to the GLSA that glsa-check mentions.

I have just synchronized the portage database (today) and I have the newest stable version of gentoolkit (0.2.3-r1).

Reproducible: Always

Steps to Reproduce:
1. Synchronize portage (emerge --sync)
2. Install media-libs/musicbrainz-2.1.4
3. Run "glsa-check -f $(glsa-check -t all)", as suggested in Gentoo Security Handbook
4. Repeat step 3
Actual Results:  
GLSA says that there is a vulnerability in musicbrainz, and it wants to install it again:

----
This system is affected by the following GLSAs:
fixing 200610-09
>>> merging media-libs/musicbrainz-2.1.4
...
----

Expected Results:  
Glsa-check should not claim the package to be vulnerable. The page http://www.gentoo.org/security/en/glsa/glsa-200610-09.xml says that versions >= 2.1.4 are unaffected by the said vulnerability. The file /usr/portage/metadata/glsa/glsa-200610-09.xml (pasted in full below) says the same; the relevant part is here:
  <affected>
    <package name="media-libs/musicbrainz" auto="yes" arch="*">
      <unaffected range="ge">2.1.4</unaffected>
      <vulnerable range="lt">2.1.4</vulnerable>
    </package>
   </affected>


Below are the output of emerge --info, and also the glsa file itself.

---=[ emerge --info ]=---

Portage 2.1.4.4 (default-linux/x86/2006.1/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.23-tuxonice-r6 i686)
=================================================================
System uname: 2.6.23-tuxonice-r6 i686 Intel(R) Pentium(R) III Mobile CPU       933MHz
Timestamp of tree: Thu, 14 Feb 2008 11:00:02 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4, 2.5.1-r5
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium3m -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-O2 -march=pentium3m -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://trumpetti.atm.tut.fi/gentoo/ ftp://trumpetti.atm.tut.fi/gentoo/"
LANG="fi_FI.UTF8"
LC_ALL="fi_FI"
LINGUAS="fi"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acpi alsa arts berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dri dvd dvdr emboss encode esd fam firefox fortran gdbm gif glitz gnome gpm gstreamer gtk hal iconv ipv6 isdnlog jack jpeg kde kdeenablefinal kdehiddenvisibility ldap mad midi mikmod mmx mmx2 mp3 mpeg mudflap ncurses nls nptl nptlonly nsplugin ogg omnibook opengl openmp oss pam pcmcia pcre pdf perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sse ssl svg tcpd truetype truetype-fonts type1-fonts unicode vorbis win32codecs wireless x86 xcb xinerama xml xorg xv zlib" ALSA_CARDS="maestro3 usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="access auth auth_dbm auth_anon auth_digest alias file-cache echo charset-lite cache disk-cache mem-cache ext-filter case_filter case-filter-in deflate mime-magic cern-meta expires headers usertrack unique-id proxy proxy-connect proxy-ftp proxy-http info include cgi cgid dav dav-fs vhost-alias speling rewrite log_config logio env setenvif mime status autoindex asis negotiation dir imap actions userdir so filter unique_id authz_host" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse wacom synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="fi" USERLAND="GNU" VIDEO_CARDS="i810 vesa vga"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY


---=[ /usr/portage/metadata/glsa/glsa-200610-09.xml ]=---

<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

<glsa id="200610-09">
  <title>libmusicbrainz: Multiple buffer overflows</title>
  <synopsis>
    Multiple buffer overflows have been found in libmusicbrainz, which could
    lead to a Denial of Service or possibly the execution of arbitrary code.
  </synopsis>
  <product type="ebuild">libmusicbrainz</product>
  <announced>October 22, 2006</announced>
  <revised>October 22, 2006: 01</revised>
  <bug>144089</bug>
  <access>remote</access>
  <affected>
    <package name="media-libs/musicbrainz" auto="yes" arch="*">
      <unaffected range="ge">2.1.4</unaffected>
      <vulnerable range="lt">2.1.4</vulnerable>
    </package>
  </affected>
  <background>
    <p>
    libmusicbrainz is a client library used to access MusicBrainz music
    meta data.
    </p>
  </background>
  <description>
    <p>
    Luigi Auriemma reported a possible buffer overflow in the
    MBHttp::Download function of lib/http.cpp as well as several possible
    buffer overflows in lib/rdfparse.c.
    </p>
  </description>
  <impact type="normal">
    <p>
    A remote attacker could be able to execute arbitrary code or cause
    Denial of Service by making use of an overly long "Location" header in
    an HTTP redirect message from a malicious server or a long URL in
    malicious RDF feeds.
    </p>
  </impact>
  <workaround>
    <p>
    There is no known workaround at this time.
    </p>
  </workaround>
  <resolution>
    <p>
    All libmusicbrainz users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose &quot;&gt;=media-libs/musicbrainz-2.1.4&quot;</code>
  </resolution>
  <references>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4197">CVE-2006-4197</uri>
  </references>
  <metadata tag="requester" timestamp="Wed, 18 Oct 2006 12:31:28 +0000">
    falco
  </metadata>
  <metadata tag="submitter" timestamp="Thu, 19 Oct 2006 20:02:01 +0000">
    vorlon078
  </metadata>
  <metadata tag="bugReady" timestamp="Fri, 20 Oct 2006 14:53:09 +0000">
    DerCorny
  </metadata>
</glsa>
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-14 19:05:13 UTC
Do you have other musicbrainz versions installed? (emerge -Cpv media-libs/musicbrainz)
Comment 2 Jukka Alasalmi 2008-02-14 20:59:42 UTC
That's a good point, I indeed do. I didn't realize that musicbrainz was slotted, too.

I guess the solution is to remove the old version, and do a revdep-rebuild in case there are some programs that are linked against the old version?

Still, shouldn't glsa-check notice this, and at least notify about this, if it's unable to fix the vulnerability? If I hadn't been forced to run the glsa-check again because of a failed package, I would not have noticed that the system is still vulnerable.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-14 21:19:13 UTC
Yes, that is the solution to your situation.

You would probably have noticed it the next time you run glsa-check.

I'll close this one as invalid for now. If you want to post a feature request for glsa-check to support slots, please file another bug.
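
Added example (not part of the bug thread and not gentoolkit's code): a small model of why the system in this report stays affected by GLSA 200610-09. It evaluates the advisory's `<affected>` ranges against every installed version of a slotted package; the installed version `1.1.0`, the helper names and the dotted-numeric version comparison are assumptions made for illustration.

```python
import operator
import xml.etree.ElementTree as ET

# <affected> block copied from glsa-200610-09.xml as quoted in the report.
AFFECTED_XML = """
<affected>
  <package name="media-libs/musicbrainz" auto="yes" arch="*">
    <unaffected range="ge">2.1.4</unaffected>
    <vulnerable range="lt">2.1.4</vulnerable>
  </package>
</affected>
"""

RANGE_OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
             "ge": operator.ge, "gt": operator.gt}

def vkey(version):
    # Simplification: plain dotted numeric versions only (no -rN or _p suffixes).
    return tuple(int(part) for part in version.split("."))

def matches(version, elem):
    return RANGE_OPS[elem.get("range")](vkey(version), vkey(elem.text.strip()))

def vulnerable_installed(affected_xml, installed):
    """Return {package: [installed versions that fall in a vulnerable range]}."""
    result = {}
    for pkg in ET.fromstring(affected_xml).iter("package"):
        name = pkg.get("name")
        hits = []
        for version in installed.get(name, []):
            vuln = any(matches(version, e) for e in pkg.findall("vulnerable"))
            safe = any(matches(version, e) for e in pkg.findall("unaffected"))
            if vuln and not safe:
                hits.append(version)
        if hits:
            result[name] = hits
    return result

def merge_fixed_version(installed, name, version):
    """Model a slotted merge: the new version is added, nothing is removed."""
    updated = dict(installed)
    updated[name] = sorted(set(installed.get(name, [])) | {version}, key=vkey)
    return updated

# Constructed sample: an old slot (version chosen for illustration) next to 2.1.4.
SLOTTED_INSTALL = {"media-libs/musicbrainz": ["1.1.0", "2.1.4"]}
```

Re-merging 2.1.4 leaves the result unchanged, which matches the repeated "fixing 200610-09" output; only removing the old slot clears it.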