572914 – GLSA 201412-29 affected despite appropriate tomcat installed

Bug 572914 - GLSA 201412-29 affected despite appropriate tomcat installed

Summary: GLSA 201412-29 affected despite appropriate tomcat installed

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	GLSA Errors (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2016-01-25 19:56 UTC by Daniel "Fremen" Llewellyn
Modified:	2016-03-20 14:17 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel "Fremen" Llewellyn 2016-01-25 19:56:39 UTC

glsa-check -l lists 201412-29 affecting tomcat:6 and tomcat:7. The GLSA reports that >=7.0.56, >=~6.0.41 are unaffected. The versions of tomcat installed on the system are:

dev-java/tomcat-servlet-api-6.0.44-r1:2.5
dev-java/tomcat-servlet-api-7.0.67:3.0
www-servers/tomcat-6.0.44-r2:6
www-servers/tomcat-7.0.67:7

emerge --info below:

Portage 2.2.20 (python 3.3.5-final-0, hardened/linux/amd64/no-multilib, gcc-4.9.3, glibc-2.21-r1, 3.14.14-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-3.14.14-gentoo-x86_64-Intel-R-_Xeon-R-_CPU_X3430_@_2.40GHz-with-gentoo-2.2
KiB Mem:     1013468 total,    297268 free
KiB Swap:    4194300 total,   3660636 free
Timestamp of repository gentoo: Sun, 24 Jan 2016 20:30:01 +0000
sh bash 4.3_p42-r1
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash:          4.3_p42-r1::gentoo
dev-java/java-config:     2.2.0::gentoo
dev-lang/perl:            5.20.2::gentoo
dev-lang/python:          2.7.10-r1::gentoo, 3.3.5-r2::gentoo, 3.4.3-r1::gentoo
dev-util/cmake:           2.8.12.2-r1::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.19.1::gentoo
sys-apps/sandbox:         2.10-r1::gentoo
sys-devel/autoconf:       2.69::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.12.6::gentoo, 1.13.4::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            4.3.6-r1::gentoo, 4.4.7::gentoo, 4.7.3-r1::gentoo, 4.8.4::gentoo, 4.9.3::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 4.3::gentoo (virtual/os-headers)
sys-libs/glibc:           2.21-r1::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA Oracle-BCLA-JavaSE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/apache2-php5.5/ext-active/ /etc/php/apache2-php5.6/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://www.mirrorservice.org/sites/www.ibiblio.org/gentoo/ ftp://ftp.mirrorservice.org/sites/www.ibiblio.org/gentoo/ http://mirror.qubenet.net/mirror/gentoo/ ftp://mirror.qubenet.net/mirror/gentoo/ http://gentoo.virginmedia.com/ ftp://gentoo.virginmedia.com/sites/gentoo "
LANG="en_GB.UTF-8"
LC_ALL="en_GB.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 apache2 berkdb bzip2 cli cracklib crypt ctype curl cxx dlz dovecot-sasl dri gd gdbm gif gs hardened iconv ipv6 jpeg jpeg2k json justify mmx mmxext modules mysql mysqli ncurses nls nptl openmp pam pax_kernel pcre pdo php pie png readline sasl seccomp session simplexml soap sockets sqlite sse sse2 ssl ssp tcpd unicode urandom vhosts xattr xml xtpax zip zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias proxy proxy_http" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

www-servers/tomcat-6.0.44-r2::gentoo was built with the following:
USE="-extra-webapps -source -test"

Comment 1 James Le Cuirot gentoo-dev

2016-01-25 20:50:27 UTC

Reassigning to security team because I don't understand this stuff (I did try) and Java team doesn't write the GLSAs.

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2016-03-19 08:34:27 UTC

You are good based on the GLSA and the reported applications installed.  Did GLSA check inform you that you *are* vulnerable or simply letting you know you *may* be?

Comment 3 Daniel "Fremen" Llewellyn 2016-03-19 16:31:14 UTC

the GLSA is reported when running `glsa-check -l`. No other GLSAs are listed when running this command and previously when I've fixed GLSAs that were listed by running this command they are removed from the list when re-running. Therefore I believe glsa-check is telling me that I am affected.

Comment 4 Tobias Heinlein (RETIRED) gentoo-dev

2016-03-19 21:14:14 UTC

This is a long standing bug because glsa-check does not support SLOTs properly. We will have to manually add 6.0.42, 6.0.43, ... as unaffected to the GLSA to workaround this. I will do so later unless someone else is faster.

Comment 5 Tobias Heinlein (RETIRED) gentoo-dev

2016-03-20 14:17:43 UTC

Done. GLSA 201206-24 was affected too.