Bug 228911 - Multiple GLSAs contain wrong package versions
Summary: Multiple GLSAs contain wrong package versions
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on: 106677
Blocks:
Reported: 2008-06-22 15:43 UTC by Krzysztof Pawlik (RETIRED)
Modified: 2008-07-16 15:29 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Krzysztof Pawlik (RETIRED) gentoo-dev 2008-06-22 15:43:51 UTC
I have the following package installed:

 dev-java/sun-jdk
    selected: 1.4.2.17 1.5.0.15 1.6.0.06

The glsa-check tool shows that the system is affected by 3 GLSAs:

200705-23 [N] Sun JDK/JRE: Multiple vulnerabilities ( dev-java/sun-jre-bin  dev-java/sun-jdk )
200702-07 [N] Sun JDK/JRE: Execution of arbitrary code ( dev-java/sun-jre-bin  dev-java/sun-jdk )
200701-15 [N] Sun JDK/JRE: Multiple vulnerabilities ( dev-java/sun-jre-bin  dev-java/sun-jdk )

All 3 of them contain similar package versions:

  <affected>
    <package name="dev-java/sun-jdk" auto="yes" arch="*">
      <unaffected range="ge">1.5.0.11</unaffected>
      <unaffected range="rge">1.4.2.14</unaffected>
      <unaffected range="rge">1.4.2.15</unaffected>
      <vulnerable range="lt">1.5.0.11</vulnerable>
    </package>
  ...
  </affected>

<unaffected> doesn't contain JDKs >1.4.2.15, so .16 and .17 are considered vulnerable, as the GLSA DTD says:

The r* range information is revision-specific. For instance,
rge foo-1.2.3-r4  ==  >=foo-1.2.3-r4 && <foo-1.2.4

I propose small change to <package> tag: adding slot attribute to denote SLOT (with default value of "0"), that way it would be possible to create entries like:

  <affected>
    <package name="dev-java/sun-jdk" slot="1.4" auto="yes" arch="*">
      <unaffected range="ge">1.4.2.14</unaffected>
      <vulnerable range="lt">1.4.2.14</vulnerable>
    </package>
    <package name="dev-java/sun-jdk" slot="1.5" auto="yes" arch="*">
      <unaffected range="ge">1.5.0.11</unaffected>
      <vulnerable range="lt">1.5.0.11</vulnerable>
    </package>
  ...
  </affected>
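To make the range semantics concrete, here is an added example (not part of the bug report and not gentoolkit's glsa-check code) that evaluates both <affected> blocks above against the reporter's installed versions. It implements the ge/lt/eq ranges and the revision-specific r* variants exactly as the quoted DTD comment defines them (rge X means >= X and the same version with only the -rN revision allowed to differ), and approximates glsa-check's rule that an installed version is affected when it falls in a <vulnerable> range and in no <unaffected> range. The slot each installed JDK lives in, the treatment of a slot-less <package> as applying to every installed version, and the simplified integer-only version comparison (real glsa-check uses portage's vercmp) are all assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the installed sun-jdk versions from the report, paired with
# the Java SLOT each one lives in (an assumption; the bug lists only versions).
INSTALLED = [("1.4.2.17", "1.4"), ("1.5.0.15", "1.5"), ("1.6.0.06", "1.6")]

# The <affected> block as it appears in the three GLSAs (from the report).
ORIGINAL_GLSA = """<affected>
  <package name="dev-java/sun-jdk" auto="yes" arch="*">
    <unaffected range="ge">1.5.0.11</unaffected>
    <unaffected range="rge">1.4.2.14</unaffected>
    <unaffected range="rge">1.4.2.15</unaffected>
    <vulnerable range="lt">1.5.0.11</vulnerable>
  </package>
</affected>"""

# The slot-aware form proposed in the report.
SLOTTED_GLSA = """<affected>
  <package name="dev-java/sun-jdk" slot="1.4" auto="yes" arch="*">
    <unaffected range="ge">1.4.2.14</unaffected>
    <vulnerable range="lt">1.4.2.14</vulnerable>
  </package>
  <package name="dev-java/sun-jdk" slot="1.5" auto="yes" arch="*">
    <unaffected range="ge">1.5.0.11</unaffected>
    <vulnerable range="lt">1.5.0.11</vulnerable>
  </package>
</affected>"""


def parse_version(v):
    """Split '1.4.2.14-r2' into ((1, 4, 2, 14), 2).

    Simplification: components are compared as integers; portage's vercmp
    handles letters, suffixes and leading zeros, which is not needed here.
    """
    base, _, rev = v.partition("-r")
    return tuple(int(p) for p in base.split(".")), (int(rev) if rev else 0)


def in_range(installed, rng, ref):
    """Does `installed` satisfy a GLSA range (ge, gt, le, lt, eq or their r* forms)?

    Per the DTD comment: rge X == >=X && <(next version of X), i.e. the
    installed version must share X's base version and differ only in -rN.
    """
    iv, rv = parse_version(installed), parse_version(ref)
    if rng.startswith("r"):
        if iv[0] != rv[0]:          # different base version: r* never matches
            return False
        rng = rng[1:]
    return {"ge": iv >= rv, "gt": iv > rv, "le": iv <= rv,
            "lt": iv < rv, "eq": iv == rv}[rng]


def affected_versions(affected_xml, installed, package="dev-java/sun-jdk"):
    """Return the installed versions an <affected> block flags as vulnerable.

    A version is affected when it matches some <vulnerable> range and no
    <unaffected> range (approximating glsa-check). A <package> without a slot
    attribute is checked against every installed version, as today; one with
    a slot attribute is checked only against versions in that slot (assumed
    semantics for the proposal).
    """
    root = ET.fromstring(affected_xml)
    hits = []
    for version, slot in installed:
        vulnerable = unaffected = False
        for pkg in root.findall("package"):
            if pkg.get("name") != package:
                continue
            if pkg.get("slot") is not None and pkg.get("slot") != slot:
                continue
            for el in pkg:
                if in_range(version, el.get("range"), el.text.strip()):
                    if el.tag == "vulnerable":
                        vulnerable = True
                    elif el.tag == "unaffected":
                        unaffected = True
        if vulnerable and not unaffected:
            hits.append(version)
    return hits


if __name__ == "__main__":
    print("original GLSA flags:", affected_versions(ORIGINAL_GLSA, INSTALLED))
    print("slot-aware GLSA flags:", affected_versions(SLOTTED_GLSA, INSTALLED))
```

Run against the original block, 1.4.2.17 is reported as affected because `rge 1.4.2.15` stops at 1.4.2.15-r*, while the slot-aware block clears all three installed JDKs; it also shows why the fix that was actually applied (adding the newer 1.4.2.x versions as further `rge` entries) works but has to be repeated for every new 1.4 release.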
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-06 22:30:19 UTC
GLSA slot dependencies are being discussed in bug 106677. We need to update the old GLSAs to reflect the new versions still :-(
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-16 15:29:14 UTC
Updated all three GLSAs, thanks for the report. Please reopen if I missed something.

Let's just hope we can get slot support soon.