glsa-check/automake-wrapper false alarm

<snip>
porkoo ~ # glsa-check -t all
WARNING: This ...
This system is affected by the following GLSA:
200404-08
</snip>

<snip>
GLSA 200404-08: GNU Automake symbolic link vulnerability
============================================================================
Synopsis: ...
Affected package: sys-devel/automake
Affected archs: All
Vulnerable: <1.8.3
Unaffected: >=1.8.3
</snip>

<snip>
porkoo ~ # equery l -p automake
[ Searching for package 'automake' in all categories among: ]
 * installed packages
[I--] [ ] sys-devel/automake-1.4_p6 (1.4)
[I--] [ ] sys-devel/automake-1.5 (1.5)
[I--] [ ] sys-devel/automake-1.6.3 (1.6)
[I--] [ ] sys-devel/automake-1.7.9 (1.7)
[I--] [ ] sys-devel/automake-1.9.3 (1.9)
[I--] [ ] sys-devel/automake-1.8.5-r2 (1.8)
[I--] [ ] sys-devel/automake-wrapper-1 (0)
 * Portage tree (/usr/portage)
[-P-] [ ] sys-devel/automake-1.8.5-r1 (1.5)
</snip>
GLSA says all automake < 1.8.3 is vulnerable. You have automake-1.4_p6, automake-1.5, automake-1.6.3 and automake-1.7.9 installed. glsa-check says you are affected. Looks like glsa-check is right. Please explain how this is an error.
After a little chat it's a little more clear... automake-wrapper has the following RDEPENDS:
RDEPEND="=sys-devel/automake-1.4* =sys-devel/automake-1.5* =sys-devel/automake-1.6* =sys-devel/automake-1.7* =sys-devel/automake-1.8.5-r2 =sys-devel/automake-1.9*"

[M~] sys-devel/automake-1.5 (1.5)
[M~] sys-devel/automake-1.4_p6 (1.4)
[M~] sys-devel/automake-1.6.3 (1.6)
[M~] sys-devel/automake-1.7.9 (1.7)
[ ] sys-devel/automake-1.8.5-r1 (1.5)
[M~] sys-devel/automake-1.8.5-r2 (1.8)
[M~] sys-devel/automake-1.9.3 (1.9)

So portage still contains (probably) vulnerable versions... And automake-wrapper even requires them. base-system, please advise... Are all these versions fixed ? Will they be ? If not, can they be removed ?
Can/will they be removed ? No, probably never; those versions have always been in the tree ... 1.8.5-r1 and earlier always packaged the older versions in one ebuild. Are they fixed ? I have nfc what the bug is, so I couldn't tell you.
clue: GLSA 200404-08, bug 45646 Looks like a tempfile vuln, was fixed by solar through : - epatch ${FILESDIR}/${P}-infopage-namechange.patch + epatch ${FILESDIR}/${PN}-1.8.2-infopage-namechange.patch I suppose the other versions (other than the stable 1.8.* slot) are not fixed.
The vuln seems to have been introduced during the 1.7.x cycle; that means 1.4_p6, 1.5, and 1.6.3 are not affected. I've added the patch to 1.7.9, 1.8.5-r2, and made a new patch for 1.9.3 ... I thought this was supposed to be fixed upstream ?
Hmm it was before my time, so I don't know if it was forwarded upstream. Obviously it wasn't, or upstream didn't care. Could you revbump to 1.7.9-r1 and 1.9.3-r1 so that we can update the old GLSA instructions to match ? About 1.8.5-r2, didn't it already have the patch ? If not, then revbump to -r3 too (and remove once-affected -r2 to simplify)
*** Bug 75477 has been marked as a duplicate of this bug. ***
The problem still exists...
This bug has been here for months... any idea when it might get fixed?
Hi, I just did an emerge sync, and I'm noticing that Portage suddenly wants to install half a dozen versions of automake (and a few of autoconf). Can someone on this thread tell me why automake-wrapper tries to install so many versions of automake, and why we suddenly need them all now, when we didn't need them before?
Chris: this bug hasn't been sitting there for months, but just for a month. It's partially fixed (portage does not carry any vulnerable version anymore) but still needs a few revbumps and an updated GLSA so that glsa-check does not report you're vulnerable while you're not.

vapier: currently portage has :
sys-devel/automake-1.4_p6 (1.4) -> not affected
sys-devel/automake-1.5 (1.5) -> not affected
sys-devel/automake-1.6.3 (1.6) -> not affected
sys-devel/automake-1.7.9 (1.7) -> patched, requires revbump
sys-devel/automake-1.8.5-r2 (1.8) -> patched, requires revbump ?
sys-devel/automake-1.9.4 (1.9) -> patched (SLOT always included the patch)

Please revbump those that need it, and tell me which 1.8.5 version includes the fix, so that we can update GLSA 200404-08 as :
Unaffected :
sys-devel/automake < 1.7
sys-devel/automake *>= 1.7.9-r1
sys-devel/automake >= 1.8.5-r3 (or is it 1.8.5 ?)
Affected :
sys-devel/automake < 1.8.5-r3 (or is it 1.8.5 ?)
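As an added illustration (not part of the bug thread, and not gentoolkit's own glsa-check code), here is a small Python model of how the old and the proposed GLSA ranges above evaluate against the installed SLOTs from the equery output at the top of the bug. `*>=` is treated as a revision range (same base version, revision at least the given one), which is what keeps 1.8.5-r2 from being covered by the 1.7.9-r1 line; the version parser is a simplification that only handles the forms seen in this thread, and the installed lists are constructed from the comments.

```python
import re

# Simplified Gentoo version parser (assumption: only the forms seen in this
# thread, e.g. "1.4_p6", "1.7.9", "1.8.5-r3"; real PMS versions allow more).
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_p(\d+))?(?:-r(\d+))?$")

def parse_version(v):
    """Return (numeric components, _p level, -r revision) as an orderable tuple."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, int(m.group(2) or 0), int(m.group(3) or 0)

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def matches(installed, op, ref):
    """True if version `installed` satisfies `op ref`. A leading '*' makes it a
    revision range: the base version must be identical, only -rN is compared."""
    iv, rv = parse_version(installed), parse_version(ref)
    if op.startswith("*"):
        if iv[:2] != rv[:2]:
            return False
        op = op[1:]
    return OPS[op](iv, rv)

def affected_versions(installed, vulnerable, unaffected):
    """Versions a glsa-check style evaluation would flag: those matching some
    vulnerable range and no unaffected range."""
    return [v for v in installed
            if any(matches(v, o, r) for o, r in vulnerable)
            and not any(matches(v, o, r) for o, r in unaffected)]

# Constructed from the equery output in the first comment (installed SLOTs).
INSTALLED_BEFORE = ["1.4_p6", "1.5", "1.6.3", "1.7.9", "1.9.3", "1.8.5-r2"]
# Constructed: the revbumped set the thread ends up with.
INSTALLED_AFTER = ["1.4_p6", "1.5", "1.6.3", "1.7.9-r1", "1.8.5-r3", "1.9.4"]

# Original GLSA 200404-08 ranges: everything below 1.8.3 is "vulnerable".
OLD_GLSA = dict(vulnerable=[("<", "1.8.3")], unaffected=[(">=", "1.8.3")])
# Revised ranges as proposed in the comment above.
NEW_GLSA = dict(vulnerable=[("<", "1.8.5-r3")],
                unaffected=[("<", "1.7"), ("*>=", "1.7.9-r1"), (">=", "1.8.5-r3")])

if __name__ == "__main__":
    for name, pkgs in (("before", INSTALLED_BEFORE), ("after", INSTALLED_AFTER)):
        print(name, "old GLSA flags:", affected_versions(pkgs, **OLD_GLSA))
        print(name, "new GLSA flags:", affected_versions(pkgs, **NEW_GLSA))
```

With the old ranges the pre-1.8 SLOTs are flagged even after the revbumps, which is the false alarm; with the revised ranges only the unbumped 1.7.9 and 1.8.5-r2 are flagged, and the revbumped set is clean.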
How does one revbump? I'm confused. And there is no automake-1.8.5-r3 at least not in portage. r2 is the highest I see.
Everything below "vapier:" in my latest comment is for vapier (the package maintainer), not for you. He is the one that will do the revbumping (i.e. create new ebuild revisions).
sys-devel/automake-1.7.9-r1 and sys-devel/automake-1.8.5-r3 have both been rev bumped
alpha, sparc, mips, ppc, ppc64: Do you plan on using the new SLOTed automake(s) anytime soon ? I have to update the GLSA for the arches who do (amd64,arm,hppa,ia64,s390,sh,x86), but it may be simpler to wait for you to use them too, if it's soon. To make the switch you have to mark stable :
sys-devel/automake-1.4_p6 (1.4)
sys-devel/automake-1.5 (1.5)
sys-devel/automake-1.6.3 (1.6)
sys-devel/automake-1.7.9-r1 (1.7)
sys-devel/automake-1.8.5-r3 (1.8)
sys-devel/automake-1.9.4 (1.9)
If you can't do it for whatever reason, please comment so that I don't wait for you to fix the GLSA.
Well, sys-devel/automake-1.8.5-r3 is in portage today, but sys-devel/automake-1.8.5-r2 is now masked, and since automake-wrapper still specifies sys-devel/automake-1.8.5-r2 in its dependencies, "emerge -uD anything" or "emerge -e anything" no longer work. Can we please have an updated automake-wrapper that has a sensible depend like "=sys-devel/automake-1.8*" and avoid this problem?
vapier: automake-wrapper needs a quick fix to handle the new rev...
Yes it does, see the pile-up on bug #79926 May be mark this bug as blocker for #79926 ?
stable on ppc64
I can confirm that automake-1.8.5-r3 was installed on my box, but glsa-check still removes automake-1.5 (and installs automake-1.8.5-r1 in its place). So, I'm assuming this means that the glsa-check script will simply be changed sometime in the future for this.
err, sorry, fixed automake-wrapper; we can't depend on 1.8* yet because 1.8.5-r1 will match that
Stable on ppc.
Alpha keyworded.
Still needing sparc to mark stable as detailed in comment #15. Then we'll proceed in updating the GLSA as detailed in comment #11.
sparc done.
new GLSA 200404-08 committed to Portage. Should be on mirrors in 30 minutes, please test that it accurately reports vulnerability status.
glsa-check -f 200404-08
This re-emerged 1.8.5-r3, so it was still complaining.. I needed to:
emerge =automake-1.7.9-r1
then the glsa-check showed clear.... Cheers all..
I'll suppose this means it works... Please reopen if it doesn't.
Mips done.