
Bug 228911

Summary: Multiple GLSAs contain wrong package versions
Product: Gentoo Security
Reporter: Krzysztof Pawlik (RETIRED) <nelchael>
Component: GLSA Errors
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: enhancement    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 106677    
Bug Blocks:    

Description Krzysztof Pawlik (RETIRED) gentoo-dev 2008-06-22 15:43:51 UTC
I have the following package installed:

 dev-java/sun-jdk
    selected: 1.4.2.17 1.5.0.15 1.6.0.06

The glsa-check tool shows that the system is affected by 3 GLSAs:

200705-23 [N] Sun JDK/JRE: Multiple vulnerabilities ( dev-java/sun-jre-bin  dev-java/sun-jdk )
200702-07 [N] Sun JDK/JRE: Execution of arbitrary code ( dev-java/sun-jre-bin  dev-java/sun-jdk )
200701-15 [N] Sun JDK/JRE: Multiple vulnerabilities ( dev-java/sun-jre-bin  dev-java/sun-jdk )

All 3 of them contain similar package versions:

  <affected>
    <package name="dev-java/sun-jdk" auto="yes" arch="*">
      <unaffected range="ge">1.5.0.11</unaffected>
      <unaffected range="rge">1.4.2.14</unaffected>
      <unaffected range="rge">1.4.2.15</unaffected>
      <vulnerable range="lt">1.5.0.11</vulnerable>
    </package>
  ...
  </affected>

<unaffected> doesn't contain JDKs >1.4.2.15, so .16 and .17 are considered vulnerable, as the DTD for GLSAs says:

The r* range information is revision-specific. For instance,
rge foo-1.2.3-r4  ==  >=foo-1.2.3-r4 && <foo-1.2.4

I propose a small change to the <package> tag: adding a slot attribute to denote the SLOT (with a default value of "0"); that way it would be possible to create entries like:

  <affected>
    <package name="dev-java/sun-jdk" slot="1.4" auto="yes" arch="*">
      <unaffected range="ge">1.4.2.14</unaffected>
      <vulnerable range="lt">1.4.2.14</vulnerable>
    </package>
    <package name="dev-java/sun-jdk" slot="1.5" auto="yes" arch="*">
      <unaffected range="ge">1.5.0.11</unaffected>
      <vulnerable range="lt">1.5.0.11</vulnerable>
    </package>
  ...
  </affected>
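The range semantics the report turns on, as an added worked example (this is not glsa-check's or gentoolkit's code): a small Python model of how `<affected>` ranges are matched against installed versions, run over the `<affected>` block quoted above and over the proposed slot-aware rewrite. The installed versions are the ones from the report; their SLOT values, the `slot` attribute itself, and the `in_range` / `vulnerable_versions` helpers are assumptions for illustration, and the version parser deliberately handles only dotted integers with an optional `-rN` revision, not full Portage version syntax.

```python
"""Model of how a GLSA <affected> block is evaluated against installed versions.

Added example for this bug report; not gentoolkit/glsa-check's own code.
Range semantics follow the GLSA DTD quoted in the report: plain ranges
(lt, le, eq, ge, gt) compare whole versions, while r* ranges are
revision-specific, e.g. `rge 1.2.3-r4` == `>=1.2.3-r4 && <1.2.4`.
The version parser is a simplification: dotted integers plus optional -rN.
"""
import xml.etree.ElementTree as ET

# Constructed from the report: installed dev-java/sun-jdk versions, mapped to
# the SLOT each one lives in (the slot values are an assumption).
INSTALLED = {"1.4.2.17": "1.4", "1.5.0.15": "1.5", "1.6.0.06": "1.6"}

# The <affected> block as quoted in the report (original GLSA form, no slots).
ORIGINAL_AFFECTED = """
<affected>
  <package name="dev-java/sun-jdk" auto="yes" arch="*">
    <unaffected range="ge">1.5.0.11</unaffected>
    <unaffected range="rge">1.4.2.14</unaffected>
    <unaffected range="rge">1.4.2.15</unaffected>
    <vulnerable range="lt">1.5.0.11</vulnerable>
  </package>
</affected>
"""

# The slot-aware form proposed in the report; the slot attribute is not in
# the GLSA DTD and is treated here as a hypothetical extension.
SLOTTED_AFFECTED = """
<affected>
  <package name="dev-java/sun-jdk" slot="1.4" auto="yes" arch="*">
    <unaffected range="ge">1.4.2.14</unaffected>
    <vulnerable range="lt">1.4.2.14</vulnerable>
  </package>
  <package name="dev-java/sun-jdk" slot="1.5" auto="yes" arch="*">
    <unaffected range="ge">1.5.0.11</unaffected>
    <vulnerable range="lt">1.5.0.11</vulnerable>
  </package>
</affected>
"""

_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
}


def parse_version(version):
    """Split '1.4.2.14-r2' into ((1, 4, 2, 14), 2); a missing revision is 0."""
    base, _, rev = version.partition("-r")
    return tuple(int(part) for part in base.split(".")), int(rev or 0)


def in_range(installed, op, ref):
    """True if `installed` satisfies <... range=op>ref</...> per the GLSA DTD."""
    inst_base, inst_rev = parse_version(installed)
    ref_base, ref_rev = parse_version(ref)
    if op.startswith("r"):
        # Revision-specific: the base version must match exactly, and only the
        # revision is compared. `rge 1.4.2.14` covers 1.4.2.14-r*, not 1.4.2.17.
        return inst_base == ref_base and _OPS[op[1:]](inst_rev, ref_rev)
    return _OPS[op]((inst_base, inst_rev), (ref_base, ref_rev))


def vulnerable_versions(affected_xml, installed):
    """Return the installed versions that would be flagged as vulnerable.

    A version is flagged when some <package> entry (restricted to the
    version's SLOT if the entry carries a slot attribute) has a <vulnerable>
    range covering it and no <unaffected> range covering it. This mirrors the
    decision glsa-check makes but is modelled here, not copied from it.
    """
    flagged = set()
    for pkg in ET.fromstring(affected_xml.strip()).iter("package"):
        slot = pkg.get("slot")
        for version, version_slot in installed.items():
            if slot is not None and slot != version_slot:
                continue
            vulnerable = any(in_range(version, e.get("range"), e.text.strip())
                             for e in pkg.findall("vulnerable"))
            unaffected = any(in_range(version, e.get("range"), e.text.strip())
                             for e in pkg.findall("unaffected"))
            if vulnerable and not unaffected:
                flagged.add(version)
    return sorted(flagged, key=parse_version)


if __name__ == "__main__":
    print("original GLSA flags:", vulnerable_versions(ORIGINAL_AFFECTED, INSTALLED))
    print("slot-aware GLSA flags:", vulnerable_versions(SLOTTED_AFFECTED, INSTALLED))
    print("1.4.2.14-r1 under original:",
          vulnerable_versions(ORIGINAL_AFFECTED, {"1.4.2.14-r1": "1.4"}))
```

Run stand-alone, the original block flags 1.4.2.17 (it is `lt 1.5.0.11` and matched by neither `rge` entry, because those only cover the 1.4.2.14-r* and 1.4.2.15-r* revisions), while the slot-aware block flags nothing, since 1.4.2.17 is only ever compared against the 1.4 entry's `ge 1.4.2.14`. The third line shows the `rge` semantics working as intended for a revision bump of the listed version. Without a slot attribute, the only way for an advisory to express "every 1.4.2.x at or above .14 is fine" is a plain `ge 1.4.2.14`, but that would also declare 1.5.0.0 through 1.5.0.10 unaffected, which is exactly why the old GLSAs fell back on per-version `rge` entries and went stale.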
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-06 22:30:19 UTC
GLSA slot dependencies are being discussed in bug 106677. We need to update the old GLSAs to reflect the new versions still :-(
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-16 15:29:14 UTC
Updated all three GLSAs, thanks for the report. Please reopen if I missed something.

Let's just hope we can get slot support soon.