I have manually upgraded "kdelibs" and "kdebase" to the recent stable versions. Before I had been running version 3.2.0 of both packages.

* kde-base/kdelibs : [ I] 3.2.0 (3.2) [ I] 3.3.2-r2 (3.3)
* kde-base/kdebase : [ I] 3.2.0 (3.2) [ I] 3.3.2-r1 (3.3)

In effect, GLSA 200412-16 should now be closed. Unfortunately "glsa-check -p 200412-16" does not recognize that the GLSA is closed.

Reproducible: Didn't try
Steps to Reproduce:
1.
2.
3.

Actual Results:
Checking GLSA 200412-16
The following updates will be performed for this GLSA:
kde-base/kdelibs-3.2.3-r5 (3.2.0)
kde-base/kdebase-3.2.3-r3 (3.2.0)

Expected Results:
"glsa-check" should see that GLSA 200412-16 is closed, as recent versions of "kdebase" and "kdelibs" are installed, and not try to install older versions of the installed packages.

Portage 2.0.51-r14 (default-linux/x86/2004.0, gcc-3.3.2, glibc-2.3.4.20040808-r1, 2.4.26-gentoo-r13 i686)
=================================================================
System uname: 2.4.26-gentoo-r13 i686 Pentium III (Katmai)
Gentoo Base System version 1.4.3.13
Python: dev-lang/python-2.3.3 [2.3.3 (#1, Jun 23 2004, 23:14:51)]
dev-lang/python: 2.3.3
sys-devel/autoconf: 2.59-r5
sys-devel/automake: 1.8.5-r1
sys-devel/binutils: 2.14.90.0.7-r4
sys-devel/libtool: 1.4.3-r3
virtual/os-headers: 2.4.21
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage/"
USE="x86 X apm arts avi berkdb bitmap-fonts bonobo cdr crypt cups encode esd f77 fam flac font-server foomaticdb fortran gdbm gif gnome gpm gtk gtk2 gtkhtml guile imlib ipv6 java jpeg junit kde ldap libg++ libwww mad mikmod mmx motif mozilla mpeg mysql ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sdl slang spell sse ssl svga tcltk tcpd tiff truetype truetype-fonts type1-fonts xml xml2 xmms xv zlib linguas_de"
Unset: ASFLAGS, CBUILD, CTARGET, LDFLAGS, PORTDIR_OVERLAY
You can watch the same behaviour for the following KDE related GLSAs:

200410-30 [N] GPdf, KPDF, KOffice: Vulnerabilities in included xpdf ( app-text/gpdf kde-base/kdegraphics app-office/koffice )
200412-16 [N] kdelibs, kdebase: Multiple vulnerabilities ( kde-base/kdelibs kde-base/kdebase )
200412-17 [N] kfax: Multiple overflows in the included TIFF library ( kde-base/kdegraphics )
200408-13 [N] kdebase, kdelibs: Multiple security issues ( kde-base/kdelibs kde-base/kdebase )
200408-23 [N] kdelibs: Cross-domain cookie injection vulnerability ( kde-base/kdelibs )
200501-16 [N] Konqueror: Java sandbox vulnerabilities ( kde-base/kdelibs )
200501-17 [N] KPdf, KOffice: More vulnerabilities in included Xpdf ( kde-base/kdegraphics app-office/koffice )
200501-18 [N] KDE FTP KIOslave: Command injection ( kde-base/kdelibs )
200405-11 [N] KDE URI Handler Vulnerabilities ( kde-base/kdelibs )
I cannot recreate this. Are you sure you didn't forget to unmerge old KDE versions?

equery list | egrep 'kde.*3\.2\.0' | xargs emerge -Cv

You might need to change the kde version and remember to check which packages are unmerged.
As you can see

* kde-base/kdelibs : [ I] 3.2.0 (3.2) [ I] 3.3.2-r2 (3.3)
* kde-base/kdebase : [ I] 3.2.0 (3.2) [ I] 3.3.2-r1 (3.3)

the old versions are still installed and I don't plan to uninstall the old KDE version 3.2.0 right soon as I don't want to lose the old settings. I had hoped that GLSA-check would recognize that the new KDE packages are installed. Obviously it finds the old packages first and thinks that the security flaws are still open.
3.2.0 is vulnerable so I don't see this as any error in the GLSA.
After reading "glsa-check is not SLOT-aware. This might result in false positives. Please check your system for old versions that are in a different SLOT" under http://www.gentoo.org/proj/en/portage/glsa-integration.xml I have to admit that you are right. Sorry for wasting your time.
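The SLOT-aware comparison that this thread concludes glsa-check does not perform, as an added example (not Gentoo's glsa-check code). The installed list is the one shown in the report; the per-slot "unaffected" versions are constructed assumptions, since the page does not quote the GLSA's actual ranges, and the script treats a slot with no listed fix as still affected.

```python
import re

# Constructed sample: the installed KDE packages from the report, as
# (package, version, slot) triples, as "equery list" shows them.
INSTALLED = [
    ("kde-base/kdelibs", "3.2.0", "3.2"),
    ("kde-base/kdelibs", "3.3.2-r2", "3.3"),
    ("kde-base/kdebase", "3.2.0", "3.2"),
    ("kde-base/kdebase", "3.3.2-r1", "3.3"),
]

# Assumed per-slot "unaffected from" versions for one GLSA (the real ranges are
# not on the page; the 3.2 values mirror what glsa-check wanted to install).
UNAFFECTED = {
    "kde-base/kdelibs": {"3.2": "3.2.3-r5", "3.3": "3.3.2-r2"},
    "kde-base/kdebase": {"3.2": "3.2.3-r3", "3.3": "3.3.2-r1"},
}

def version_key(version):
    """Map a Gentoo version such as '3.2.3-r5' to a comparable tuple:
    dotted numeric components plus the -rN revision (0 when absent)."""
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if not match:
        raise ValueError(f"unsupported version string: {version}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, int(match.group(2) or 0)

def vulnerable_instances(installed, unaffected):
    """SLOT-aware check: an installed instance is affected when it is older
    than the unaffected version for its own slot. A slot with no listed
    unaffected version is treated as affected (conservative assumption)."""
    affected = []
    for package, version, slot in installed:
        fixed = unaffected.get(package, {}).get(slot)
        if fixed is None or version_key(version) < version_key(fixed):
            affected.append((package, version, slot))
    return affected

def package_status(installed, unaffected):
    """One verdict per package, which is what the reporter saw: a package
    stays 'vulnerable' while any slot still holds an old version."""
    verdict = {pkg: "fixed" for pkg, _, _ in installed}
    for package, _, _ in vulnerable_instances(installed, unaffected):
        verdict[package] = "vulnerable"
    return verdict

if __name__ == "__main__":
    for package, version, slot in vulnerable_instances(INSTALLED, UNAFFECTED):
        print(f"{package}-{version} (slot {slot}) still affected")
    print(package_status(INSTALLED, UNAFFECTED))
```

Run against the report's data, only the two 3.2-slot instances come back as affected, so the per-package verdict stays "vulnerable" even though the 3.3 slot is fixed.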