553542 – GLSA 201408-11,201411-04,201503-03 false positives

Bug 553542 - GLSA 201408-11,201411-04,201503-03 false positives

Summary: GLSA 201408-11,201411-04,201503-03 false positives

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	GLSA Errors (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Duplicates (1):	556208 (view as bug list)
Depends on:
Blocks:

Reported:	2015-06-29 11:35 UTC by Oleg Gawriloff
Modified:	2016-06-16 16:52 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Oleg Gawriloff 2015-06-29 11:35:19 UTC

Unaffected:        >=5.5.16, >=~5.4.32, >=~5.3.29, >=~5.4.34, >=~5.4.35, >=~5.4.36, >=~5.4.37, >=~5.4.38
Unaffected:        >=5.5.21, >=~5.4.37, >=~5.4.38, >=~5.4.39
Unaffected:        >=5.5.18, >=~5.4.34, >=~5.3.29, >=~5.4.36, >=~5.4.37, >=~5.4.38, >=~5.4.39, >=~5.4.35

Now in tree we have stable 5.4.39,5.4.40 and 5.4.41. All of them are not affected but each run glsa-check shows it as affected.


Reproducible: Always

Comment 1 Yury German Gentoo Infrastructure

2015-06-29 20:48:46 UTC

For Versions:
5.4.41
5.5.25-r1 

are going through stabilizaiton.
Bug 549538

For the other versions GLSA is still pending and in the release stage.
We do not mention UNSTABLE versions in GLSA, they are patched as best effort allows as they are considered testing.

Comment 2 Oleg Gawriloff 2015-06-30 08:39:22 UTC

But for 549538 - there is a different GLSA. 5.4.40 and 5.4.41 is stable, why glsa-check is complaining?
gawriloff@falcon-cl3 ~ $ eix -I php
[I] dev-lang/php
     Available versions:
     (5.4)  5.4.39 5.4.40 5.4.41 ~5.4.42
     (5.5)  [m]5.5.22 [m]5.5.23 [m]5.5.24 [m]5.5.25 [m]5.5.25-r1 [m]~5.5.26
     (5.6)  [m]~5.6.7 [m]~5.6.8 [m]5.6.9 [m]~5.6.10
     (7.0)  [M]~7.0.0_alpha1 [M]~7.0.0_alpha2
       {apache2 bcmath berkdb bzip2 calendar cdb cgi cjk +cli crypt +ctype curl curlwrappers debug embed enchant exif +fileinfo +filter firebird flatfile fpm frontbase ftp gd gdbm gmp +hash +iconv imap inifile intl iodbc ipv6 +json kerberos ldap ldap-sasl libedit libmysqlclient mhash mssql mysql mysqli mysqlnd nls oci8-instant-client odbc +opcache pcntl pdo +phar +posix postgres qdbm readline recode selinux +session sharedmem +simplexml snmp soap sockets spell sqlite ssl sybase-ct systemd sysvipc threads tidy +tokenizer truetype unicode vpx wddx +xml xmlreader xmlrpc xmlwriter xpm xslt zip zlib}
     Installed versions:  5.4.41(5.4)(10:34:48 08.06.2015)(apache2 bcmath cli crypt ctype curl filter ftp gd hash iconv imap intl json ldap mhash mssql mysql mysqli odbc pcntl pdo phar posix postgres session sharedmem simplexml soap sockets sqlite ssl sysvipc tidy tokenizer truetype unicode xml xmlreader xmlrpc xmlwriter zip zlib -berkdb -bzip2 -calendar -cdb -cgi -cjk -curlwrappers -debug -embed -enchant -exif -fileinfo -firebird -flatfile -fpm -gdbm -gmp -inifile -iodbc -ipv6 -kerberos -ldap-sasl -libedit -mysqlnd -nls -oci8-instant-client -qdbm -readline -recode -selinux -snmp -spell -sybase-ct -systemd -threads -wddx -xpm -xslt)
     Homepage:            http://php.net/
     Description:         The PHP language runtime engine: CLI, CGI, FPM/FastCGI, Apache2 and embed SAPIs

gawriloff@falcon-cl3 ~ $ glsa-check -l affected
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

201408-11 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
201411-04 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
201503-03 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
gawriloff@falcon-cl3 ~ $

Comment 3 Johann Schmitz (ercpe) (RETIRED) gentoo-dev

2015-07-09 08:13:48 UTC

This is because the three GLSAs lists 

GLSA 201408-11:
Vulnerable:        <5.5.16

GLSA 201411-04:
Vulnerable:        <5.5.18

GLSA 201503-03:
Vulnerable:        <5.5.21

as vulnerable. Thus, every version is marked as affected despite the mention of 5.4 versions in Unaffacted.

So we should add the vulnerable 5.4 versions, probably with slots. The last time i checked, the GLSA XSD did not allow slots in the range specifier though.

Comment 4 Oleg Gawriloff 2015-07-21 11:53:13 UTC

We have dup of this at #550562

Also now we have the same with postgresql GLSA 201507-20: 
Vulnerable:        <9.4.3
Unaffected:        >=~9.0.21, >=~9.1.17, >=~9.2.12, >=~9.3.8, >=9.4.3

[I] dev-db/postgresql
     Available versions:
     (9.0)  9.0.21^t 9.0.22^t
     (9.1)  9.1.17^t 9.1.18^t
     (9.2)  9.2.12 9.2.13
     (9.3)  9.3.8{tbz2} 9.3.9{tbz2}
     Installed versions:  9.3.9(9.3){tbz2}(10:20:19 16.07.2015)(nls pam readline ssl zlib -doc -kerberos -ldap -perl -pg_legacytimestamp -python -selinux -server -static-libs -tcl -threads -uuid -xml KERNEL="linux" LINGUAS="en ru -af -cs -de -es -fa -fr -hr -hu -it -ko -nb -pl -pt_BR -ro -sk -sl -sv -tr -zh_CN -zh_TW" PYTHON_SINGLE_TARGET="python2_7 -python3_3 -python3_4" PYTHON_TARGETS="python2_7 -python3_3 -python3_4")

Comment 5 Tobias Heinlein (RETIRED) gentoo-dev

2015-08-22 22:41:09 UTC

Sorry for not fixing this faster.

These false positives arise due to a limitation of the current GLSA format: We can't properly supply information about SLOTs in GLSAs and have to explicitly enumerate older versions to make glsa-check recognize them as unaffected. I have just added PHP versions up to 5.4.46 (which doesn't exist yet) to the mentioned PHP GLSAs, as well as few future versions of PostgreSQL to the PostgreSQL GLSA to work around this issue.

Comment 6 Tobias Heinlein (RETIRED) gentoo-dev

2015-08-22 22:42:50 UTC

*** Bug 556208 has been marked as a duplicate of this bug. ***

Comment 7 Mattias Merilai 2016-06-16 16:52:07 UTC

Another false report?

# glsa-check -ql affected
201507-20 [N] PostgreSQL: Multiple vulnerabilities ( dev-db/postgresql )

# emerge -pq postgresql
[ebuild   R   ] dev-db/postgresql-9.3.12