Bug 253946 - glsa-check interprets "revision >= 3.3.8" to include 3.3.8b
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Tools
Hardware: All Linux
Importance: High normal
Assignee: Portage Tools Team
Reported: 2009-01-06 03:27 UTC by Ben Kohler
Modified: 2010-01-05 20:31 UTC
Description Ben Kohler gentoo-dev 2009-01-06 03:27:51 UTC
GLSA 200611-02 includes the following unaffected range:
<unaffected range="rge">3.3.8</unaffected>

which I believe should only include 3.3.8 and all 3.3.8-r*, but glsa-check interprets it to also include 3.3.8b and all 3.3.8b-r*.

The best information I can find about the meaning of 'rge' is in Gentoo's glsa.dtd, which says:

The r* range information is revision-specific. For instance,
rge foo-1.2.3-r4  ==  >=foo-1.2.3-r4 && <foo-1.2.4


Reproducible: Always

Steps to Reproduce:
1. glsa-check -l 200611-02

Actual Results:  
200611-02 [U] Qt: Integer overflow ( x11-libs/qt )

(showing my x11-libs/qt-3.3.8b is unaffected)

Expected Results:  
Should show [N] indicating the package may be affected, since 3.3.8b is not a "revision" of 3.3.8

glsa.dtd with some info about rge in the comments:
http://www.gentoo.org/dtd/glsa.dtd

glsa coordinator guide with some info, but no specifics on 'rge':
http://www.gentoo.org/security/en/coordinator_guide.xml

# emerge --info
Portage 2.1.6.4 (default/linux/amd64/2008.0/desktop, gcc-4.3.2, glibc-2.9_p20081201-r1, 2.6.28 x86_64)                                                                                        
=================================================================                              
System uname: Linux-2.6.28-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T7500_@_2.20GHz-with-glibc2.2.5   
Timestamp of tree: Mon, 05 Jan 2009 23:05:01 +0000                                             
app-shells/bash:     3.2_p48                                                                   
dev-java/java-config: 1.3.7-r1, 2.1.6-r1                                                       
dev-lang/python:     2.5.2-r8                                                                  
dev-util/cmake:      2.6.2-r1                                                                  
sys-apps/baselayout: 2.0.0                                                                     
sys-apps/openrc:     0.4.1-r1                                                                  
sys-apps/sandbox:    1.3.2                                                                     
sys-devel/autoconf:  2.13, 2.63                                                                
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2                                 
sys-devel/binutils:  2.19                                                                      
sys-devel/gcc-config: 1.4.0-r4                                                                 
sys-devel/libtool:   2.2.6a                                                                    
virtual/os-headers:  2.6.28-r1                                                                 
ACCEPT_KEYWORDS="amd64 ~amd64"                                                                 
CBUILD="x86_64-pc-linux-gnu"                                                                   
CFLAGS="-O2 -pipe -march=core2 -fomit-frame-pointer"                                           
CHOST="x86_64-pc-linux-gnu"                                                                    
CONFIG_PROTECT="/etc /usr/share/config"                                                        
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"                                                                                          
CXXFLAGS="-O2 -pipe -march=core2 -fomit-frame-pointer"                                         
DISTDIR="/usr/portage/distfiles"                                                               
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
LINGUAS="en_US"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa amd64 berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode evo fam firefox fortran gdbm gif gnome gpm gstreamergtk hal iconv ipv6 isdnlog jpeg kde ldap libnotify mad midi mikmod mmx mp3 mpeg mudflap multilib ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session spell spl sse sse2 ssl ssse3 startup-notification svg sysfs tcpd theora tiff truetype unicode usb vorbis x264 xml xorg xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shmsoftvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_US" USERLAND="GNU" VIDEO_CARDS="i810 vesa"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 1 Ben Kohler gentoo-dev 2009-01-14 19:43:42 UTC
Another example I noticed today, kde-base/kdelibs-3.5.10-r2 and glsa 200804-30:

  <affected>
    <package name="kde-base/kdelibs" auto="yes" arch="*">
      <unaffected range="rge">3.5.8-r4</unaffected>
      <unaffected range="rge">3.5.9-r3</unaffected>
      <unaffected range="gt">4.0</unaffected>
      <unaffected range="lt">3.5.5</unaffected>
      <vulnerable range="lt">4.0</vulnerable>
    </package>
  </affected>

As far as I can tell, ~kde-base/kdelibs-3.5.10 is not included in any of the "unaffected" ranges, yet glsa-check is saying that 3.5.10-r2 is unaffected:
-------------
# glsa-check -t 200804-30
This system is not affected by any of the listed GLSAs
# emerge -pv kdelibs:3.5

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] kde-base/kdelibs-3.5.10-r2  USE="acl alsa branding cups fam spell tiff -arts avahi -bindist -debug -doc -jpeg2k -kdehiddenvisibility -kerberos -legacyssl -lua -openexr -utempter" 0 kB [?=>0]

Total: 1 package (1 reinstall), Size of downloads: 0 kB
Portage tree and overlays:
 [0] /usr/portage
 [?] indicates that the source repository could not be determined
# 
Comment 2 Ben Kohler gentoo-dev 2009-01-16 00:53:39 UTC
Another problem glsa:

dev-java/sun-jdk-1.5.0.17 is showing unaffected by glsa 200804-20, which lists in affected:

    <package name="dev-java/sun-jdk" auto="yes" arch="*">
      <unaffected range="ge">1.6.0.05</unaffected>
      <unaffected range="rge">1.5.0.16</unaffected>
      <unaffected range="rge">1.5.0.15</unaffected>
      <unaffected range="rge">1.4.2.17</unaffected>
      <vulnerable range="lt">1.6.0.05</vulnerable>
    </package>
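
Added example (not Portage's or glsa-check's code, and not part of any comment in this bug): a small evaluator for the reading of `rge` given in the description (same upstream version, revision greater than or equal), applied to the ranges quoted in the description and in comments 1 and 2. The function names are hypothetical, and the version parser is a simplifying assumption: it handles only dotted numbers, an optional trailing letter and `-rN`, and compares components as integers.

```python
import re

# Simplified Gentoo version: dotted numbers, optional letter, optional -rN.
# Suffixes such as _p1 or _rc2 are not handled in this sketch (assumption).
_VER = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")

def parse(version):
    m = _VER.match(version)
    if m is None:
        raise ValueError("unsupported version: %r" % version)
    nums = tuple(int(n) for n in m.group(1).split("."))
    return (nums, m.group(2)), int(m.group(3) or 0)  # (base, revision)

def in_range(installed, op, bound):
    (base, rev), (bbase, brev) = parse(installed), parse(bound)
    if op.startswith("r"):
        # Revision-specific operator: the upstream version must be identical,
        # and only the -rN part is compared.
        if base != bbase:
            return False
        a, b, op = rev, brev, op[1:]
    else:
        a, b = (base, rev), (bbase, brev)
    return {"lt": a < b, "le": a <= b, "eq": a == b,
            "ge": a >= b, "gt": a > b}[op]

def status(installed, unaffected, vulnerable):
    """Return 'U' (unaffected) or 'N' (may be affected) for one package."""
    if any(in_range(installed, op, v) for op, v in unaffected):
        return "U"
    if any(in_range(installed, op, v) for op, v in vulnerable):
        return "N"
    return "U"

# Ranges copied from the GLSA excerpts quoted in comments 1 and 2.
KDELIBS_200804_30 = dict(
    unaffected=[("rge", "3.5.8-r4"), ("rge", "3.5.9-r3"),
                ("gt", "4.0"), ("lt", "3.5.5")],
    vulnerable=[("lt", "4.0")])
SUN_JDK_200804_20 = dict(
    unaffected=[("ge", "1.6.0.05"), ("rge", "1.5.0.16"),
                ("rge", "1.5.0.15"), ("rge", "1.4.2.17")],
    vulnerable=[("lt", "1.6.0.05")])

if __name__ == "__main__":
    print("qt 3.3.8b in rge 3.3.8:", in_range("3.3.8b", "rge", "3.3.8"))
    print("kdelibs 3.5.10-r2:", status("3.5.10-r2", **KDELIBS_200804_30))
    print("sun-jdk 1.5.0.17:", status("1.5.0.17", **SUN_JDK_200804_20))
```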
Comment 3 Zac Medico gentoo-dev 2009-01-16 03:50:47 UTC
The problem isn't in the operators. It's that glsa.Glsa.isVulnerable() only returns true when glsa.getMinUpgrade() finds an upgrade to solve a given vulnerability.

It will take some time for me to analyze all of the existing glsas, identify the ones that need to be fixed, and fix them. I have to fix those before I release a fixed glsa check, so that users don't experience "false positives".
Comment 4 michael@smith-li.com 2009-01-24 23:32:47 UTC
As far as I can tell, that glsa also contains  <unaffected range="rge">3.3.8b</unaffected>

... do you have another example?
Comment 5 michael@smith-li.com 2009-01-24 23:34:06 UTC
(In reply to comment #4)
> As far as I can tell, that glsa also contains  <unaffected
> range="rge">3.3.8b</unaffected>
> 
> ... do you have another example?
> 

...sigh-- ignore that, I apparently have a bad case of buglag
Comment 6 Zac Medico gentoo-dev 2009-01-27 06:45:20 UTC
It seems that this patch from bug 244803 might solve the issue which is described in comment #3:

http://git.goodpoint.de/?p=glsa-check.git;a=commit;h=e6f26cc02b5207ff33289c20d751a0d4fb1122bc
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-01-27 18:26:19 UTC
(In reply to comment #6)
> It seems that this patch from bug 244803 might solve the issue which is
> described in comment #3:

In fact, it does. However, I don't know if changing that behaviour would have implications for the Portage 2.2 security set. Zac, if you want to review the patches as they are, feel free to. Otherwise, I think they need some polishing with respect to the latest glsa.py in Portage trunk.
Comment 8 Ben Kohler gentoo-dev 2010-01-05 20:31:03 UTC
Closing this, as the "example case" is no longer in portage.  I'll open a new bug if I find another case with a problem.