Bug 222861 - glsa-check -f 200705-23 downgrades unaffected sun-jdk-1.6.0.05
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Reported: 2008-05-19 21:37 UTC by Hannes Erven
Modified: 2008-07-16 14:52 UTC
Description Hannes Erven 2008-05-19 21:37:12 UTC
When applying GLSA advisories on this system, glsa-check attempts to downgrade an unaffected version of sun-jdk:

# glsa-check -p 200705-23
Checking GLSA 200705-23
The following updates will be performed for this GLSA:
     dev-java/sun-jdk-1.5.0.15 (1.6.0.05)

According to glsa-check -d 200705-23, the installed version is not affected by this GLSA:

# glsa-check -d 200705-23
           GLSA 200705-23: 
Sun JDK/JRE: Multiple vulnerabilities           
============================================================================
Synopsis:          Multiple vulnerabilities have been identified in Sun Java
                   Development Kit (JDK) and Java Runtime Environment (JRE).
Announced on:      May 31, 2007
Last revised on:   October 02, 2007: 03

Affected package:  dev-java/sun-jre-bin
Affected archs:    All
Vulnerable:        <1.6.0.01
Unaffected:        >=~1.5.0.11 >=~1.4.2.14 >=1.6.0.01 >=~1.4.2.15 >=~1.5.0.12



Reproducible: Always



Expected Results:  
Since sun-jdk-1.6.0.05 seems to be not affected by the GLSA, glsa-check should not attempt to apply it.
Comment 1 Pascal HERAUD 2008-07-15 15:11:50 UTC
I have the same behaviour with this GLSA on my system, but it occurs with the "200804-20" one.

#glsa-check -p affected
Checking GLSA 200804-20
The following updates will be performed for this GLSA:
     dev-java/sun-jdk-1.6.0.05 (1.5.0.16)

The sun-jdk package is up to date because it is at version 1.5.0.16, while 1.5.0.15 is required by this GLSA:

#emerge -pv "<dev-java/sun-jdk-1.6.0"

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] dev-java/sun-jdk-1.5.0.16  USE="alsa -X -doc -examples -jce (-nsplugin) -odbc" 0 kB

Comment 2 Daniel Nilsson 2008-07-16 06:30:49 UTC
I have a similar issue too. I have the latest amd64-stable sun-jdk 1.5, 1.6 and blackdown 1.4.2. No emul-linux-x86-java. My system should not be affected by the GLSA but still:

# glsa-check -t all
This system is affected by the following GLSAs:
200804-20

Letting glsa-check apply the fix results in an unneeded downgrade:
# glsa-check -p 200804-20
Checking GLSA 200804-20
The following updates will be performed for this GLSA:
     dev-java/sun-jdk-1.6.0.05 (1.6.0.07)

Running any of the emerges suggested by "glsa-check -d" either results in a new package being installed or a reemerge of an installed one (the latest 1.6 in all cases).
Comment 3 Pascal HERAUD 2008-07-16 07:54:44 UTC
I'm also on amd64 arch.
I have no lib sun-jre-bin or emul-linux-x86-java installed.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-16 14:52:59 UTC
I just committed an updated GLSA 200804-20 which adds the 1.5.0.16 versions as unaffected.
Due to bug 106677 we are unfortunately not able to deal with slotted packages in a better way.

I also updated GLSA 200705-23 with the latest versions.
Please reopen the bug when there are any issues left after the updates have propagated to the rsync mirrors and you have resynced your trees.
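
An added example, not part of the bug thread and not glsa-check's own code: a simplified model of how the Vulnerable/Unaffected ranges from the "glsa-check -d 200705-23" listing above classify a version, showing why a newer release in an older slot (1.5.0.16) is flagged until it is listed as unaffected explicitly. Assumptions: ">=~" is treated as a revision-limited range (same upstream version, only the -rN revision is compared), versions are plain dotted numbers with an optional -rN rather than full Portage version syntax, and the function names are hypothetical.

```python
import re

def parse_version(v):
    """Split '1.5.0.16-r2' into ((1, 5, 0, 16), 2); revision defaults to 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version: {v!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def parse_range(spec):
    """Split '>=~1.5.0.11' into ('>=', True, version_tuple, revision)."""
    m = re.fullmatch(r"(<=|>=|<|>|=)(~?)(.+)", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec!r}")
    return (m.group(1), bool(m.group(2))) + parse_version(m.group(3))

def matches(spec, version):
    op, rev_only, want_ver, want_rev = parse_range(spec)
    ver, rev = parse_version(version)
    if rev_only:
        # Assumed semantics: the upstream version must be identical,
        # and only the -rN revision is compared.
        if ver != want_ver:
            return False
        left, right = rev, want_rev
    else:
        left, right = (ver, rev), (want_ver, want_rev)
    return {"<": left < right, "<=": left <= right, "=": left == right,
            ">=": left >= right, ">": left > right}[op]

def is_affected(version, vulnerable, unaffected):
    """Simplified model: hit by a vulnerable range, covered by no unaffected range."""
    return (any(matches(r, version) for r in vulnerable)
            and not any(matches(r, version) for r in unaffected))

# Ranges copied from the "glsa-check -d 200705-23" listing in the description.
VULNERABLE = ["<1.6.0.01"]
UNAFFECTED = [">=~1.5.0.11", ">=~1.4.2.14", ">=1.6.0.01", ">=~1.4.2.15", ">=~1.5.0.12"]

if __name__ == "__main__":
    for v in ("1.6.0.05", "1.5.0.12", "1.5.0.12-r1", "1.5.0.16"):
        state = "affected" if is_affected(v, VULNERABLE, UNAFFECTED) else "not affected"
        print(v, state)
    # Listing the newer 1.5 release explicitly clears the false positive.
    updated = UNAFFECTED + [">=~1.5.0.16"]
    print("1.5.0.16 after update:", is_affected("1.5.0.16", VULNERABLE, updated))
```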