607704 – GLSA: add flag --continue-on-error in conjunction with --fix

Bug 607704 - GLSA: add flag --continue-on-error in conjunction with --fix

Summary: GLSA: add flag --continue-on-error in conjunction with --fix

Status:	UNCONFIRMED

Alias:	None

Product:	Portage Development
Classification:	Unclassified
Component:	Tools (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Portage team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-01-30 09:54 UTC by Ján Regeš
Modified:	2019-08-19 05:53 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ján Regeš 2017-01-30 09:54:33 UTC

Hi,

when i call "glsa-check --fix all" (and there are 10 GLSAs), script exits on first GLSA with error "cannot fix GLSA, no unaffected packages available".

In this case, i have to run one-by-one "glsa-check --fix NUMBER".

When there will be flag like a "--continue-on-error", it would be better.

Thank you.

DETAIL:

elk ~ # glsa-check -t all   
This system is affected by the following GLSAs:
201603-15
201612-16
201701-74
201701-47
201701-37
201701-46
201701-56
elk ~ # glsa-check -f $(glsa-check -t all)
This system is affected by the following GLSAs:
Fixing GLSA 201603-15
>>> cannot fix GLSA, no unaffected packages available
elk ~ #

Comment 1 Ján Regeš 2017-01-30 10:23:37 UTC

Btw, for now i simulate "--continue-on-error" by this command:

glsa-check -t all | while read line ; do glsa-check -f $line ; done

Comment 2 Ján Regeš 2017-01-30 11:03:08 UTC

This issue is related to https://bugs.gentoo.org/show_bug.cgi?id=585462

GLSA reports also really-unaffected GLSA.

For example.. I have installed OpenSSL-1.0.2k and glsa-check reports affected "201603-15" and "201612-16" which was already fixed in OpenSSL-1.0.2j.

When this bug will be fixed, problem "cannot fix GLSA, no unaffected packages available" does not appear.

Comment 3 Michael Palimaka (kensington) gentoo-dev

2017-02-01 13:50:02 UTC

CCing portage team too because I don't know which is the "one true glsa-check" these days. :-)

Comment 4 Ján Regeš 2017-03-17 12:59:17 UTC

Hi, portage team.. could you answer to this issue please?

Glsa-check does not work properly. It reports also unaffected vulnerabilities.

See example below with OpenSSL. I have OpenSSL 1.0.2k, but glsa-check reports some old vulnerabilities from previous versions.

Thank you.

> elk ~ # glsa-check --list
> [A] means this GLSA was marked as applied (injected),
> [U] means the system is not affected and
> [N] indicates that the system might be affected.
> 
> 201603-15 [N] OpenSSL: Multiple vulnerabilities ( dev-libs/openssl )
> 201612-16 [N] OpenSSL: Multiple vulnerabilities ( dev-libs/openssl )
> 201702-07 [N] OpenSSL: Multiple vulnerabilities ( dev-libs/openssl )
> elk ~ # emerge -av dev-libs/openssl 
> 
>  * IMPORTANT: 15 news items need reading for repository 'gentoo'.
>  * Use eselect news read to view new items.
> 
> These are the packages that would be merged, in order:
> 
> Calculating dependencies... done!
> [ebuild   R    ] dev-libs/openssl-1.0.2k::gentoo  USE="asm sslv3 tls heartbeat zlib -bindist -gmp -kerberos -rfc3779 -sctp -sslv2 -static-libs {-> test} -vanilla" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" 0 KiB
> 
> Total: 1 package (1 reinstall), Size of downloads: 0 KiB</nowiki>

Comment 5 Zac Medico gentoo-dev

2017-03-17 17:03:41 UTC

You might still have a vulnerable version of dev-libs/openssl in the 0.9.8 slot. Try this:


     emerge -pv --nodeps dev-libs/openssl:0.9.8

Comment 6 Zac Medico gentoo-dev

2019-08-19 05:53:14 UTC

glsa-check is included with >=sys-apps/portage-2.3.72 (bug 463952).