Not sure what's going on with these newly published GLSAs but for example:

# glsa-check -t 202305-23
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.11/glsa-check", line 406, in <module>
    myglsa = Glsa(myid, portage.settings, vardb, portdb)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/portage/glsa.py", line 521, in __init__
    self.read()
  File "/usr/lib/python3.11/site-packages/portage/glsa.py", line 542, in read
    self.parse(f)
  File "/usr/lib/python3.11/site-packages/portage/glsa.py", line 656, in parse
    tmp["vul_vers"] = [
                      ^
  File "/usr/lib/python3.11/site-packages/portage/glsa.py", line 657, in <listcomp>
    makeVersion(v) for v in p.getElementsByTagName("vulnerable")
    ^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/portage/glsa.py", line 295, in makeVersion
    op = opMapping[versionNode.getAttribute("range")]
         ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
KeyError: 'None'
#

These are the only affected ones as far as I can tell with my testing.
They are related to the presence of the line: <vulnerable range="None">None</vulnerable>
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=aae8e98bfe8e27bd9c54f0cb63208830ae6e84eb

commit aae8e98bfe8e27bd9c54f0cb63208830ae6e84eb
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-03 23:26:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 23:28:06 +0000

    [ GLSA 202305-19 ] Fix affected version range

    Bug: https://bugs.gentoo.org/905660
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-19.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b0193c5f5d36670c88c482b97893c39b745a98dc

commit b0193c5f5d36670c88c482b97893c39b745a98dc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-03 23:26:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 23:28:05 +0000

    [ GLSA 202305-15 ] Fix affected version range

    Bug: https://bugs.gentoo.org/905660
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-15.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7d6911ebd7e0795b40d8b32e37ba9b1001a4cb56

commit 7d6911ebd7e0795b40d8b32e37ba9b1001a4cb56
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-03 23:25:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 23:28:05 +0000

    [ GLSA 202305-01 ] Fix affected version range

    Bug: https://bugs.gentoo.org/905660
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-01.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Okay, I've fixed the GLSAs (see bug 905652), but we should really have better error handling for invalid GLSAs, so let's use this bug for that.
Given how many ways a GLSA can be malformed, I think it would be best to implement some kind of "real" validation against the GLSA DTD in Portage's GLSA handling. I'm not sure Python has any such native facility, though. Nonetheless, I've written a set of patches to correct this particular failure mode (and test that it's fixed): https://github.com/gentoo/portage/pull/1056
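
Added example, not part of the original thread and not Portage's own code: a standalone pre-flight check that reports every `<vulnerable>`/`<unaffected>` node whose `range` attribute is not a known operator, so a malformed advisory yields one descriptive error rather than the `KeyError` in the traceback above. The operator set, the exception name `GlsaRangeError`, and the sample advisories are assumptions made for this example.

```python
import xml.dom.minidom

# Assumption: the comparison operators a GLSA "range" attribute may carry.
# This set is written out for the example, not read from Portage or the DTD.
VALID_RANGES = {"le", "lt", "eq", "gt", "ge", "rle", "rlt", "rge", "rgt"}


class GlsaRangeError(ValueError):
    """Hypothetical exception type for this example (not Portage's class)."""


def check_ranges(xml_text):
    """Return (package, tag, range, text) for each version node with a bad range."""
    doc = xml.dom.minidom.parseString(xml_text)
    problems = []
    for pkg in doc.getElementsByTagName("package"):
        for tag in ("unaffected", "vulnerable"):
            for node in pkg.getElementsByTagName(tag):
                rng = node.getAttribute("range")  # "" when the attribute is absent
                if rng not in VALID_RANGES:
                    text = "".join(c.data for c in node.childNodes
                                   if c.nodeType == c.TEXT_NODE).strip()
                    problems.append((pkg.getAttribute("name"), tag, rng, text))
    return problems


def validate(xml_text):
    """Raise one descriptive error instead of a KeyError deep in a version lookup."""
    problems = check_ranges(xml_text)
    if problems:
        raise GlsaRangeError("; ".join(
            f"{name}: <{tag} range={rng!r}>{text}</{tag}>"
            for name, tag, rng, text in problems))


# Constructed sample advisories (placeholder id and package name).
GOOD = """<glsa id="000000-00"><affected>
  <package name="example-cat/example-pkg" auto="yes" arch="*">
    <unaffected range="ge">1.2.3</unaffected>
    <vulnerable range="lt">1.2.3</vulnerable>
  </package></affected></glsa>"""
BAD = GOOD.replace('<vulnerable range="lt">1.2.3', '<vulnerable range="None">None')
MISSING = GOOD.replace(' range="lt"', "")

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD), ("missing", MISSING)):
        print(label, check_ranges(sample))
```
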
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=bc9342d07f5a46f9ef5a220144decb9553342669

commit bc9342d07f5a46f9ef5a220144decb9553342669
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-06-16 02:26:57 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-06-16 02:26:57 +0000

    tests/glsa/test_security_set: test glsa with invalid range attribute

    Bug: https://bugs.gentoo.org/905660
    Closes: https://github.com/gentoo/portage/pull/1056
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 lib/portage/tests/glsa/test_security_set.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=63691996a5c2bcebf93c27ee8548c7520f9517d7

commit 63691996a5c2bcebf93c27ee8548c7520f9517d7
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-06-16 02:26:50 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-06-16 02:26:50 +0000

    lib/portage/glsa: raise GlsaFormatException on invalid range types

    Bug: https://bugs.gentoo.org/905660
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 NEWS                | 3 +++
 lib/portage/glsa.py | 14 ++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9502761c5bef818dbec90f062909d46dc22289df

commit 9502761c5bef818dbec90f062909d46dc22289df
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-21 19:09:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-21 19:11:05 +0000

    sys-apps/portage: add 3.0.49

    Closes: https://bugs.gentoo.org/485100
    Cloess: https://bugs.gentoo.org/592880
    Closes: https://bugs.gentoo.org/596664
    Closes: https://bugs.gentoo.org/631490
    Closes: https://bugs.gentoo.org/764365
    Closes: https://bugs.gentoo.org/793992
    Closes: https://bugs.gentoo.org/890812
    Closes: https://bugs.gentoo.org/905660
    Closes: https://bugs.gentoo.org/907949
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/portage/Manifest              | 1 +
 sys-apps/portage/portage-3.0.49.ebuild | 296 +++++++++++++++++++++++++++++++++
 2 files changed, 297 insertions(+)