| Summary: | GLSA 200412-16 remains open, though up-to-date versions of kde have been installed | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Richard Hartmann <rick4711> |
| Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | normal | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | x86 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
You can watch the same behaviour for the following KDE related GLSAs: 200410-30 [N] GPdf, KPDF, KOffice: Vulnerabilities in included xpdf ( app-text/gpdf kde-base/kdegraphics app-office/koffice ) 200412-16 [N] kdelibs, kdebase: Multiple vulnerabilities ( kde-base/kdelibs kde-base/kdebase ) 200412-17 [N] kfax: Multiple overflows in the included TIFF library ( kde-base/kdegraphics ) 200408-13 [N] kdebase, kdelibs: Multiple security issues ( kde-base/kdelibs kde-base/kdebase ) 200408-23 [N] kdelibs: Cross-domain cookie injection vulnerability ( kde-base/kdelibs ) 200501-16 [N] Konqueror: Java sandbox vulnerabilities ( kde-base/kdelibs ) 200501-17 [N] KPdf, KOffice: More vulnerabilities in included Xpdf ( kde-base/kdegraphics app-office/koffice ) 200501-18 [N] KDE FTP KIOslave: Command injection ( kde-base/kdelibs ) 200405-11 [N] KDE URI Handler Vulnerabilities ( kde-base/kdelibs ) I can not recreate this. Are you sure you didn't forget to unmerge old KDE versions? equery list | egrep 'kde.*3\.2\.0' | xargs emerge -Cv You might need to change the kde version and remember to check wich packages are unmerged. As you can see
* kde-base/kdelibs :
[ I] 3.2.0 (3.2)
[ I] 3.3.2-r2 (3.3)
* kde-base/kdebase :
[ I] 3.2.0 (3.2)
[ I] 3.3.2-r1 (3.3)
the old versions are still installed and I don't plan to uninstall the old KDE version 3.2.0 right soon as I don't want to loose the old settings.
I had hoped, that GLSA-check would recognize, that the new KDE packages are installed. Obviously it finds the old packages first and thinks, that the
security flaws are still open.
3.2.0 is vulnerable so I don't see this as any error in the GLSA. After reading "glsa-check is not SLOT-aware. This might result in false positives. Please check your system for old versions that are in a different SLOT" under http://www.gentoo.org/proj/en/portage/glsa-integration.xml I have to admit that you are right. Sorry for wasting your time. |
I have manually upgraded "kdelibs" and "kdebase" to the recent stable versions. Before I had been running version 3.2.0 of both packages. * kde-base/kdelibs : [ I] 3.2.0 (3.2) [ I] 3.3.2-r2 (3.3) * kde-base/kdebase : [ I] 3.2.0 (3.2) [ I] 3.3.2-r1 (3.3) In the effect the GLSA 200412-16 should now be closed. Unfortunately "glsa-check -p 200412-16" does not recognize, that the GLSA is closed. Reproducible: Didn't try Steps to Reproduce: 1. 2. 3. Actual Results: Checking GLSA 200412-16 The following updates will be performed for this GLSA: kde-base/kdelibs-3.2.3-r5 (3.2.0) kde-base/kdebase-3.2.3-r3 (3.2.0) Expected Results: "glsa-check" should see, that the GLSA 200412-16 is closed, as recent versions of "kdebase" and "kdelibs" are installed and not try to install older versions of the installed packages. Portage 2.0.51-r14 (default-linux/x86/2004.0, gcc-3.3.2, glibc-2.3.4.20040808-r1, 2.4.26-gentoo-r13 i686) ================================================================= System uname: 2.4.26-gentoo-r13 i686 Pentium III (Katmai) Gentoo Base System version 1.4.3.13 Python: dev-lang/python-2.3.3 [2.3.3 (#1, Jun 23 2004, 23:14:51)] dev-lang/python: 2.3.3 sys-devel/autoconf: 2.59-r5 sys-devel/automake: 1.8.5-r1 sys-devel/binutils: 2.14.90.0.7-r4 sys-devel/libtool: 1.4.3-r3 virtual/os-headers: 2.4.21 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d" CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms" GENTOO_MIRRORS="http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage/" USE="x86 X apm arts avi berkdb bitmap-fonts bonobo cdr crypt cups encode esd f77 fam flac font-server foomaticdb fortran gdbm gif gnome gpm gtk gtk2 gtkhtml guile imlib ipv6 java jpeg junit kde ldap libg++ libwww mad mikmod mmx motif mozilla mpeg mysql ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sdl slang spell sse ssl svga tcltk tcpd tiff truetype truetype-fonts type1-fonts xml xml2 xmms xv zlib linguas_de" Unset: ASFLAGS, CBUILD, CTARGET, LDFLAGS, PORTDIR_OVERLAY