64601 – glsa-200407-12.xml is incorrect (or glsa-check is buggy)

Bug 64601 - glsa-200407-12.xml is incorrect (or glsa-check is buggy)

Summary: glsa-200407-12.xml is incorrect (or glsa-check is buggy)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	GLSA Errors (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2004-09-19 01:05 UTC by Evgeny Stambulchik
Modified:	2004-10-11 04:47 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Flags:	jaervosz: Assigned_To? (plasmaroo)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Evgeny Stambulchik 2004-09-19 01:05:02 UTC

It contains, among others,
    <package name="sys-kernel/gentoo-dev-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7-r7</unaffected>
      <vulnerable range="ge">2.6</vulnerable>
    </package>

And whatever you do, glsa-check will report the system affected.

      <vulnerable range="lt">2.6.7-r7</vulnerable>

corrects this (same for other kernel source flavours).

Reproducible: Always
Steps to Reproduce:

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2004-09-19 14:00:59 UTC

This is a problem with the GLSA, which is incompatible with the way glsa-check handles ranges. We'll correct it soon.

Comment 2 Tim Yamin (RETIRED) gentoo-dev

2004-09-21 11:10:40 UTC

This isn't a bug with the GLSA - although this can be changed to "lt" for gentoo-dev-sources, it cannot for aa and ck sources (and a few others) since they have 2.4 trees that are /not/ vulnerable and "lt" would pick them up as such.

Hence, glsa-check should evaluate vulnerable ranges and then subtract unaffected ranges rather than the current algorithm of doing things and no false errors should occur. Adding genone to the CC so he can have a look at this.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-09-21 13:11:09 UTC

Plasmaroo this style from the Coordinator Guide should work with glsa-check:

unaffected<=1.2.8-r2 
unaffected>=1.2.10 
affected<1.2.10

Comment 4 Evgeny Stambulchik 2004-09-22 07:53:19 UTC

glsa-200409-28 has a similar problem (except there is no easy workaround).

    <package name="x11-libs/gtk+" auto="yes" arch="*">
      <unaffected range="ge">2.4.9-r1</unaffected>
      <unaffected range="lt">2.0.0</unaffected>
      <vulnerable range="lt">2.4.9-r1</vulnerable>
    </package>

Here, <vulnerable range="lt">2.4.9-r1</vulnerable> shadows the whole unaffected 1.2 slot.

All in all, it seems the scheme currently used is ambiguos at best. I think each <vulnarable> should have "min" and "max" attributes; then <unaffected> becomes redundant.

Comment 5 Marius Mauch (RETIRED) gentoo-dev

2004-09-22 08:19:00 UTC

Yes, lack of ranges is a known problem, however this won't be changed until portage itself has proper support for it.

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-09-22 14:10:49 UTC

Tim will you fix GLSA 200407-12 with my workaround from comment #3?

Comment 7 Thierry Carrez (RETIRED) gentoo-dev

2004-09-28 04:53:00 UTC

Re: comment #4 and comment #5 : 
It's a problem in glsa-check that is being addressed in bug 65664

This bug should only address the issue in 200407-12.

Comment 8 Thierry Carrez (RETIRED) gentoo-dev

2004-10-10 05:22:30 UTC

I fixed GLSA 200407-12 (+ added development-sources fixed version and CAN reference).

Evgeny: it should work now, please double-check.

Comment 9 inode77 2004-10-11 02:17:37 UTC

Is solved, doesn't appear anymore.

Comment 10 Thierry Carrez (RETIRED) gentoo-dev

2004-10-11 04:47:30 UTC

Then it's closed :)