Bug 652874 - sys-apps/portage: glsa-check crashes on GLSA referring to non-existent atom
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Tools
Hardware: All Linux
Importance: Normal normal
Assignee: Portage team
Keywords: InVCS
Blocks: 691278
Reported: 2018-04-09 18:25 UTC by Daniel Pouzzner
Modified: 2019-11-02 00:32 UTC (History)
Description Daniel Pouzzner 2018-04-09 18:25:18 UTC
sync -a this morning brought in /usr/portage/metadata/glsa/glsa-201804-10.xml, which warns for dev-php/ZendFramework, which no longer exists in /usr/portage (which is fine and good).  glsa-check apparently can't cope with such a reference (see below).


Reproducible: Always

Steps to Reproduce:
1. emaint sync -a, creating metadata/glsa/glsa-201804-10.xml
2. emerge --ask --oneshot =app-portage/gentoolkit-0.4.0 =sys-apps/portage-2.3.24-r1
   or
   emerge --ask --oneshot =app-portage/gentoolkit-0.4.2-r1 =sys-apps/portage-2.3.28
3. glsa-check -t affected

Actual Results:  
with app-portage/gentoolkit-0.4.0 and sys-apps/portage-2.3.24-r1 (amd64 stable):

-* glsa-check -v -t affected
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.5/glsa-check", line 186, in <module>
    if myglsa.isVulnerable():
  File "/usr/lib64/python3.5/site-packages/gentoolkit/glsa/__init__.py", line 683, in isVulnerable
    or (None != getMinUpgrade([v,], path["unaff_atoms"]))
  File "/usr/lib64/python3.5/site-packages/gentoolkit/glsa/__init__.py", line 411, in getMinUpgrade
    u_installed = reduce(operator.add, [match(u, "vartree") for u in unaffectedList], [])
  File "/usr/lib64/python3.5/site-packages/gentoolkit/glsa/__init__.py", line 411, in <listcomp>
    u_installed = reduce(operator.add, [match(u, "vartree") for u in unaffectedList], [])
  File "/usr/lib64/python3.5/site-packages/gentoolkit/glsa/__init__.py", line 347, in match
    return db.match(atom)
  File "/usr/lib64/python3.5/site-packages/portage/dbapi/vartree.py", line 575, in match
    origdep, mydb=self, use_cache=use_cache, settings=self.settings)
  File "/usr/lib64/python3.5/site-packages/portage/dbapi/dep_expand.py", line 35, in dep_expand
    mydep = Atom(mydep, allow_repo=True)
  File "/usr/lib64/python3.5/site-packages/portage/dep/__init__.py", line 1270, in __init__
    raise InvalidAtom(self)
portage.exception.InvalidAtom: >=dev-php/ZendFramework-


with app-portage/gentoolkit-0.4.2-r1 and sys-apps/portage-2.3.28 (~amd64):

-* glsa-check -v -t affected
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.5/glsa-check", line 186, in <module>
    if myglsa.isVulnerable():
  File "/usr/lib64/python3.5/site-packages/gentoolkit/glsa/__init__.py", line 683, in isVulnerable
    or (None != getMinUpgrade([v,], path["unaff_atoms"]))
  File "/usr/lib64/python3.5/site-packages/gentoolkit/glsa/__init__.py", line 411, in getMinUpgrade
    u_installed = reduce(operator.add, [match(u, "vartree") for u in unaffectedList], [])
  File "/usr/lib64/python3.5/site-packages/gentoolkit/glsa/__init__.py", line 411, in <listcomp>
    u_installed = reduce(operator.add, [match(u, "vartree") for u in unaffectedList], [])
  File "/usr/lib64/python3.5/site-packages/gentoolkit/glsa/__init__.py", line 347, in match
    return db.match(atom)
  File "/usr/lib64/python3.5/site-packages/portage/dbapi/vartree.py", line 576, in match
    origdep, mydb=self, use_cache=use_cache, settings=self.settings)
  File "/usr/lib64/python3.5/site-packages/portage/dbapi/dep_expand.py", line 35, in dep_expand
    mydep = Atom(mydep, allow_repo=True)
  File "/usr/lib64/python3.5/site-packages/portage/dep/__init__.py", line 1273, in __init__
    raise InvalidAtom(self)
portage.exception.InvalidAtom: >=dev-php/ZendFramework-


Expected Results:  
-* glsa-check -v -t affected
This system is not affected by any of the listed GLSAs


Expected result achieved by first doing

mv /usr/portage/metadata/glsa/glsa-201804-10.xml /usr/portage/metadata/glsa/glsa-201804-10.xml.hold
Comment 1 Zac Medico gentoo-dev 2018-04-09 19:34:13 UTC
I can reproduce the problem by reverting this fix:

https://gitweb.gentoo.org/data/glsa.git/commit/?id=6d341a6c00fd52a41ddaf7e932d941b6c7f9bf88
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-09 19:35:45 UTC
(In reply to Daniel Pouzzner from comment #0)

The issue is fixed by the commit zmedico is referring to.  Please resync and let us know if you continue to have issues.
Comment 3 Daniel Pouzzner 2018-04-09 19:41:19 UTC
Yup, fixed.  Thanks!
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-09 19:54:43 UTC
My apologies.  Zac intends to look into this.  He has reported that Portage's glsa-check does not encounter the error (possibly silently ignoring it), but gentoolkit glsa-check does.
Comment 5 Daniel Pouzzner 2018-04-09 20:01:59 UTC
Yeah that makes sense.  I didn't realize there were two of them (dubious in itself).  Confirmed that behavior:

-* ls -l /usr/lib/portage/python3.5/glsa-check /usr/lib/python-exec/python3.5/glsa-check
-rwxr-xr-x 1 root root 11682 Apr  9 13:16 /usr/lib/portage/python3.5/glsa-check
-rwxr-xr-x 1 root root 13358 Apr  9 12:44 /usr/lib/python-exec/python3.5/glsa-check
-* /usr/lib/portage/python3.5/glsa-check -v -t affected
This system is not affected by any of the listed GLSAs
-* /usr/lib/python-exec/python3.5/glsa-check -v -t affected
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.5/glsa-check", line 186, in <module>
    if myglsa.isVulnerable():
  File "/usr/lib64/python3.5/site-packages/gentoolkit/glsa/__init__.py", line 683, in isVulnerable
    or (None != getMinUpgrade([v,], path["unaff_atoms"]))
  File "/usr/lib64/python3.5/site-packages/gentoolkit/glsa/__init__.py", line 411, in getMinUpgrade
    u_installed = reduce(operator.add, [match(u, "vartree") for u in unaffectedList], [])
  File "/usr/lib64/python3.5/site-packages/gentoolkit/glsa/__init__.py", line 411, in <listcomp>
    u_installed = reduce(operator.add, [match(u, "vartree") for u in unaffectedList], [])
  File "/usr/lib64/python3.5/site-packages/gentoolkit/glsa/__init__.py", line 347, in match
    return db.match(atom)
  File "/usr/lib64/python3.5/site-packages/portage/dbapi/vartree.py", line 576, in match
    origdep, mydb=self, use_cache=use_cache, settings=self.settings)
  File "/usr/lib64/python3.5/site-packages/portage/dbapi/dep_expand.py", line 35, in dep_expand
    mydep = Atom(mydep, allow_repo=True)
  File "/usr/lib64/python3.5/site-packages/portage/dep/__init__.py", line 1273, in __init__
    raise InvalidAtom(self)
portage.exception.InvalidAtom: >=dev-php/ZendFramework-
Comment 6 Zac Medico gentoo-dev 2018-04-09 20:48:22 UTC
(In reply to Daniel Pouzzner from comment #5)
> Yeah that makes sense.  I didn't realize there were two of them (dubious in
> itself).  Confirmed that behavior:
> 
> -* ls -l /usr/lib/portage/python3.5/glsa-check
> /usr/lib/python-exec/python3.5/glsa-check
> -rwxr-xr-x 1 root root 11682 Apr  9 13:16
> /usr/lib/portage/python3.5/glsa-check
> -rwxr-xr-x 1 root root 13358 Apr  9 12:44
> /usr/lib/python-exec/python3.5/glsa-check
> -* /usr/lib/portage/python3.5/glsa-check -v -t affected

That's interesting because I'm not seeing the error here with portage, as though it's being silently ignored, so I need to look into it some more.
Comment 7 Daniel Pouzzner 2018-04-09 21:05:10 UTC
bugzilla swallowed the linebreaks, so you may have missed my confirmation that indeed the Portage edition of the script works right, with the same GLSA database that crashes gentoolkit glsa-check:
.
-* /usr/lib/portage/python3.5/glsa-check -v -t affected
This system is not affected by any of the listed GLSAs
.
If you look at the source for the Portage and gentoolkit editions of glsa-check, they obviously have a common origin, but have been evolving independently for some time.  This is clearly not good, but someone will need to take the time to cross-port gentoolkit glsa-check's unique capabilities to the Portage edition before the gentoolkit one can be EOL'd.

FWIW the only command line switch I could identify as unique to gentoolkit was --quiet.  Maybe this will be easy?
Comment 8 Daniel Pouzzner 2018-04-09 21:06:41 UTC
(Actually, it wasn't bugzilla that swallowed the line breaks -- they were just missing in the first place.)
Comment 9 Zac Medico gentoo-dev 2019-08-19 05:44:48 UTC
glsa-check is included with >=sys-apps/portage-2.3.72 (bug 463952).
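
Added example, not code from Portage, gentoolkit or anyone in this thread: a Python linter that sits between the two behaviours compared above (the gentoolkit crash and the possibly silent skip in Portage) by reporting a versionless atom such as `>=dev-php/ZendFramework-` per advisory while the scan of the remaining advisories continues. The XML sample is constructed and simplified, the names `lint_glsa`, `scan`, `OPS` and `VERSION_RE` are hypothetical, and the version pattern is a simplification of Portage's version syntax.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, simplified from the GLSA XML layout; not a real advisory.
SAMPLE_GLSA = """<glsa id="000000-00">
  <affected>
    <package name="dev-php/ExamplePkg" auto="yes" arch="*">
      <unaffected range="ge"></unaffected>
      <vulnerable range="lt">1.12.9</vulnerable>
    </package>
  </affected>
</glsa>"""

# Revision-only ranges (rge, rle, ...) are left out of this example.
OPS = {"le": "<=", "lt": "<", "eq": "=", "gt": ">", "ge": ">="}
# Simplified version check (assumption): digits, dots, optional suffixes, -rN.
VERSION_RE = re.compile(r"^\d+(\.\d+)*[a-z]?(_(alpha|beta|pre|rc|p)\d*)*(-r\d+)?$")

def lint_glsa(xml_text):
    """Return (atoms, problems) for one advisory instead of raising mid-scan."""
    atoms, problems = [], []
    root = ET.fromstring(xml_text)
    for pkg in root.iter("package"):
        name = pkg.get("name", "")
        for node in pkg:
            if node.tag not in ("unaffected", "vulnerable"):
                continue
            op = OPS.get(node.get("range", ""))
            version = (node.text or "").strip()
            atom = "%s%s-%s" % (op or "?", name, version)
            if op is None:
                problems.append((node.tag, atom, "unsupported range operator"))
            elif not VERSION_RE.match(version):
                problems.append((node.tag, atom, "missing or malformed version"))
            else:
                atoms.append((node.tag, atom))
    return atoms, problems

def scan(advisories):
    """Check every advisory; a bad one is reported, never fatal and never silent."""
    report = {}
    for glsa_id, xml_text in advisories.items():
        try:
            atoms, problems = lint_glsa(xml_text)
        except ET.ParseError as exc:
            atoms, problems = [], [("xml", "", str(exc))]
        report[glsa_id] = {"atoms": atoms, "problems": problems}
    return report
```

An advisory with a non-empty `problems` list cannot be fully evaluated, so a monitoring wrapper should treat it as "unknown" rather than "not affected".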