
Bug 585462

Summary: glsa-check reports some packages as vulnerable incorrectly
Product: Portage Development
Reporter: LABBE Corentin <clabbe.montjoie>
Component: Tools
Assignee: Portage Tools Team <tools-portage>
Status: RESOLVED DUPLICATE
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description LABBE Corentin 2016-06-09 12:50:59 UTC
When running glsa-check I got:
glsa-check -t all
This system is affected by the following GLSAs:
201010-01
201603-15
201206-15
For 201010-01 and 201206-15 (libpng), my libpng versions are:
equery l libpng
[IP-] [  ] media-libs/libpng-1.2.56:1.2
[IP-] [  ] media-libs/libpng-1.6.21:0/16
So libpng cannot be vulnerable according to the dump of the GLSA:
Vulnerable:        <1.5.10
Unaffected:        >=1.5.10, >=~1.2.49, >=~1.2.50, >=~1.2.51, >=~1.2.52, >=~1.2.53, >=~1.2.54, >=~1.2.55

Same for 201603-15 (openssl):
[IP-] [  ] dev-libs/openssl-0.9.8z_p8:0.9.8
[IP-] [  ] dev-libs/openssl-1.0.2h:0

Reproducible: Always
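As an added illustration (not gentoolkit's code and not part of the bug report), the following Python models the range syntax glsa-check prints in the description above and evaluates the reporter's installed libpng versions against it. It assumes that ">=~" is glsa-check's rendering of a GLSA revision range ("rge"), which matches only -rN revisions of the exact listed version and not later versions; version parsing is simplified to dotted numeric versions plus an optional -rN revision.

```python
import re

# Ranges exactly as glsa-check printed them for GLSA 201206-15 in the bug
# report above. The range-syntax model below is an assumption about how
# those strings are meant to be read, not gentoolkit's own implementation.
VULNERABLE = ["<1.5.10"]
UNAFFECTED = [">=1.5.10", ">=~1.2.49", ">=~1.2.50", ">=~1.2.51",
              ">=~1.2.52", ">=~1.2.53", ">=~1.2.54", ">=~1.2.55"]

# operator, optional "~" (revision-only match), version
RANGE_RE = re.compile(r"^(<=|>=|<|>|=)(~?)(.+)$")

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def parse_version(v):
    """Split 'A.B.C[-rN]' into (numeric components, revision number).

    Simplified on purpose: only dotted numeric versions and a -rN suffix
    are handled (no _p/_rc/letter suffixes as full Gentoo versions allow).
    """
    base, _, rev = v.partition("-r")
    return tuple(int(p) for p in base.split(".")), (int(rev) if rev else 0)


def matches(installed, rng):
    """True if the installed version falls inside one printed range string."""
    m = RANGE_RE.match(rng)
    if not m:
        raise ValueError(f"unrecognised range: {rng}")
    op, rev_only, ver = m.groups()
    ibase, irev = parse_version(installed)
    rbase, rrev = parse_version(ver)
    if rev_only:
        # Assumed 'rge'-style semantics: the base version must be identical
        # and only the -rN revision is compared, so 1.2.56 never matches
        # ">=~1.2.55" even though 1.2.56 is newer.
        return ibase == rbase and OPS[op](irev, rrev)
    return OPS[op]((ibase, irev), (rbase, rrev))


def assess(installed, vulnerable=VULNERABLE, unaffected=UNAFFECTED):
    """Classify an installed version the way the printed ranges imply:
    an unaffected match wins, otherwise a vulnerable match is reported."""
    if any(matches(installed, r) for r in unaffected):
        return "unaffected"
    if any(matches(installed, r) for r in vulnerable):
        return "vulnerable"
    return "not covered"


if __name__ == "__main__":
    # The reporter's two installed versions plus a revision of a listed base.
    for v in ("1.2.56", "1.6.21", "1.2.55-r1"):
        print(v, assess(v))
```

Read this way, media-libs/libpng-1.2.56 is below 1.5.10 and is not a revision of any of the listed 1.2.49 to 1.2.55 bases, so the printed ranges themselves classify it as vulnerable; that is why comparing the installed version against the latest revision of the GLSA data (as comment 2 below suggests) is the first thing to verify before suspecting the version comparison in the tool.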
Comment 1 Ján Regeš 2017-01-30 10:54:04 UTC
Hi,

please check this bug. We have a lot of servers in Nagios with glsa-check and it reports vulnerabilities for unaffected packages. So a lot of false positives.

Thank you.
Comment 2 Zac Medico gentoo-dev 2017-01-30 17:28:29 UTC
These GLSAs have had lots of revisions that might have affected glsa-check behavior:

https://gitweb.gentoo.org/data/glsa.git/log/glsa-201010-01.xml
https://gitweb.gentoo.org/data/glsa.git/log/glsa-201206-15.xml

Please file a new bug if you find incorrect behavior with the latest revisions of GLSAs and the latest version of gentoolkit.

*** This bug has been marked as a duplicate of bug 575214 ***