Summary: | glsamaker sometimes generates invalid XML (Was: Syntax error in glsa-202208-21.xml means it will never fire) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hank Leininger <hlein> |
Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | | |
Severity: | normal | CC: | dev-portage, sam |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
See Also: | https://github.com/gentoo/portage/pull/958 https://bugs.gentoo.org/show_bug.cgi?id=905660 | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 884397 | | |
Bug Blocks: | 772272, 880543 | | |

Description
Hank Leininger
2022-11-24 17:17:35 UTC
Thanks for noticing!

So, we have two obvious things to do here: fix the GLSA, fix glsamaker to not emit this kind of string.

But also, why isn't Portage validating that string or erroring on it?

Just pushed:

commit be9dce898af341b1581822048910cec753530cb0
Author: John Helmert III <ajak@gentoo.org>
Date: Thu Nov 24 18:01:54 2022 -0600

[ GLSA 202208-21 ] fix arch list syntax

Signed-off-by: John Helmert III <ajak@gentoo.org>

(In reply to John Helmert III from comment #1)
> Thanks for noticing!

Pure chance =) I went looking at how arch= is specified in existing GLSAs, for https://bugs.gentoo.org/880543#c6

> So, we have two obvious things to do here: fix the GLSA, fix glsamaker to
> not emit this kind of string.
>
> But also, why isn't Portage validating that string or erroring on it?

FWIW, I wondered about that, and did some spelunking. In https://github.com/gentoo/glsamaker/commit/30c1aa6d94c189d4ee19603f1dba6e9b3be846c7 for example, you can see validator regexes that do seem like they would have caught a comma-separated arch list.

But... that's the old Ruby implementation. That was replaced with a big commit rewriting in Golang here: https://github.com/gentoo/glsamaker/commit/35a41e63ebd5f6cf9d17419c150eb53a005d2e87 (maybe there's incremental patches when that was developed, elsewhere), and I can't see any sign of validators in the current version of glsamaker.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=6bb6452ee8c1cee1ee5de506f78b12336e89cb32

commit 6bb6452ee8c1cee1ee5de506f78b12336e89cb32
Author: Sam James <sam@gentoo.org>
AuthorDate: 2022-12-05 05:05:48 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-12-10 00:21:05 +0000

glsa: abort on incorrect arch delimiter

Bug: https://bugs.gentoo.org/882797
Closes: https://github.com/gentoo/portage/pull/958
Signed-off-by: Sam James <sam@gentoo.org>

NEWS | 6 +-
lib/portage/glsa.py | 12 +++-
lib/portage/tests/glsa/test_security_set.py | 105 +++++++++++++++++++++++++---
3 files changed, 109 insertions(+), 14 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=84b50e99241623bf5557cea8e00a8178b9f01e14

commit 84b50e99241623bf5557cea8e00a8178b9f01e14
Author: Sam James <sam@gentoo.org>
AuthorDate: 2022-12-26 07:16:56 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-12-26 07:17:16 +0000

sys-apps/portage: add 3.0.42

Bug: https://bugs.gentoo.org/881383
Bug: https://bugs.gentoo.org/882797
Closes: https://bugs.gentoo.org/884397
Closes: https://bugs.gentoo.org/884135
Closes: https://bugs.gentoo.org/884285
Closes: https://bugs.gentoo.org/887025
Signed-off-by: Sam James <sam@gentoo.org>

sys-apps/portage/Manifest | 1 +
sys-apps/portage/portage-3.0.42.ebuild | 283 +++++++++++++++++++++++++++++++++
2 files changed, 284 insertions(+)

Okay, so the only thing left here is to fix glsamaker itself.
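
A sketch of the kind of pre-publication check discussed in this thread, added here as an example; it is not code from glsamaker or Portage. It assumes that `arch` values are whitespace-separated tokens or `*`, that packages appear as `<package>` elements with `name` and `arch` attributes, and all function names and the sample advisory are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the real glsa-202208-21.xml: one package entry with a
# comma-separated arch list (the defect class from this bug) and two valid ones.
SAMPLE_GLSA = """<glsa id="000000-00">
  <affected>
    <package name="app-misc/example-a" auto="yes" arch="amd64,x86"/>
    <package name="app-misc/example-b" auto="yes" arch="amd64 x86"/>
    <package name="app-misc/example-c" auto="yes" arch="*"/>
  </affected>
</glsa>"""


class GlsaArchError(ValueError):
    """Raised when an arch attribute uses a delimiter other than whitespace."""


def parse_arch(value):
    """Return the arch tokens of one <package arch="..."> value, or raise."""
    tokens = value.split()
    if not tokens:
        raise GlsaArchError("empty arch attribute")
    for token in tokens:
        # Assumption: tokens are "*" or keyword-like names (letters, digits, - _).
        if token != "*" and not token.replace("-", "").replace("_", "").isalnum():
            raise GlsaArchError(f"bad arch token {token!r} in {value!r}")
    return tokens


def applies_to(tokens, system_arch):
    """Simplified token-wise match: an unsplit 'amd64,x86' token matches no arch."""
    return "*" in tokens or system_arch in tokens


def lint_glsa(xml_text):
    """Return (package name, error) pairs for every malformed arch attribute."""
    problems = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        try:
            parse_arch(pkg.get("arch", ""))
        except GlsaArchError as exc:
            problems.append((pkg.get("name"), str(exc)))
    return problems


if __name__ == "__main__":
    for name, error in lint_glsa(SAMPLE_GLSA):
        print(f"{name}: {error}")
```

Running the same check in the advisory generator and in the consumer means a malformed delimiter is rejected at publication time instead of producing an advisory that silently matches no system.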