Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 718844 - GLSA 202003-57 lists unaffected ebuild(s) as vulnerable
Summary: GLSA 202003-57 lists unaffected ebuild(s) as vulnerable
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
: 718600 (view as bug list)
Depends on:
Blocks:
 
Reported: 2020-04-22 14:03 UTC by Thomas Deutschmann (RETIRED)
Modified: 2020-12-23 20:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-22 14:03:51 UTC
See bug 713484 comment 16 for more details.
Comment 1 alexander haensch 2020-04-23 08:01:44 UTC
I think the xml should have this package contents:


  <affected>
    <package name="dev-lang/php" auto="yes" arch="*">
      <unaffected range="ge">7.2.29</unaffected>
      <unaffected range="ge">7.3.16</unaffected>
      <unaffected range="ge">7.4.4</unaffected>
      <vulnerable range="lt">7.2.29</vulnerable>
      <vulnerable range="lt">7.3.16</vulnerable>
      <vulnerable range="lt">7.4.4</vulnerable>
    </package>
  </affected>


can this be fixed upstream?
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-23 12:51:28 UTC
We are working in this, but it's not that easy. See the following pseudo example with some debug output:

> (chroot) dev1 ~ # # eshowkw dev-lang/php
> Keywords for dev-lang/php:
>           |                             |   u     |
>           | a   a     p         s a r   |   n     |
>           | m   r i   p   h m s p l i m | e u s   | r
>           | d a m a p c x p 6 3 a p s i | a s l   | e
>           | 6 r 6 6 p 6 8 p 8 9 r h c p | p e o   | p
>           | 4 m 4 4 c 4 6 a k 0 c a v s | i d t   | o
> ----------+-----------------------------+---------+-------
>    7.2.29 | + + + ~ + + + + o ~ + ~ o ~ | 7 # 7.2 | gentoo
>    7.2.30 | + + + ~ + + + + o ~ + ~ o ~ | 7 o     | gentoo
> ----------+-----------------------------+---------+-------
>    7.3.16 | + + + ~ + + + + o ~ + ~ o ~ | 7 # 7.3 | gentoo
> [I]7.3.17 | + + + ~ + + + + o ~ + ~ o ~ | 7 o     | gentoo
> ----------+-----------------------------+---------+-------
>  [I]7.4.4 | + + + ~ + + + + o ~ + ~ o ~ | 7 # 7.4 | gentoo
>     7.4.5 | + + + ~ + + + + o ~ + ~ o ~ | 7 o     | gentoo


> (chroot) dev1 ~ # grep -B 6 '</package>' /var/db/repos/gentoo/metadata/glsa/glsa-202003-57.xml
> <unaffected range="ge">7.2.29</unaffected>
> <unaffected range="ge">7.3.18</unaffected>
> <unaffected range="ge">7.4.5</unaffected>
> <vulnerable range="lt">7.2.29</vulnerable>
> <vulnerable range="lt">7.3.18</vulnerable>
> <vulnerable range="lt">7.4.5</vulnerable>
>     </package>


> (chroot) dev1 ~ # glsa-check -t 202003-57
> {'arch': '*', 'auto': True, 'vul_vers': ['<7.4.5'], 'unaff_vers': ['>=7.2.29', '>=7.3.18', '>=7.4.5'], 'vul_atoms': ['<d
> ev-lang/php-7.4.5'], 'unaff_atoms': ['>=dev-lang/php-7.2.29', '>=dev-lang/php-7.3.18', '>=dev-lang/php-7.4.5']}
> v_installed: ['dev-lang/php-7.3.17', 'dev-lang/php-7.4.4']
> u_installed: ['dev-lang/php-7.3.17', 'dev-lang/php-7.4.4', 'dev-lang/php-7.4.4']
> v_installed reduced: []
> This system is not affected by any of the listed GLSAs

As you can see, the lowest unaffected range will clear out everything else which is wrong.
Using rge helped here but only at revision level which is not the case.
Comment 3 Larry the Git Cow gentoo-dev 2020-04-23 15:25:54 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=5f514a6bc0b6082d08328fcc290cbba6761ee102

commit 5f514a6bc0b6082d08328fcc290cbba6761ee102
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-23 15:25:14 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-23 15:25:14 +0000

    [ GLSA 202003-57 ] Use slots
    
    Closes: https://bugs.gentoo.org/718844
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 glsa-202003-57.xml | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-23 20:24:28 UTC
*** Bug 718600 has been marked as a duplicate of this bug. ***