I've been using glsa-check in my standard updating procedure, but the last few times I've tried it (in about the last 3 weeks or so), it has repeatedly wanted to merge qt-3.3.3, as per GLSA 200408-20. I let it go the first time, but it keeps doing it. I tried searching and couldn't find anything but the GLSA kernel problem, which this definitely isn't.

Reproducible: Always

Steps to Reproduce:
1. glsa-check -f all
2. Injected the GLSA.
3. glsa-check -f all still wants to remerge qt-3.3.3.

Actual Results:
Repeated merging

Expected Results:
I expected glsa-check to fix the security problem.

Portage 2.0.50-r11 (default-x86-2004.0, gcc-3.3.4, glibc-2.3.3.20040420-r1, 2.6.8-rc2-love3)
=================================================================
System uname: 2.6.8-rc2-love3 i686 Intel(R) Pentium(R) 4 CPU 1300MHz
Gentoo Base System version 1.5.3
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium4 -O3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium4 -O3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://open-systems.ufl.edu/mirrors/gentoo ftp://ftp.ndlug.nd.edu/pub/gentoo/ ftp://mirrors.tds.net/gentoo ftp://ibiblio.org/pub/Linux/distributions/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/local/fluidportage/trunk"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aalib alsa apm avi berkdb bitmap-fonts bzlib cdr crypt directfb dvd encode esd fbcon gdbm gif gnome gpm gtk gtk2 imlib java jpeg libg++ libwww mad mmx motif mpeg ncurses nls opengl pam pdflib perl png python qt quicktime readline sdl slang spell sse ssl svga tcltk tcpd truetype x86 xml2 xmms xosd xprint xv zlib"

I suspect you have multiple versions of qt installed (with different SLOTs) and that even when you upgrade qt, you only upgrade (or reinstall) the latest SLOT, leaving the old SLOT installed and vulnerable. Could you check what versions of qt you have installed by running:

# qpkg -I -v qt

and report back here?

You're right; I have qt-3.3.3 and qt-2.3.2. dep -r tells me that no package needs the older one specifically, so I'm going to remove it. Thanks for the help.
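
The SLOT diagnosis from this thread, modelled as an added example (not glsa-check's or Portage's own code): a fix merged into one SLOT never replaces the older version in another SLOT, so every check reports the same vulnerable package until the old SLOT is unmerged. The two versions come from the thread; the SLOT names, the "everything below 3.3.3 is affected" range and the simplified version ordering are assumptions.

```python
import re

def vkey(version):
    """Simplified ordering key: dotted numbers plus optional -rN revision.
    Not Portage's full version comparison (no _alpha/_rc/letter suffixes)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version: {version}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def still_vulnerable(installed, fixed_version):
    """Return installed (version, slot) pairs older than the first fixed version."""
    return [(v, s) for v, s in installed if vkey(v) < vkey(fixed_version)]

def merge(installed, version, slot):
    """Model a merge: the new version replaces only what occupies the same SLOT."""
    kept = [(v, s) for v, s in installed if s != slot]
    return sorted(kept + [(version, slot)], key=lambda p: vkey(p[0]))

def unmerge(installed, version):
    """Model removing one installed version (here: the leftover old SLOT)."""
    return [(v, s) for v, s in installed if v != version]

def simulate(installed, fixed_version, fixed_slot, rounds=3):
    """Repeat 'check, then merge the fix' and record what each check reports."""
    history = []
    for _ in range(rounds):
        vuln = still_vulnerable(installed, fixed_version)
        history.append(vuln)
        if not vuln:
            break
        installed = merge(installed, fixed_version, fixed_slot)
    return installed, history

# Constructed state: versions from the thread; SLOT names are assumptions.
INSTALLED = [("2.3.2", "2"), ("3.3.3", "3")]
FIXED_VERSION, FIXED_SLOT = "3.3.3", "3"  # assumed: everything below 3.3.3 is affected

if __name__ == "__main__":
    state, history = simulate(INSTALLED, FIXED_VERSION, FIXED_SLOT)
    print("reported on each run:", history)
    print("after removing the old SLOT:",
          still_vulnerable(unmerge(state, "2.3.2"), FIXED_VERSION))
```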