glsa-check told me that I was affected by 200503-08. As I had already applied 200502-07 (x11-libs/openmotif-2.1.30-r9), this is in my opinion a false alarm. As the GLSA itself says:

[cut]
GLSA 200503-08: OpenMotif, LessTif: New libXpm buffer overflows
============================================================================
Synopsis: A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.
Affected package: x11-libs/openmotif
Affected archs: All
Vulnerable: <2.2.3-r3
Unaffected: >=2.2.3-r3 >=~2.1.30-r9
[cut]

Reproducible: Didn't try

Steps to Reproduce:
1. glsa-check -f 200502-07
2. glsa-check -l

It says that I am affected by GLSA 200503-08.

Actual Results: It should not have complained about GLSA 200503-08, as GLSA 200502-07 fixed the problem and the version that was installed is itself not affected by GLSA 200503-08.

Expected Results: It shouldn't have told me that I was affected by GLSA 200503-08.
Portage 2.0.51.22-r3 (default-linux/x86/2005.0/2.4, gcc-3.3.2, glibc-2.3.4.20040808-r1, 2.6.11-gentoo-r4 i686)
=================================================================
System uname: 2.6.11-gentoo-r4 i686 Pentium III (Katmai)
Gentoo Base System version 1.4.16
ccache version 2.3 [enabled]
dev-lang/python: 2.3.4-r1
sys-apps/sandbox: 1.2.11
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.14.90.0.8-r3
sys-devel/libtool: 1.4.3-r3
virtual/os-headers: 2.4.22-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp6.uni-muenster.de/pub/linux/distributions/gentoo"
LC_ALL="de_DE@euro"
LINGUAS="de"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="x86 X alsa apm arts avi bash-completion berkdb bitmap-fonts bonobo cdr crypt cups curl eds emboss encode esd fam flac foomaticdb fortran gd gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml guile imlib ipv6 java jpeg junit kde ldap libg++ libwww mad mikmod mmx motif mp3 mpeg ncurses nls ogg oggvorbis opengloss pam pdflib perl png python qt quicktime readline sdl slang spell sse ssl svga tcltk tcpd tiff truetype truetype-fonts type1-fonts vorbis xine xml xml2xmms xv zlib linguas_de userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LDFLAGS, MAKEOPTS
Are you sure you don't have an old version installed? Try emerge unmerge -pv openmotif.
Oh, you are right. But why hasn't "openmotif-2.1.30-r4" been removed, after "openmotif-2.1.30-r9" was installed?
We leave it up to the maintainer to keep/delete affected versions.
Ok, thanks. Shall I reopen the "bug" or could you forward my request to the responsible maintainer? (lanius?)
Reopening for maintainer.
Heinrich, this one is for you.
motif-config declares x11-libs/openmotif-2.1.30-r4 as a blocker, so I don't know why it's left on your system. It has to be a Portage bug.
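
An added example, not part of the thread and not glsa-check's own code: it evaluates the Vulnerable/Unaffected ranges quoted in the report against every installed version, which shows why a leftover 2.1.30-r4 keeps the GLSA flagged even with 2.1.30-r9 installed. It assumes that "~" in a range restricts the comparison to revisions of the same base version, and it uses a simplified version comparison (dotted numbers plus -rN only).

```python
import re

# Ranges copied from the GLSA 200503-08 text quoted in the report.
VULNERABLE = ["<2.2.3-r3"]
UNAFFECTED = [">=2.2.3-r3", ">=~2.1.30-r9"]


def parse(ver):
    """Split '2.1.30-r9' into ((2, 1, 30), 9); a missing revision counts as r0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def matches(ver, spec):
    """True if ver satisfies a range such as '<2.2.3-r3' or '>=~2.1.30-r9'."""
    m = re.fullmatch(r"(<=|>=|<|>|=)(~?)(.+)", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec!r}")
    op, rev_only, target = m.groups()
    base, rev = parse(ver)
    tbase, trev = parse(target)
    if rev_only:
        # Assumption: '~' compares revisions only, within the same base version.
        if base != tbase:
            return False
        a, b = rev, trev
    else:
        a, b = (base, rev), (tbase, trev)
    return {"<": a < b, "<=": a <= b, "=": a == b, ">=": a >= b, ">": a > b}[op]


def is_affected(ver):
    """A version is affected if it is in a vulnerable range and in no unaffected one."""
    return (any(matches(ver, s) for s in VULNERABLE)
            and not any(matches(ver, s) for s in UNAFFECTED))


def affected_versions(installed):
    """Return every installed version that still triggers the advisory."""
    return [v for v in installed if is_affected(v)]


if __name__ == "__main__":
    # Constructed input: the two versions the thread says were installed side by side.
    print(affected_versions(["2.1.30-r4", "2.1.30-r9"]))
```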