Bug 717246 - GLSA 202003-43 false-positive for =www-servers/tomcat-7.0.103, needs conversion to slots
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-12 19:00 UTC by Hank Leininger
Modified: 2020-06-26 19:41 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hank Leininger 2020-04-12 19:00:00 UTC
glsa-check complains that www-servers/tomcat-7.0.103 is affected by 202003-43, despite >=7.0.100 being safe.

glsa-check 202003-43 states in English:

Affected package:  www-servers/tomcat
Affected archs:    All
Vulnerable:        <8.5.51
Unaffected:        >=~8.5.51, >=~7.0.100

And in glsa-202003-43.xml:

  <affected>
    <package name="www-servers/tomcat" auto="yes" arch="*">
      <unaffected range="rge">8.5.51</unaffected>
      <unaffected range="rge">7.0.100</unaffected>
      <vulnerable range="lt">8.5.51</vulnerable>
    </package>
  </affected>

And yet:

# equery l www-servers/tomcat
 * Searching for tomcat in www-servers ...
[IP-] [  ] www-servers/tomcat-7.0.103:7


# glsa-check -t -v -c 202003-43
This system is affected by the following GLSAs:
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

202003-43 [N] [remote  ] Apache Tomcat: Multiple vulnerabilities ( www-servers/tomcat-7.0.103 ) CVE-2019-0221,CVE-2019-12418,CVE-2019-17563,CVE-2020-1938

This is my first time digging into the machinery under the hood of glsa-check, but I think for slotted packages, that ought to be something like:

  <affected>
    <package name="www-servers/tomcat" auto="yes" arch="*">
      <unaffected range="ge" slot="7">7.0.100</unaffected>
      <unaffected range="ge" slot="8.5">8.5.51</unaffected>
      <vulnerable range="lt" slot="7">7.0.100</vulnerable>
      <vulnerable range="lt" slot="8">8.0.54</vulnerable>
      <vulnerable range="lt" slot="8.5">8.5.51</vulnerable>
    </package>
  </affected>

I'm not sure about the slot="8" entry: there _used_ to be tomcat-8.0 packages in tree, in slot 8; those are EOL and replaced with 8.5. If anyone still has 8.0.x installed, they are likely vulnerable, but I don't see how to specify "anything still using this slot is vulnerable", so I made up the nonexistent 8.0.54 version.
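The mismatch above can be reproduced with a small range evaluator. This is an added illustration, not code from the bug report or from Portage's glsa-check; it assumes the "rge" range means "same base version, revision greater or equal" (the ">=~" form shown in the glsa-check output), and the names Range, vkey and check are its own. It evaluates both the original ranges and the slotted ones proposed in the report against an installed tomcat-7.0.103 in slot 7.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

def vkey(v: str) -> Tuple[Tuple[int, ...], int]:
    """Parse '7.0.103' or '7.0.100-r1' into (numeric components, revision)."""
    base, _, rev = v.partition("-r")
    return tuple(int(x) for x in base.split(".")), int(rev or 0)

@dataclass
class Range:
    kind: str                 # "lt", "ge", or "rge" (assumed: same base version, rev >=)
    version: str
    slot: Optional[str] = None  # None means the range applies to every slot

    def matches(self, installed_version: str, installed_slot: str) -> bool:
        if self.slot is not None and self.slot != installed_slot:
            return False
        iv, ir = vkey(installed_version)
        rv, rr = vkey(self.version)
        if self.kind == "lt":
            return (iv, ir) < (rv, rr)
        if self.kind == "ge":
            return (iv, ir) >= (rv, rr)
        if self.kind == "rge":
            return iv == rv and ir >= rr
        raise ValueError(f"unknown range kind {self.kind!r}")

def is_affected(version: str, slot: str,
                unaffected: List[Range], vulnerable: List[Range]) -> bool:
    """Unaffected ranges win; otherwise any matching vulnerable range flags the package."""
    if any(r.matches(version, slot) for r in unaffected):
        return False
    return any(r.matches(version, slot) for r in vulnerable)

# Ranges as shipped in glsa-202003-43.xml (quoted in the report above)
ORIGINAL = (
    [Range("rge", "8.5.51"), Range("rge", "7.0.100")],
    [Range("lt", "8.5.51")],
)
# Slotted ranges as proposed in the report
SLOTTED = (
    [Range("ge", "7.0.100", "7"), Range("ge", "8.5.51", "8.5")],
    [Range("lt", "7.0.100", "7"), Range("lt", "8.0.54", "8"), Range("lt", "8.5.51", "8.5")],
)

def check(ranges, version: str, slot: str) -> bool:
    unaffected, vulnerable = ranges
    return is_affected(version, slot, unaffected, vulnerable)

if __name__ == "__main__":
    print("original:", check(ORIGINAL, "7.0.103", "7"))  # True: the false positive
    print("slotted: ", check(SLOTTED, "7.0.103", "7"))   # False
```

Under the original ranges, "rge 7.0.100" only covers 7.0.100-rN, so 7.0.103 falls through to "lt 8.5.51"; with per-slot ranges the 7.x branch gets its own upper bound and is compared only against itself.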
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-12 19:02:37 UTC
(moving to correct component, have not assessed yet.)
Comment 2 Miroslav Šulc gentoo-dev 2020-04-18 09:20:49 UTC
I can confirm this issue. Had it myself too. I used glsa inject to avoid it, but a proper fix would be better.
Comment 3 Larry the Git Cow gentoo-dev 2020-06-26 19:41:46 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=09c33520f8549f6a3210280c21940e14768be95d

commit 09c33520f8549f6a3210280c21940e14768be95d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-26 19:41:24 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-26 19:41:24 +0000

    [ GLSA 202003-43 ] Add slots
    
    Closes: https://bugs.gentoo.org/717246
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 glsa-202003-43.xml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)