
Bug 598599

Summary: GLSA 201610-10 marks www-plugins/adobe-flash-11.2.202.643 as affected
Product: Gentoo Security
Reporter: Maciej S. Szmigiero <mail>
Component: GLSA Errors
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Maciej S. Szmigiero 2016-10-30 23:23:47 UTC
glsa-check says:
Checking GLSA 201610-10
>>> No upgrade path exists for these packages:
     www-plugins/adobe-flash-11.2.202.643

But version 11.2.202.643 isn't affected by this GLSA.
GLSA 201610-10 says that unaffected versions are >= 11.2.202.635,
while at least one CVE linked on it - CVE-2016-6992 - says that
11.2.202.637 is the minimal unaffected version.


Reproducible: Always
Comment 1 Ortwin Glueck 2016-11-01 16:45:49 UTC
# glsa-check -l 201610-10
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

201610-10 [N] Adobe Flash Player: Multiple vulnerabilities ( www-plugins/adobe-flash )
# equery l adobe-flash
 * Searching for adobe-flash ...
[IP-] [  ] www-plugins/adobe-flash-11.2.202.643:0
[IP-] [  ] www-plugins/adobe-flash-23.0.0.205:22

I am not sure how to express that correctly in the xml. It seems vulnerable overrules unaffected:
  <affected>
    <package name="www-plugins/adobe-flash" auto="yes" arch="*">
      <unaffected range="ge">23.0.0.205</unaffected>
      <unaffected range="rge">11.2.202.635</unaffected>
      <vulnerable range="lt">23.0.0.205</vulnerable>
    </package>
  </affected>

Maybe the vulnerable line should use rlt?
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-11-01 18:14:19 UTC
(In reply to Ortwin Glueck from comment #1)
> I am not sure how to express that correctly in the xml. It seems vulnerable
> overrules unaffected:
>   <affected>
>     <package name="www-plugins/adobe-flash" auto="yes" arch="*">
>       <unaffected range="ge">23.0.0.205</unaffected>
>       <unaffected range="rge">11.2.202.635</unaffected>
>       <vulnerable range="lt">23.0.0.205</vulnerable>
>     </package>
>   </affected>
> 
> Maybe the vulnerable line should use rlt?

No, vulnerable is correct; it is the usual slot issue in GLSAs, so as new versions in the lower slot get added the GLSA gets updated. For predictable semantic versioning schemes this is normally done a few versions ahead to reduce noise. For something using build versions (or whatever) it won't work, so it needs to be added afterwards. Just keep filing bugs.

commit d17f961554b3b54976858ac11a17ace2d2d90464
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Tue Nov 1 19:13:33 2016 +0100

    GLSA 201610-10: Fix slot issue for lower version
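To make the behaviour discussed in comments 1 and 2 concrete, here is an added Python model of how a glsa-check style evaluator applies the `<affected>` block quoted above to the two installed slots. It is example code written for this page, not Gentoo's glsa.py; it assumes that `ge`/`lt` compare whole versions while the `r`-prefixed ranges (`rge`, `rlt`) only match the exact base version and compare its `-rN` revision, and the extra `rge 11.2.202.643` entry it tries at the end is a constructed illustration of the kind of update comment 2 describes, not the content of the commit.

```python
import operator
import re

# Assumed GLSA range semantics (model for this page, not portage's glsa.py):
# plain ranges compare the full version, "r" ranges match one base version
# and compare only its -rN revision, which is why "rge 11.2.202.635"
# does not cover 11.2.202.643 even though both live in slot 0.
OPS = {"ge": operator.ge, "gt": operator.gt, "le": operator.le,
       "lt": operator.lt, "eq": operator.eq}

def parse_version(v):
    """'11.2.202.635-r2' -> ([11, 2, 202, 635], 2); missing revision is 0."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)*)(?:-r([0-9]+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return [int(x) for x in m.group(1).split(".")], int(m.group(2) or 0)

def matches(rng, bound, installed):
    """True if the installed version falls inside the GLSA range (rng, bound)."""
    revision_only = rng.startswith("r")
    op = OPS[rng[1:] if revision_only else rng]
    (base_i, rev_i), (base_b, rev_b) = parse_version(installed), parse_version(bound)
    if revision_only:
        return base_i == base_b and op(rev_i, rev_b)
    return op((base_i, rev_i), (base_b, rev_b))

def classify(installed, unaffected, vulnerable):
    """Map each installed 'version:slot' to 'vulnerable' or 'unaffected'.
    A package counts as vulnerable only if a vulnerable range matches it
    and no unaffected range does."""
    report = {}
    for ver, slot in installed:
        is_vuln = any(matches(r, b, ver) for r, b in vulnerable)
        is_unaff = any(matches(r, b, ver) for r, b in unaffected)
        report[f"{ver}:{slot}"] = "vulnerable" if is_vuln and not is_unaff else "unaffected"
    return report

# The <affected> block from comment 1 as (range, version) pairs.
UNAFFECTED = [("ge", "23.0.0.205"), ("rge", "11.2.202.635")]
VULNERABLE = [("lt", "23.0.0.205")]
# Installed versions and slots from the equery output in comment 1.
INSTALLED = [("11.2.202.643", "0"), ("23.0.0.205", "22")]
# Constructed: what an added lower-slot unaffected entry for .643 would do.
UPDATED_UNAFFECTED = UNAFFECTED + [("rge", "11.2.202.643")]

if __name__ == "__main__":
    print("as filed:  ", classify(INSTALLED, UNAFFECTED, VULNERABLE))
    print("with .643: ", classify(INSTALLED, UPDATED_UNAFFECTED, VULNERABLE))
```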