Bug 145104 - glsa 200605-08 false positives
Summary: glsa 200605-08 false positives
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Duplicates: 146231
Depends on:
Blocks:
 
Reported: 2006-08-25 13:18 UTC by Ian Stakenvicius
Modified: 2007-05-15 08:31 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Ian Stakenvicius 2006-08-25 13:18:46 UTC
As per my comments in bug 133524, please update GLSA 200605-08 with slotted wrappers:

--- old/glsa-200605-08.xml       2006-07-30 15:37:02.000000000 -0400
+++ glsa-200605-08.xml  2006-08-25 16:11:43.000000000 -0400
@@ -20,13 +20,17 @@
   <affected>
     <package name="dev-lang/php" auto="yes" arch="arm hppa ppc s390 sh sparc x86 x86-fbsd">
       <unaffected range="ge">5.1.4</unaffected>
-      <unaffected range="rge">4.4.2-r2</unaffected>
       <vulnerable range="lt">5.1.4</vulnerable>
+      <vulnerable range="ge">5.0</vulnerable>
+      <unaffected range="ge">4.4.2-r2</unaffected>
+      <vulnerable range="lt">4.4.2-r2</vulnerable>
     </package>
     <package name="dev-lang/php" auto="yes" arch="alpha amd64 ia64 ppc64">
       <unaffected range="ge">5.1.4-r4</unaffected>
-      <unaffected range="rge">4.4.2-r6</unaffected>
       <vulnerable range="lt">5.1.4-r4</vulnerable>
+      <vulnerable range="ge">5.0</vulnerable>
+      <unaffected range="ge">4.4.2-r6</unaffected>
+      <vulnerable range="lt">4.4.2-r6</vulnerable>
     </package>
   </affected>
   <background>
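Review bot: the new `<unaffected range="ge">4.4.2-r2</unaffected>` is broader than the `rge` line it replaces. Without a slot restriction it also matches 5.0 through 5.1.3, exactly the versions the added `<vulnerable range="ge">5.0</vulnerable>` / `<vulnerable range="lt">5.1.4</vulnerable>` pair is meant to keep flagged, so if glsa-check treats a version that matches any unaffected range as not vulnerable, those 5.x versions silently drop out of the report. The alpha/amd64/ia64/ppc64 block has the same pattern with 4.4.2-r6. Either keep the `rge` entries (one per 4.4.x base version) or tie the 4.x ranges to their slot, if the GLSA format in use supports a slot attribute on the range elements.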
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-08-29 11:55:24 UTC
PHP team, is php-4.4.3-r1 patched wrt this, or is it vulnerable? Thanks
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-08-29 12:06:00 UTC
Should be fixed in cvs, thank you
Comment 3 Ian Stakenvicius 2006-08-31 09:54:42 UTC
Fixed for x86, but could you add the unaffected section to alpha/amd64/ia64/ppc64?
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-02 04:01:18 UTC
Thx for the notification. It's fixed in CVS now.
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2006-09-04 02:12:46 UTC
*** Bug 146231 has been marked as a duplicate of this bug. ***
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-05 02:18:03 UTC
Reopening, glsa-check still marks 4.4.3-r1 as vulnerable, at least on amd64. Perhaps glsa-check is not happy with the "more complex than usual" arch section?
Comment 7 Lorand Kelemen 2006-09-05 02:54:59 UTC
I can test and provide info if needed.
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-09-07 11:52:12 UTC
(In reply to comment #7)
> I can test and provide info if needed.
> 

It's our fault. If we merge:

    <package name="dev-lang/php" auto="yes" arch="arm hppa ppc s390 sh sparc x86 x86-fbsd">
      <unaffected range="ge">FOO</unaffected>
    </package>
    <package name="dev-lang/php" auto="yes" arch="alpha amd64 ia64 ppc64">
      <unaffected range="rge">FOO</unaffected>
    </package>

in one single entry:

    <package name="dev-lang/php" auto="yes" arch="*">
      <unaffected range="rge">4.4.3-r1</unaffected>
    </package>


whereas there are still arch entries elsewhere, glsa-check seems not happy.

I've just corrected this in CVS. Please reopen if glsa-check still complains.

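The thread turns on how glsa-check evaluates a GLSA's version ranges: a plain `rge` entry only covers one base version (4.4.2-r2, 4.4.2-r3, ...), so every later 4.4.x release such as 4.4.3-r1 lands back in `lt 5.1.4` and is reported again, while an unslotted `ge` entry is broad enough to swallow the 5.x versions too. The following model is an added example written for this page, not code from gentoolkit or glsa-check. It assumes the rule that an installed version is reported when it falls in some vulnerable range and in no unaffected range, implements only the dotted numeric versions seen in this bug, and treats the `slot` field of `Range` as a hypothetical extension (the slotted ruleset is the shape comment 9 asks about, not a format the thread shows). It runs the description's original `rge` entry, the patch's `ge`/`lt` rewrite, and a slot-qualified form over the same constructed set of installed versions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed parser for the dotted numeric versions used in this bug
# ("4.4.2-r2", "5.1.4-r4", "5.0"); it does not cover the full Gentoo
# version grammar (letter suffixes, _pre/_rc/_p components).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split '4.4.2-r2' into ((4, 4, 2), 2); a missing -rN counts as revision 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    return base, int(m.group(2) or 0)


def compare(v1: str, v2: str) -> int:
    """Order two versions as -1, 0 or 1: the base version decides, the revision breaks ties."""
    b1, r1 = parse_version(v1)
    b2, r2 = parse_version(v2)
    if b1 != b2:
        return -1 if b1 < b2 else 1
    return (r1 > r2) - (r1 < r2)


@dataclass(frozen=True)
class Range:
    op: str                     # ge, gt, le, lt, eq, or the revision-only rge, rgt, rle, rlt
    version: str
    slot: Optional[str] = None  # hypothetical: None means the range applies in every slot

    def matches(self, version: str, slot: str) -> bool:
        if self.slot is not None and self.slot != slot:
            return False
        op = self.op
        if op.startswith("r"):
            # Revision-only operators compare within a single base version:
            # rge 4.4.2-r2 matches 4.4.2-r3 but never 4.4.3-r1.
            if parse_version(version)[0] != parse_version(self.version)[0]:
                return False
            op = op[1:]
        c = compare(version, self.version)
        return {"ge": c >= 0, "gt": c > 0, "le": c <= 0, "lt": c < 0, "eq": c == 0}[op]


def is_flagged(version: str, slot: str, vulnerable: List[Range], unaffected: List[Range]) -> bool:
    """Assumed glsa-check rule: report a version that matches some vulnerable
    range and no unaffected range."""
    return (any(r.matches(version, slot) for r in vulnerable)
            and not any(r.matches(version, slot) for r in unaffected))


# 1. The x86 entry before the patch (the '-' lines of the description).
ORIGINAL = {"vulnerable": [Range("lt", "5.1.4")],
            "unaffected": [Range("ge", "5.1.4"), Range("rge", "4.4.2-r2")]}
# 2. The patch's '+' lines: plain ge/lt pairs with no slot information.
PROPOSED = {"vulnerable": [Range("lt", "5.1.4"), Range("ge", "5.0"), Range("lt", "4.4.2-r2")],
            "unaffected": [Range("ge", "5.1.4"), Range("ge", "4.4.2-r2")]}
# 3. Hypothetical slot-qualified form: each pair is confined to its PHP slot.
SLOTTED = {"vulnerable": [Range("lt", "5.1.4", slot="5"), Range("lt", "4.4.2-r2", slot="4")],
           "unaffected": [Range("ge", "5.1.4", slot="5"), Range("ge", "4.4.2-r2", slot="4")]}

# Constructed installed set: (version, slot); 4.4.3-r1 is the false positive from comment 6.
INSTALLED = [("4.4.2-r1", "4"), ("4.4.2-r3", "4"), ("4.4.3-r1", "4"), ("5.1.3", "5"), ("5.1.4", "5")]


def evaluate(rules: Dict[str, List[Range]], installed=INSTALLED) -> Dict[str, bool]:
    """Map each installed version to whether the ruleset would report it."""
    return {v: is_flagged(v, s, rules["vulnerable"], rules["unaffected"]) for v, s in installed}


if __name__ == "__main__":
    for name, rules in (("original rge", ORIGINAL), ("patched ge/lt", PROPOSED), ("slotted", SLOTTED)):
        print(name)
        for version, flagged in evaluate(rules).items():
            print(f"  {version:10} {'FLAGGED' if flagged else 'ok'}")
```

Running it shows the three outcomes the thread describes: the `rge` ruleset reports 4.4.3-r1 although it is newer than the fixed 4.4.2-r2 (the false positive, and why every later 4.4.x release needs its own `rge` line); the patch's unslotted `ge 4.4.2-r2` stops reporting 4.4.3-r1 but also stops reporting 5.1.3, which is still below the 5.x fix; only the slot-confined pairs report exactly the versions below the fix in each slot.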
Comment 9 Ian Stakenvicius 2007-03-07 13:51:37 UTC
Reopening, due to php-4.4.6 getting flagged now (at least on amd64)

I'm assuming that this bug doesn't affect 4.4.6... Also GLSAs 200608-28 and 200610-14, I believe, are affected by this.

Remind me again why slotting the affected/unaffected ranges wouldn't be better than using 'rge's?
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-07 18:36:45 UTC
I *hope* that I fixed them all (correctly), thanks for reporting this.

note to self: push slotted GLSAs
Comment 11 Honza 2007-05-15 08:12:30 UTC
php-4.4.7 is flagged now... with four GLSAs:
200605-08 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
200608-28 [N] PHP: Arbitary code execution ( dev-lang/php )
200610-14 [N] PHP: Integer overflow ( dev-lang/php )
200703-21 [N] PHP: Multiple vulnerabilities ( dev-lang/php )

[I--] [  ] dev-lang/php-4.4.7 (4)
[I--] [  ] dev-lang/php-5.2.2-r1 (5)

Portage 2.1.2.2 (default-linux/x86/2007.0/desktop, gcc-3.3.6, glibc-2.3.6-r4, 2.6.14-gentoo-r2 i686)

... why can't I reopen this bug?
Comment 12 Jakub Moc (RETIRED) gentoo-dev 2007-05-15 08:19:45 UTC
Sigh...
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-15 08:31:45 UTC
Thanks for notifying us.

Fixed in CVS.

Now I just wish for better range support in glsa-check.