Bug 598599 - GLSA 201610-10 marks www-plugins/adobe-flash-11.2.202.643 as affected
Summary: GLSA 201610-10 marks www-plugins/adobe-flash-11.2.202.643 as affected
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-30 23:23 UTC by Maciej S. Szmigiero
Modified: 2016-11-01 18:14 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---
Description Maciej S. Szmigiero 2016-10-30 23:23:47 UTC
glsa-check says:
Checking GLSA 201610-10
>>> No upgrade path exists for these packages:
     www-plugins/adobe-flash-11.2.202.643

But version 11.2.202.643 isn't affected by this GLSA.
GLSA 201610-10 says that unaffected versions are >= 11.2.202.635,
while at least one CVE linked on it - CVE-2016-6992 - says that
11.2.202.637 is the minimal unaffected version.


Reproducible: Always
Comment 1 Ortwin Glueck 2016-11-01 16:45:49 UTC
# glsa-check -l 201610-10
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

201610-10 [N] Adobe Flash Player: Multiple vulnerabilities ( www-plugins/adobe-flash )
# equery l adobe-flash
 * Searching for adobe-flash ...
[IP-] [  ] www-plugins/adobe-flash-11.2.202.643:0
[IP-] [  ] www-plugins/adobe-flash-23.0.0.205:22

I am not sure how to express that correctly in the xml. It seems vulnerable overrules unaffected:
  <affected>
    <package name="www-plugins/adobe-flash" auto="yes" arch="*">
      <unaffected range="ge">23.0.0.205</unaffected>
      <unaffected range="rge">11.2.202.635</unaffected>
      <vulnerable range="lt">23.0.0.205</vulnerable>
    </package>
  </affected>

Maybe the vulnerable line should use rlt?
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-11-01 18:14:19 UTC
(In reply to Ortwin Glueck from comment #1)


> I am not sure how to express that correctly in the xml. It seems vulnerable
> overrules unaffected:
>   <affected>
>     <package name="www-plugins/adobe-flash" auto="yes" arch="*">
>       <unaffected range="ge">23.0.0.205</unaffected>
>       <unaffected range="rge">11.2.202.635</unaffected>
>       <vulnerable range="lt">23.0.0.205</vulnerable>
>     </package>
>   </affected>
> 
> Maybe the vulnerable line should use rlt?

No, vulnerable is correct, it is the usual slot issue in GLSAs, so as new versions in the lower slot get added, the GLSA gets updated. For predictable semantic versioning schemes this is normally done a few versions ahead to reduce noise. For something using build versions (or whatever) it won't work, so it needs to be added afterwards. Just keep filing bugs.

commit d17f961554b3b54976858ac11a17ace2d2d90464
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Tue Nov 1 19:13:33 2016 +0100

    GLSA 201610-10: Fix slot issue for lower version
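To make the behaviour discussed in comments 1 and 2 concrete, here is a small model of how a GLSA `<affected>` block is evaluated against installed versions. It is an added example written for this bug, not gentoolkit's glsa-check code and not the GLSA file itself. It assumes the semantics the range names suggest: plain ranges (`lt`, `le`, `eq`, `ge`, `gt`) compare whole versions, while `r`-prefixed ranges (`rlt`, `rle`, `rge`, `rgt`) apply only to the same base version and compare the `-rN` revision, which is why `rge 11.2.202.635` does not cover `11.2.202.643`. The `GLSA_WITH_LOWER_SLOT_FIX` variant (an extra `rge` entry for the installed lower-slot version) is my assumption of what a "fix slot issue for lower version" change looks like, not the content of the commit above; the slot table is constructed from the `equery` output in comment 1.

```python
"""Simplified model of GLSA range evaluation (example for bug 598599, not glsa-check)."""
import xml.etree.ElementTree as ET

# Constructed fragment in the shape quoted in comment 1 (not the full GLSA file).
GLSA_AS_REPORTED = """
<affected>
  <package name="www-plugins/adobe-flash" auto="yes" arch="*">
    <unaffected range="ge">23.0.0.205</unaffected>
    <unaffected range="rge">11.2.202.635</unaffected>
    <vulnerable range="lt">23.0.0.205</vulnerable>
  </package>
</affected>
"""

# Hypothetical corrected variant: an extra rge entry for the lower slot's version.
# Assumption about the fix, not the actual commit content.
GLSA_WITH_LOWER_SLOT_FIX = GLSA_AS_REPORTED.replace(
    '<vulnerable range="lt">',
    '<unaffected range="rge">11.2.202.643</unaffected>\n    <vulnerable range="lt">',
)

# Constructed tree contents: version -> slot, mirroring the equery output in comment 1.
AVAILABLE = {"11.2.202.643": "0", "23.0.0.205": "22"}


def parse_version(v):
    """'11.2.202.643-r2' -> ((11, 2, 202, 643), 2); a missing revision counts as 0."""
    base, _, rev = v.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)


def in_range(kind, bound, version):
    """True if `version` falls inside GLSA range `kind` relative to `bound`."""
    v_base, v_rev = parse_version(version)
    b_base, b_rev = parse_version(bound)
    if kind.startswith("r"):
        # Revision range (assumed semantics): only the same base version can
        # match, and only the -rN revision is compared.
        if v_base != b_base:
            return False
        kind, lhs, rhs = kind[1:], v_rev, b_rev
    else:
        lhs, rhs = (v_base, v_rev), (b_base, b_rev)
    ops = {"lt": lhs < rhs, "le": lhs <= rhs, "eq": lhs == rhs,
           "ge": lhs >= rhs, "gt": lhs > rhs}
    return ops[kind]


def load_ranges(glsa_xml):
    """Return ([(range, bound)...] unaffected, [(range, bound)...] vulnerable)."""
    pkg = ET.fromstring(glsa_xml.strip()).find("package")
    unaffected = [(e.get("range"), e.text.strip()) for e in pkg.findall("unaffected")]
    vulnerable = [(e.get("range"), e.text.strip()) for e in pkg.findall("vulnerable")]
    return unaffected, vulnerable


def verdict(glsa_xml, version):
    """Classify one version; an unaffected match wins over a vulnerable one (model choice)."""
    unaffected, vulnerable = load_ranges(glsa_xml)
    if any(in_range(k, b, version) for k, b in unaffected):
        return "unaffected"
    if any(in_range(k, b, version) for k, b in vulnerable):
        return "vulnerable"
    return "not covered"


def upgrade_path(glsa_xml, installed, available=AVAILABLE):
    """Lowest available unaffected version in the same slot, or None when there
    is none (the 'No upgrade path exists' case from the report)."""
    if verdict(glsa_xml, installed) != "vulnerable":
        return installed
    slot = available[installed]
    candidates = [v for v, s in available.items()
                  if s == slot and parse_version(v) >= parse_version(installed)
                  and verdict(glsa_xml, v) == "unaffected"]
    return min(candidates, key=parse_version) if candidates else None


def check_system(glsa_xml, available=AVAILABLE):
    """Map every installed version to (verdict, upgrade target or None)."""
    return {v: (verdict(glsa_xml, v), upgrade_path(glsa_xml, v, available))
            for v in available}


if __name__ == "__main__":
    for label, xml in (("as reported", GLSA_AS_REPORTED),
                       ("with lower-slot fix", GLSA_WITH_LOWER_SLOT_FIX)):
        print(label)
        for v, (state, target) in check_system(xml).items():
            print(f"  {v}: {state}, upgrade -> {target or 'No upgrade path exists'}")
```

Run as-is, the "as reported" pass flags 11.2.202.643 as vulnerable with no upgrade path in slot 0, matching the glsa-check output in the description, while 23.0.0.205 is unaffected; the variant with the additional `rge` entry clears the lower slot. The point for anyone maintaining GLSA data is that a revision range has to name each base version it is meant to cover.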