
Bug 692134

Summary: sys-apps/portage: glsa-check truncates CVE ids in listmode
Product: Gentoo Linux
Reporter: Georg Weiss <gentoo>
Component: Current packages
Assignee: Portage team <dev-portage>
Status: RESOLVED FIXED
Severity: normal
CC: jstein
Priority: Normal
Keywords: InVCS
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 691278

Description Georg Weiss 2019-08-14 12:56:47 UTC
When using -c|--cve to include CVE ids in the output and also using -l|--list to get a compressed view, the CVE ids are always truncated.
The code wrongly assumes that CVE ids are always 13 characters long, which isn't true (anymore?).

Reproducible: Always

Steps to Reproduce:
glsa-check --quiet --nocolor --cve --list affected


Actual Results:  
# example GLSA 201908-01
201908-01 [N] Binutils: Multiple vulnerabilities ( sys-devel/binutils ) CVE-2018-1037,CVE-2018-1037,CVE-2018-1053,CVE-2018-1053,CVE-2018-1264,CVE-2018-1269,CVE-2018-1269,CVE-2018-1269,CVE-2018-1270,CVE-2018-1303,CVE-2018-1993,CVE-2018-1993,CVE-2018-2000,CVE-2018-2065


Expected Results:  
201908-01 [N] Binutils: Multiple vulnerabilities ( sys-devel/binutils ) CVE-2018-10372,CVE-2018-10373,CVE-2018-10534,CVE-2018-10535,CVE-2018-12641,CVE-2018-12697,CVE-2018-12698,CVE-2018-12699,CVE-2018-12700,CVE-2018-13033,CVE-2018-19931,CVE-2018-19932,CVE-2018-20002,CVE-2018-20651


# glsa-check --version
glsa-check (0.4.2-r1)
Author: Marius Mauch <genone@gentoo.org>
This program is licensed under the GPL, version 2

Proposed patch:
--- glsa-check  2019-08-14 14:52:11.331584490 +0200
+++ glsa-check.new      2019-08-14 14:50:46.462188447 +0200
@@ -252,7 +252,7 @@

                fd1.write(")")
                if list_cve:
-                       fd1.write(" "+(",".join([r[:13] for r in myglsa.references if r[:4] in ["CAN-", "CVE-"]])))
+                       fd1.write(" "+(",".join([r.partition(':')[0] for r in myglsa.references if r[:4] in ["CAN-", "CVE-"]])))
                fd1.write("\n")
        return 0
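Review bot: the `r.partition(':')[0]` on the `+` line replaces one format assumption with another: it presumes every reference is written as `<id>:<description>`, and if no colon is present `partition()` returns the whole string, so an id followed by a space-separated description would be emitted with that description attached. Since the only defect is the fixed `r[:13]` slice, either write `r` unchanged or anchor on the id syntax itself (`r.split()[0]`, or a regex such as `(CAN|CVE)-[\d-]+`), which makes the output independent of how the reference text is delimited. Note also that the `r[:4] in ["CAN-", "CVE-"]` filter retained on the same line still rejects any reference with leading whitespace; a regex search would tolerate that as well.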
Comment 1 Zac Medico gentoo-dev 2019-08-19 01:46:32 UTC
(In reply to Georg Weiss from comment #0)
> propossed patch:
> --- glsa-check  2019-08-14 14:52:11.331584490 +0200
> +++ glsa-check.new      2019-08-14 14:50:46.462188447 +0200
> @@ -252,7 +252,7 @@
> 
>                 fd1.write(")")
>                 if list_cve:
> -                       fd1.write(" "+(",".join([r[:13] for r in
> myglsa.references if r[:4] in ["CAN-", "CVE-"]])))
> +                       fd1.write(" "+(",".join([r.partition(':')[0] for r
> in myglsa.references if r[:4] in ["CAN-", "CVE-"]])))
>                 fd1.write("\n")
>         return 0

I don't see any references that contain a colon, so maybe we should simply use the full reference string here, or possibly use r.split()[0] instead.
Comment 2 Zac Medico gentoo-dev 2019-08-19 05:49:52 UTC
glsa-check is included with >=sys-apps/portage-2.3.72 (bug 463952).
Comment 3 Zac Medico gentoo-dev 2019-08-31 21:56:29 UTC
If we use a regular expression like this then we really don't need a separator:

> >>> import re
> >>> re.search(r'(CAN|CVE)-[\d-]+', '  CVE-2018-10534  ')
> <_sre.SRE_Match object; span=(2, 16), match='CVE-2018-10534'>
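To make the difference between the fixed 13-character slice and the regex approach concrete, here is an added, stand-alone example (not code from glsa-check or from this bug's commit). The reference strings are constructed for the example, and the pattern used is deliberately tighter than the one in comment 3 (`(CAN|CVE)-[\d-]+`): it requires a four-digit year and a sequence number of at least four digits, which is the published CVE id syntax, so a stray trailing hyphen cannot be swallowed into the id.

```python
import re

# Constructed sample of GLSA reference strings. In glsa-check these come
# from myglsa.references; here they are made up to cover the edge cases:
# five-, six- and seven-digit sequence numbers, an old CAN- id, a non-CVE
# reference that must be skipped, and an id with surrounding whitespace.
SAMPLE_REFERENCES = [
    "CVE-2018-10372",
    "CVE-2018-10373",        # collides with the one above once cut to 13 chars
    "CVE-2018-10534",
    "CAN-2004-0001",         # 13 characters: the only shape r[:13] handled
    "CVE-2019-1010180",      # seven-digit sequence number
    "GLSA-201908-01",        # not a CVE/CAN id, must not appear in output
    "  CVE-2018-12641  ",    # whitespace around the id
]

# Assumed pattern (stricter than comment 3): CAN-/CVE-, a 4-digit year,
# then a sequence number of at least four digits.
CVE_ID_RE = re.compile(r"(?:CAN|CVE)-\d{4}-\d{4,}")


def truncated_cve_ids(references):
    """Pre-fix behaviour of glsa-check's list mode, kept here for contrast:
    a prefix filter plus a hard 13-character slice."""
    return [r[:13] for r in references if r[:4] in ("CAN-", "CVE-")]


def cve_ids(references):
    """Fixed behaviour: locate the id with a regex, whatever its length
    and wherever it sits inside the reference string."""
    found = []
    for ref in references:
        match = CVE_ID_RE.search(ref)
        if match:
            found.append(match.group(0))
    return found


def list_mode_suffix(references):
    """The comma-joined id list that list mode appends after the package
    list, built from the regex-extracted ids."""
    return ",".join(cve_ids(references))


def truncation_collisions(references):
    """Distinct ids that become indistinguishable after the 13-char slice.
    This is where the duplicated 'CVE-2018-1037' in the bug output comes from."""
    by_prefix = {}
    for full in cve_ids(references):
        by_prefix.setdefault(full[:13], set()).add(full)
    return {k: sorted(v) for k, v in by_prefix.items() if len(v) > 1}


if __name__ == "__main__":
    print("truncated:", ",".join(truncated_cve_ids(SAMPLE_REFERENCES)))
    print("regex:    ", list_mode_suffix(SAMPLE_REFERENCES))
    print("collisions:", truncation_collisions(SAMPLE_REFERENCES))
```

Running it shows the two failure modes visible in the bug report side by side: the slice both shortens ids and merges distinct ones (two different 2018 ids both print as `CVE-2018-1037`), while the prefix filter silently drops the whitespace-padded id; the regex version returns every id intact and unchanged by surrounding text.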
Comment 5 Larry the Git Cow gentoo-dev 2019-09-01 18:26:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=ea1e8468c971e99dc317c3f2e8d8242366ffb426

commit ea1e8468c971e99dc317c3f2e8d8242366ffb426
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2019-09-01 03:54:54 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2019-09-01 17:56:20 +0000

    glsa-check: fix truncated CVE ids in listmode (bug 692134)
    
    Use a regular expression to search for CVE ids in GLSA references.
    Import unicode_literals from __future__ since portage's Glsa class
    returns unicode strings for all python versions.
    
    Reported-by: Georg Weiss <gentoo@georgweiss.de>
    Bug: https://bugs.gentoo.org/692134
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 bin/glsa-check | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2019-09-01 21:20:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc1ee19f135a3446d16deac8f783472b464e3a2e

commit fc1ee19f135a3446d16deac8f783472b464e3a2e
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2019-09-01 21:12:24 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2019-09-01 21:20:36 +0000

    sys-apps/portage: Bump to version 2.3.75
    
     #235970 glsa-check: add --reverse option
     #692134 glsa-check: fix truncated CVE ids in listmode
     #692746 missed virtual/libmysqlclient update
     #693242 premature backtracking termination
    
    Bug: https://bugs.gentoo.org/691278
    Bug: https://bugs.gentoo.org/235970
    Bug: https://bugs.gentoo.org/692134
    Bug: https://bugs.gentoo.org/692746
    Bug: https://bugs.gentoo.org/693242
    Package-Manager: Portage-2.3.75, Repoman-2.3.17
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/portage/Manifest              |   1 +
 sys-apps/portage/portage-2.3.75.ebuild | 261 +++++++++++++++++++++++++++++++++
 2 files changed, 262 insertions(+)