Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Can't fix GSLA's.[SOLVED]
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Budoka
l33t
l33t


Joined: 03 Jun 2012
Posts: 693
Location: Tokyo, Japan

PostPosted: Fri Jan 09, 2015 8:38 pm    Post subject: Can't fix GSLA's.[SOLVED] Reply with quote

I have been struggling to fix these to GLSA's for a while now and am stuck.

Quote:
# glsa-check -l
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

201010-01 [N] Libpng: Multiple vulnerabilities ( media-libs/libpng )
201206-15 [N] libpng: Multiple vulnerabilities ( media-libs/libpng )


Quote:
# glsa-check --fix 201010-01
Fixing GLSA 201010-01
>>> cannot fix GLSA, no unaffected packages available
# glsa-check --fix 201206-15
Fixing GLSA 201206-15
>>> cannot fix GLSA, no unaffected packages available


So I know that
Code:
glsa-check --fix
is experimental so it doesn't bother me so much it can't apply them but if I try to do it manually as instructed in the GLSA it still doesn't work.

GLSA 201010-01 http://www.gentoo.org/security/en/glsa/glsa-201010-01.xml
GLSA 201206-15http://www.gentoo.org/security/en/glsa/glsa-201206-15.xml

Quote:
# eix -I libpng
[I] media-libs/libpng
Available versions:
(1.2) 1.2.51 1.2.52
(1.5) 1.5.20 1.5.21
(0) 1.6.10(0/16) 1.6.12(0/16) 1.6.15(0/16) 1.6.16(0/16)
{apng neon static-libs ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32"}
Installed versions: 1.2.52(1.2)(12:24:07 AM 12/16/2014)(ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="64 -32 -x32") 1.6.16(11:00:41 AM 12/27/2014)(apng -neon -static-libs ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="64 -32 -x32")
Homepage: http://www.libpng.org/
Description: Portable Network Graphics library


So if I emerge as instructed in both GLSA it successfully updates to 1.6. But if I check again with glsa-check nothing has changed.

#equery d libpng |wgetpaste
Your paste can be seen here: https://bpaste.net/show/846c4d2461c4

If I understand the output correctly a number of packages are calling on 1.2, the vulnerable version, but they all indicate
Quote:
>=
so why don't they use the 1.6 allowing the 1.2 to be removed???

Am I doing something incorrectly? I am a security freak so would like to resolve this even if my risk is minimal. Thanks.


Last edited by Budoka on Wed Jan 14, 2015 4:03 am; edited 1 time in total
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14373

PostPosted: Fri Jan 09, 2015 11:45 pm    Post subject: Reply with quote

What is the output of emerge --pretend --verbose --depclean media-libs/libpng:1.2?
Back to top
View user's profile Send private message
Budoka
l33t
l33t


Joined: 03 Jun 2012
Posts: 693
Location: Tokyo, Japan

PostPosted: Sat Jan 10, 2015 1:42 am    Post subject: Reply with quote

Hu wrote:
What is the output of emerge --pretend --verbose --depclean media-libs/libpng:1.2?


Quote:
$ emerge --pretend --verbose --depclean media-libs/libpng:1.2

Calculating dependencies... done!
media-libs/libpng-1.2.52 pulled in by:
net-misc/dropbox-2.10.2 requires media-libs/libpng:1.2

>>> No packages selected for removal by depclean
Packages installed: 1260
Packages in world: 261
Packages in system: 44
Required packages: 1260
Number to remove: 0


So I need to do something with dropbox? Shouldn't it use the most recent version?
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6015

PostPosted: Sat Jan 10, 2015 1:55 am    Post subject: Reply with quote

It should, and if dropbox's developers were competent it would!

That's a binary package, you can't do anything about it besides disable USE=X entirely.
Back to top
View user's profile Send private message
Budoka
l33t
l33t


Joined: 03 Jun 2012
Posts: 693
Location: Tokyo, Japan

PostPosted: Sat Jan 10, 2015 2:40 am    Post subject: Reply with quote

Ant P. wrote:
It should, and if dropbox's developers were competent it would!

That's a binary package, you can't do anything about it besides disable USE=X entirely.


So does that mean I either lose dropbox or keep the vulnerability? I'll see if there is a way to contact the developers for the Linux and let them know this is an issue.

However, the one thing I am confused about is what makes you think this is a binary package? It is in portage and I assume as such compiled upon emerge. Or am I confused?

Quote:
[I] net-misc/dropbox
Available versions: 2.4.10^ms 2.6.33^ms ~2.8.4^ms 2.10.2^ms ~2.10.41^ms {X +librsync-bundled}
Installed versions: 2.10.2^ms(02:33:06 AM 09/03/2014)(X librsync-bundled)
Homepage: http://dropbox.com/
Description: Dropbox daemon (pretends to be GUI-less)
Back to top
View user's profile Send private message
jburns
Veteran
Veteran


Joined: 18 Jan 2007
Posts: 1065
Location: Massachusetts USA

PostPosted: Sat Jan 10, 2015 3:23 am    Post subject: Reply with quote

From glsa-check -d 201010-01 201206-15
Quote:
GLSA 201010-01
Unaffected: >=1.4.3, >=~1.2.46, >=~1.2.47, >=~1.2.49, >=~1.2.50, >=~1.2.51
GLSA 201206-15
Unaffected: >=1.5.10, >=~1.2.49, >=~1.2.50, >=~1.2.51


Your version is media-libs/libpng-1.2.52 which should be unaffected.
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6015

PostPosted: Sat Jan 10, 2015 3:43 am    Post subject: Reply with quote

Budoka wrote:
However, the one thing I am confused about is what makes you think this is a binary package? It is in portage and I assume as such compiled upon emerge. Or am I confused?

The proprietary "dropbox" license the package requires you to accept, plus the fact it's only available on amd64/x86.
Back to top
View user's profile Send private message
Budoka
l33t
l33t


Joined: 03 Jun 2012
Posts: 693
Location: Tokyo, Japan

PostPosted: Wed Jan 14, 2015 4:03 am    Post subject: Reply with quote

jburns wrote:
From glsa-check -d 201010-01 201206-15
Quote:
GLSA 201010-01
Unaffected: >=1.4.3, >=~1.2.46, >=~1.2.47, >=~1.2.49, >=~1.2.50, >=~1.2.51
GLSA 201206-15
Unaffected: >=1.5.10, >=~1.2.49, >=~1.2.50, >=~1.2.51


Your version is media-libs/libpng-1.2.52 which should be unaffected.


Thanks. I guess I will start using the "-d" when checking GLSA's in the future. I would have never caught that in the regular output of gsla-check -l.

I do find the output a little confusing regardless though. Because it it indicates:
Quote:
Vulnerable: <1.4.3
which libpng-1.2.52 clearly is then...

Quote:
Unaffected: >=1.4.3, >=~1.2.46, >=~1.2.47, >=~1.2.49, >=~1.2.50, >=~1.2.51


Indicating I am not affected. Would be nice if gsla-check -l didn't kick the gsla's out in the ouput of an unaffected system.

Anyway thanks.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum