Bug 551482 - glsa-check false-alarms on Python 2.7.10
Summary: glsa-check false-alarms on Python 2.7.10
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Misc
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-08 08:05 UTC by Tobias Klausmann (RETIRED)
Modified: 2019-03-21 09:17 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Tobias Klausmann (RETIRED) gentoo-dev 2015-06-08 08:05:40 UTC
$ glsa-check -l affected
201401-04 [N] Python: Multiple vulnerabilities ( dev-lang/python )
201503-10 [N] Python: Multiple vulnerabilities ( dev-lang/python )
$ glsa-check --print 201401-04
GLSA 201401-04: Python: Multiple vulnerabilities
============================================================================
Synopsis:          Multiple vulnerabilities have been found in Python, the
                   worst of which allow remote attackers to cause a Denial
                   of Service condition.
Announced on:      January 06, 2014
Last revised on:   July 07, 2014 : 04

Affected package:  dev-lang/python
Affected archs:    All
Vulnerable:        <3.3.2-r1
Unaffected:        >=~3.2.5-r1, >=~2.6.8, >=~2.7.3-r1, >=3.3.2-r1, >=~2.6.9, >=~2.7.4, >=~2.7.5, >=~2.7.6, >=~2.7.7, >=~2.7.8, >=~2.7.9


Related bugs:      325593, 355927, 358663, 396329, 403437, 469988
[...]

The system only has 2.7.10 and 3.4.3 installed.

To me this looks like glsa-check erroneously believes that 2.7.10 < 2.7.9, maybe because it does string-sort/-comparison instead of looking at version components.

The second GLSA above (201503-10) exhibits the same symptoms, with these version markers:

Vulnerable:        <3.3.5-r1
Unaffected:        >=3.3.5-r1, >=~2.7.9-r1
Comment 1 Neil Bothwick 2015-06-10 14:50:01 UTC
I see the same here.

% glsa-check -t all
This system is affected by the following GLSAs:
201401-04
201503-10


% qlist -ICve python
dev-lang/python-2.7.10
dev-lang/python-3.3.5-r1
dev-lang/python-3.4.3
Comment 2 Paul Varner (RETIRED) gentoo-dev 2015-06-16 15:31:33 UTC
I was investigating glsa-check to make sure that it did not have a bug with these GLSAs and it does not.

The GLSAs need to be updated to account for 2.7.10, since the current GLSAs are using the "rge" range operator for the 2.7.9 versions of python, which states that 2.7.10 is vulnerable when it is not.
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-17 19:38:06 UTC
This is another instance of the current GLSA format not properly supporting SLOTs. I have just added a few more unaffected versions (up to Python 2.7.15) which will hopefully fix this for quite some time.
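The two comments above describe the mechanism behind the false alarm: glsa-check compares versions correctly, but an "rge" (revision-greater-or-equal, printed as >=~) range only covers revisions of the one base version it names, so a range like >=~2.7.9-r1 says nothing about 2.7.10, which then falls into the vulnerable range <3.3.5-r1. The following is an added example, not gentoolkit's glsa-check code: a small reimplementation of the range evaluation, run over the ranges printed in this report, first as the 2015 GLSA had them, then with the extra per-version rge entries comment 3 added (a reconstruction; the real list ran up to 2.7.15), then in an assumed slot-aware form like the one comment 5's fix relies on. The version parser only handles dotted integers plus an optional -rN revision, and the installed package lists are constructed from the report (the 3.6.8 install in the 2019 set is invented for illustration).

```python
import re

# Added example, not gentoolkit's code.  Assumption: versions are dotted
# integers with an optional -rN revision (real PMS versions also allow letter
# and _suffix parts, which glsa-check handles via portage and this does not).
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(v):
    """Split '2.7.9-r1' into ((2, 7, 9), 1); a missing revision is r0."""
    m = _VER_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def compare(a, b):
    """Component-wise numeric comparison returning -1, 0 or 1.  Tuples compare
    element by element, so (2, 7, 10) > (2, 7, 9); a plain string comparison
    ('2.7.10' < '2.7.9') would get this wrong, which is the reporter's guess."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)


def in_range(op, installed, bound):
    """Evaluate one GLSA range operator.

    ge/gt/le/lt/eq compare whole versions.  The 'r' forms (rge, rgt, rle, rlt;
    printed by glsa-check as >=~, >~, <=~, <~) are restricted to the same base
    version and compare only the revision: 'rge 2.7.9' covers 2.7.9 and
    2.7.9-r1 but says nothing at all about 2.7.10.
    """
    if op.startswith("r"):
        if parse_version(installed)[0] != parse_version(bound)[0]:
            return False
        op = op[1:]
    c = compare(installed, bound)
    return {"eq": c == 0, "lt": c < 0, "le": c <= 0, "gt": c > 0, "ge": c >= 0}[op]


def is_affected(installed, slot, vulnerable, unaffected):
    """installed: version string; slot: SLOT of that install, e.g. '2.7'.
    vulnerable/unaffected: lists of (op, version, slot_or_None).  A range that
    carries a slot applies only to installs in that slot; a range without one
    applies to every slot, which is what comment 3 means by the format not
    supporting SLOTs.  Affected = some vulnerable range matches and no
    unaffected range does."""
    def applies(rng):
        op, bound, rslot = rng
        return (rslot is None or rslot == slot) and in_range(op, installed, bound)
    return any(map(applies, vulnerable)) and not any(map(applies, unaffected))


# Ranges exactly as GLSA 201503-10 was printed in the report.
GLSA_201503_10 = {
    "vulnerable": [("lt", "3.3.5-r1", None)],
    "unaffected": [("ge", "3.3.5-r1", None), ("rge", "2.7.9-r1", None)],
}

# Comment 3's workaround, reconstructed: enumerate further 2.7.x as rge entries.
GLSA_WITH_ENUMERATED_27 = {
    "vulnerable": GLSA_201503_10["vulnerable"],
    "unaffected": GLSA_201503_10["unaffected"]
    + [("rge", f"2.7.{n}", None) for n in range(10, 16)],
}

# Assumed slot-aware form (not the published GLSA text): each range is scoped
# to a SLOT, so one ge range covers every later 2.7.x release.
GLSA_SLOTTED = {
    "vulnerable": [("lt", "3.3.5-r1", "3.3"), ("lt", "2.7.9-r1", "2.7")],
    "unaffected": [("ge", "3.3.5-r1", "3.3"), ("ge", "2.7.9-r1", "2.7")],
}


def check_system(glsa, installed):
    """installed: list of (version, slot).  Returns the versions that would
    be reported as affected."""
    return [v for v, s in installed
            if is_affected(v, s, glsa["vulnerable"], glsa["unaffected"])]


# Constructed from the report: the 2015 install set from comment 1, and the
# 2.7.16 from comment 4 (the 3.6.8 beside it is invented for illustration).
SYSTEM_2015 = [("2.7.10", "2.7"), ("3.3.5-r1", "3.3"), ("3.4.3", "3.4")]
SYSTEM_2019 = [("2.7.16", "2.7"), ("3.6.8", "3.6")]

if __name__ == "__main__":
    print("2015 GLSA, 2015 system:", check_system(GLSA_201503_10, SYSTEM_2015))
    print("enumerated GLSA, 2019 :", check_system(GLSA_WITH_ENUMERATED_27, SYSTEM_2019))
    print("slotted GLSA, 2019    :", check_system(GLSA_SLOTTED, SYSTEM_2019))
```

Run as written, the first line reports 2.7.10 (the false alarm in the report), the second reports 2.7.16 (comment 4: the enumerated rge entries ran out), and the third reports nothing, because the slot-scoped ge range keeps covering new 2.7.x releases without the GLSA being edited again.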
Comment 4 Neil Bothwick 2019-03-15 08:43:51 UTC
That time is up as glsa-check is now reporting a problem with python-2.7.16
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-03-20 18:02:39 UTC
(In reply to Neil Bothwick from comment #4)
> That time is up as glsa-check is now reporting a problem with python-2.7.16

Fixed now.  Missing slot on the GLSA.
Comment 6 Neil Bothwick 2019-03-21 09:17:11 UTC
Thanks, ignoring GLSAs makes me nervous.