Bug 526628 - glsa-check gives false alarm GLSA 201408-11 for =dev-lang/php-5.4.34
Summary: glsa-check gives false alarm GLSA 201408-11 for =dev-lang/php-5.4.34
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2014-10-24 08:11 UTC by Tomáš Mózes
Modified: 2014-11-07 16:07 UTC (History)
CC List: 2 users

Runtime testing required: ---


Attachments
correct the range of affected versions for GLSA 201408-11 (file_526628.txt, 737 bytes, patch)
2014-11-03 16:32 UTC, Christian Burger

Description Tomáš Mózes 2014-10-24 08:11:10 UTC
Having dev-lang/php-5.4.34 installed, glsa-check warns:

201408-11 [N] [remote  ] PHP: Multiple vulnerabilities ( dev-lang/php-5.4.34 )

Tried with stable app-portage/gentoolkit-0.3.0.8-r2 and app-portage/gentoolkit-0.3.0.9-r1.

Portage 2.2.8-r2 (default/linux/amd64/13.0, gcc-4.7.3, glibc-2.19-r1, 3.14.17-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-3.14.17-gentoo-x86_64-Intel-R-_Xeon-R-_CPU_E5606_@_2.13GHz-with-gentoo-2.2
KiB Mem:     3000036 total,   1683056 free
KiB Swap:          0 total,         0 free
Timestamp of tree: Fri, 24 Oct 2014 03:45:01 +0000
ld GNU ld (Gentoo 2.23.2 p1.0) 2.23.2
app-shells/bash:          4.2_p53
dev-lang/perl:            5.18.2-r1
dev-lang/python:          2.7.7, 3.3.5-r1
dev-util/cmake:           2.8.12.2-r1
dev-util/pkgconfig:       0.28-r1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.69
sys-devel/automake:       1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc:           2.19-r1
Repositories: gentoo hydra
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-mtune=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-mtune=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://tux.rainside.sk/gentoo/ http://gentoo.wheel.sk/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/hydra"
USE="acl amd64 berkdb bindist bzip2 cli cracklib crypt cxx dri fortran gdbm iconv mmx modules multilib ncurses nls nptl openmp pam pcre readline session sse sse2 ssl tcpd unicode zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core authz_host dir mime unixd socache_shmcb log_config rewrite vhost_alias log_forensic proxy proxy_http deflate filter remoteip headers expires auth_basic authn_file authz_groupfile authz_owner authz_user" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-4" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

app-portage/gentoolkit-0.3.0.8-r2 was built with the following:
USE="" ABI_X86="64" PYTHON_TARGETS="python2_7 python3_3 -python3_2"

app-portage/gentoolkit-0.3.0.9-r1 was built with the following:
USE="" ABI_X86="64" PYTHON_TARGETS="python2_7 python3_3 -pypy -python3_2"
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-24 08:48:58 UTC
Please post your `emerge --info dev-lang/php; emerge -vpq dev-lang/php' output in a comment.
Comment 2 Tomáš Mózes 2014-10-24 08:54:36 UTC
# emerge --info dev-lang/php
dev-lang/php-5.4.34 was built with the following:
USE="apache2 bcmath berkdb bzip2 calendar cli crypt ctype curl fileinfo filter gdbm gmp hash iconv inifile intl json mhash mysql mysqli nls pdo phar posix readline session simplexml soap sockets ssl sysvipc tokenizer unicode xml xmlreader xmlwriter zip zlib -cdb -cgi -cjk -curlwrappers -debug -embed -enchant -exif (-firebird) -flatfile -fpm -ftp -gd -imap -iodbc -ipv6 -kerberos -ldap -ldap-sasl -libedit -mssql -mysqlnd -oci8-instant-client -odbc -pcntl -postgres -qdbm -recode (-selinux) -sharedmem -snmp -spell -sqlite (-sybase-ct) -systemd -threads -tidy -truetype -wddx -xmlrpc -xpm -xslt" ABI_X86="64"

# emerge -vpq dev-lang/php
[ebuild   R   ] dev-lang/php-5.4.34  USE="apache2 bcmath berkdb bzip2 calendar cli crypt ctype curl fileinfo filter gdbm gmp hash iconv inifile intl json mhash mysql mysqli nls pdo phar posix readline session simplexml soap sockets ssl sysvipc tokenizer unicode xml xmlreader xmlwriter zip zlib -cdb -cgi -cjk -curlwrappers -debug -embed -enchant -exif (-firebird) -flatfile -fpm -ftp -gd -imap -iodbc -ipv6 -kerberos -ldap -ldap-sasl -libedit -mssql -mysqlnd -oci8-instant-client -odbc -pcntl -postgres -qdbm -recode (-selinux) -sharedmem -snmp -spell -sqlite (-sybase-ct) -systemd -threads -tidy -truetype -wddx -xmlrpc -xpm -xslt"
Comment 3 Christian Burger 2014-11-03 16:29:44 UTC
I can confirm that.

'glsa-check' as well as 'cave report' seem to think the GLSA applies to 5.4.

The culprit seems to be the 'rge' instead of just an 'ge' here:

      <unaffected range="ge">5.5.16</unaffected>
      <unaffected range="rge">5.4.32</unaffected>
      <unaffected range="rge">5.3.29</unaffected>
      <vulnerable range="lt">5.5.16</vulnerable>

According to the documentation (see below), this limits the unaffected only to version 5.4 and 5.3. Don't know what the intention was, but I suspect a copy-and-paste accident here.

> handler for the special >~, >=~, <=~ and <~ atoms that are supposed to behave
> as > and < except that they are limited to the same version, the range only
> applies to the revision part.

I assume as soon as a version >5.3.29 appears, it will be marked accordingly. I will attach a patch, which removes the prefixed "r" and adds "lt" entries for slots 5.3 and 5.4 as well, just to be thorough.
Comment 4 Christian Burger 2014-11-03 16:32:31 UTC
Created attachment 388434 [details, diff]
correct the range of affected versions for GLSA 201408-11
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2014-11-04 00:28:49 UTC
I apologize for this taking so long. I have updated GLSA 201408-11 with the new, unaffected version. We should have a new GLSA released soon for bug 525960. Please re-sync and re-open this bug if you continue to have any glsa-check warnings on =dev-lang/php-5.4.34.
Comment 6 Tomáš Mózes 2014-11-04 06:35:13 UTC
Thanks, it works. However, is it correct this way?

    <package name="dev-lang/php" auto="yes" arch="*">
      <unaffected range="ge">5.5.16</unaffected>
      <unaffected range="rge">5.4.32</unaffected>
      <unaffected range="rge">5.3.29</unaffected>
      <unaffected range="rge">5.4.34</unaffected>
      <vulnerable range="lt">5.5.16</vulnerable>
    </package>
Comment 7 Christian Burger 2014-11-04 11:06:35 UTC
I have the same suspicion as Tomas. Set like this, we probably will re-open this bug or someone will make a new one as soon as some new version like 5.4.35 stabilizes in the Gentoo tree. This could go on forever.

Could you explain the reason behind doing it that way? The patch I supplied would probably work in the long term.

What am I missing?

PS: I just saw an oversight in my last comment; I meant to say:
> According to the documentation (see below), this limits the unaffected only to 
> version ~5.4.32 and ~5.3.29
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2014-11-06 09:15:32 UTC
(In reply to Christian Burger from comment #7)
> Could you explain the reason behind doing it that way? The patch I supplied
> would probably work in the long term. 

This is a long standing issue, see bug 106677 for more information.

Thanks for your patch, but I'm afraid it won't work like that. The ranges in your patch don't understand SLOTs, so just using 
  <unaffected range="ge">5.3.29</unaffected>
instead of 
  <unaffected range="rge">5.3.29</unaffected>
will also mark *any* 5.4 and 5.5 greater than or equal to 5.3.29 as unaffected.


Our workaround for now has always been to update the GLSA and add 'rge' entries for all new versions in SLOTs except the "highest" one, or update the GLSA with a version that's available in the Portage tree, depending on the case. Sean chose the latter here.
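The range semantics that comments 3 and 8 turn on can be checked in a few lines. The following is an added Python model, not gentoolkit's or Paludis's own code: it parses the `<package>` block from comment 6 and applies glsa-check's rule (a version is affected when a `<vulnerable>` range matches and no `<unaffected>` range does), with `rge` comparing only the `-rN` revision of an identical base version. The version parser is a deliberate simplification (dotted numbers plus an optional `-rN` only), and `PATCHED` is a constructed approximation of the patch from comment 3 (just the `rge` to `ge` change), since the attachment itself is not on this page.

```python
import re
import xml.etree.ElementTree as ET

def split_version(v):
    """'5.4.34-r2' -> ((5, 4, 34), 2); assumes dotted numbers plus optional -rN only."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError("unsupported version string: %s" % v)
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)

def matches(installed, range_type, target):
    """Does `installed` fall inside <... range="range_type">target</...>?
    Plain types (ge, lt, ...) compare the whole version. The r-prefixed types
    (rge, rlt, ...) never match a different base version and compare only -rN."""
    iv, ir = split_version(installed)
    tv, tr = split_version(target)
    if range_type.startswith("r"):
        if iv != tv:
            return False
        left, right, op = ir, tr, range_type[1:]
    else:
        left, right, op = (iv, ir), (tv, tr), range_type
    return {"ge": left >= right, "gt": left > right, "le": left <= right,
            "lt": left < right, "eq": left == right}[op]

def is_affected(installed, package_xml):
    """glsa-check's rule for one installed version: affected when some
    <vulnerable> range matches and no <unaffected> range matches."""
    pkg = ET.fromstring(package_xml)
    hit = lambda tag: any(matches(installed, e.get("range"), e.text.strip())
                          for e in pkg.findall(tag))
    return hit("vulnerable") and not hit("unaffected")

# The <package> block as it stood when the bug was filed (comment 3).
ORIGINAL = """<package name="dev-lang/php" auto="yes" arch="*">
  <unaffected range="ge">5.5.16</unaffected>
  <unaffected range="rge">5.4.32</unaffected>
  <unaffected range="rge">5.3.29</unaffected>
  <vulnerable range="lt">5.5.16</vulnerable>
</package>"""
# Sean's update (comment 6): one more rge entry for the newly stable 5.4.34.
FIXED = ORIGINAL.replace("</package>", '  <unaffected range="rge">5.4.34</unaffected>\n</package>')
# Constructed approximation of the comment 3 patch: drop the "r" prefix.
PATCHED = ORIGINAL.replace('range="rge"', 'range="ge"')

if __name__ == "__main__":
    for label, xml in (("original", ORIGINAL), ("fixed", FIXED), ("patched", PATCHED)):
        print(label, {v: is_affected(v, xml) for v in ("5.4.0", "5.4.32-r1", "5.4.34", "5.4.35")})
```

Running it shows the false alarm on 5.4.34 with ORIGINAL, its disappearance with FIXED (and its return for 5.4.35, as comment 7 predicts), and how PATCHED wrongly clears a vulnerable 5.4.0 because `ge 5.3.29` ignores SLOTs.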
Comment 9 Christian Burger 2014-11-07 16:07:09 UTC
(In reply to Tobias Heinlein from comment #8)

> This is a long standing issue, see bug 106677 for more information.

Ah, thank you for taking the time to quench my curiosity.

> Thanks for your patch, but I'm afraid it won't work like that. The ranges in
> your patch don't understand SLOTs, so just using
>   <unaffected range="ge">5.3.29</unaffected>
> instead of
>   <unaffected range="rge">5.3.29</unaffected>
> will also mark *any* 5.4 and 5.5 greater than or equal to 5.3.29 as
> unaffected.

This was my first assumption when I saw the "rge" parameter, but then I took a look around and found this in /usr/portage/metadata/glsa/glsa-201209-03.xml

      <unaffected range="ge">5.3.15</unaffected>
      <unaffected range="ge">5.4.5</unaffected>
      <vulnerable range="lt">5.3.15</vulnerable>
      <vulnerable range="lt">5.4.5</vulnerable>

thus I assumed a copy-n-paste error. So basically, in 201209-03 every 5.4.* is in the clear because of
      <unaffected range="ge">5.3.15</unaffected>
?
And this GLSA is incorrect -- though it doesn't hurt anymore?

While I was poking around in the Paludis code I saw a "slot" parameter for <unaffected/> and <vulnerable/>, but when I was trying it, 'cave report' warned me that it's not safe to use. Saw the code for handling "slot" in 'glsa-check', too.

Anyway, I will take any further opinion of mine over to #106677 -- should I come to one.