Budoka l33t
Joined: 03 Jun 2012 Posts: 777 Location: Tokyo, Japan
Posted: Fri Jan 09, 2015 8:38 pm Post subject: Can't fix GLSAs. [SOLVED]
I have been struggling to fix these two GLSAs for a while now and am stuck.
# glsa-check -l
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.
201010-01 [N] Libpng: Multiple vulnerabilities ( media-libs/libpng )
201206-15 [N] libpng: Multiple vulnerabilities ( media-libs/libpng )
# glsa-check --fix 201010-01
Fixing GLSA 201010-01
>>> cannot fix GLSA, no unaffected packages available
# glsa-check --fix 201206-15
Fixing GLSA 201206-15
>>> cannot fix GLSA, no unaffected packages available
So I know that it is experimental, so it doesn't bother me so much that it can't apply them, but if I try to do it manually as instructed in the GLSA it still doesn't work.
GLSA 201010-01 http://www.gentoo.org/security/en/glsa/glsa-201010-01.xml
GLSA 201206-15 http://www.gentoo.org/security/en/glsa/glsa-201206-15.xml
# eix -I libpng
[I] media-libs/libpng
Available versions:
(1.2) 1.2.51 1.2.52
(1.5) 1.5.20 1.5.21
(0) 1.6.10(0/16) 1.6.12(0/16) 1.6.15(0/16) 1.6.16(0/16)
{apng neon static-libs ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32"}
Installed versions: 1.2.52(1.2)(12:24:07 AM 12/16/2014)(ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="64 -32 -x32") 1.6.16(11:00:41 AM 12/27/2014)(apng -neon -static-libs ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="64 -32 -x32")
Homepage: http://www.libpng.org/
Description: Portable Network Graphics library
So if I emerge as instructed in both GLSAs it successfully updates to 1.6. But if I check again with glsa-check nothing has changed.
# equery d libpng | wgetpaste
Your paste can be seen here: https://bpaste.net/show/846c4d2461c4
If I understand the output correctly, a number of packages are calling on 1.2, the vulnerable version, but they all indicate so, so why don't they use 1.6, allowing 1.2 to be removed???
Am I doing something incorrectly? I am a security freak, so I would like to resolve this even if my risk is minimal. Thanks.
Last edited by Budoka on Wed Jan 14, 2015 4:03 am; edited 1 time in total
Hu Moderator
Joined: 06 Mar 2007 Posts: 21490
Posted: Fri Jan 09, 2015 11:45 pm
What is the output of emerge --pretend --verbose --depclean media-libs/libpng:1.2?
Budoka l33t
Joined: 03 Jun 2012 Posts: 777 Location: Tokyo, Japan
Posted: Sat Jan 10, 2015 1:42 am
Hu wrote: What is the output of emerge --pretend --verbose --depclean media-libs/libpng:1.2?
$ emerge --pretend --verbose --depclean media-libs/libpng:1.2
Calculating dependencies... done!
media-libs/libpng-1.2.52 pulled in by:
net-misc/dropbox-2.10.2 requires media-libs/libpng:1.2
>>> No packages selected for removal by depclean
Packages installed: 1260
Packages in world: 261
Packages in system: 44
Required packages: 1260
Number to remove: 0
So I need to do something with dropbox? Shouldn't it use the most recent version?
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Sat Jan 10, 2015 1:55 am
It should, and if dropbox's developers were competent it would!
That's a binary package, you can't do anything about it besides disable USE=X entirely.
Budoka l33t
Joined: 03 Jun 2012 Posts: 777 Location: Tokyo, Japan
Posted: Sat Jan 10, 2015 2:40 am
Ant P. wrote: It should, and if dropbox's developers were competent it would!
That's a binary package, you can't do anything about it besides disable USE=X entirely.
So does that mean I either lose dropbox or keep the vulnerability? I'll see if there is a way to contact the developers for the Linux version and let them know this is an issue.
However, the one thing I am confused about is what makes you think this is a binary package? It is in portage and I assume as such compiled upon emerge. Or am I confused?
[I] net-misc/dropbox
Available versions: 2.4.10^ms 2.6.33^ms ~2.8.4^ms 2.10.2^ms ~2.10.41^ms {X +librsync-bundled}
Installed versions: 2.10.2^ms(02:33:06 AM 09/03/2014)(X librsync-bundled)
Homepage: http://dropbox.com/
Description: Dropbox daemon (pretends to be GUI-less)
jburns Veteran
Joined: 18 Jan 2007 Posts: 1213 Location: Massachusetts USA
Posted: Sat Jan 10, 2015 3:23 am
From glsa-check -d 201010-01 201206-15
GLSA 201010-01
Unaffected: >=1.4.3, >=~1.2.46, >=~1.2.47, >=~1.2.49, >=~1.2.50, >=~1.2.51
GLSA 201206-15
Unaffected: >=1.5.10, >=~1.2.49, >=~1.2.50, >=~1.2.51
Your version is media-libs/libpng-1.2.52 which should be unaffected.
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Sat Jan 10, 2015 3:43 am
Budoka wrote: However, the one thing I am confused about is what makes you think this is a binary package? It is in portage and I assume as such compiled upon emerge. Or am I confused?
The proprietary "dropbox" license the package requires you to accept, plus the fact it's only available on amd64/x86.
Budoka l33t
Joined: 03 Jun 2012 Posts: 777 Location: Tokyo, Japan
Posted: Wed Jan 14, 2015 4:03 am
jburns wrote: From glsa-check -d 201010-01 201206-15
GLSA 201010-01
Unaffected: >=1.4.3, >=~1.2.46, >=~1.2.47, >=~1.2.49, >=~1.2.50, >=~1.2.51
GLSA 201206-15
Unaffected: >=1.5.10, >=~1.2.49, >=~1.2.50, >=~1.2.51
Your version is media-libs/libpng-1.2.52 which should be unaffected.
Thanks. I guess I will start using "-d" when checking GLSAs in the future. I would never have caught that in the regular output of glsa-check -l.
I do find the output a little confusing regardless, though. Because it indicates:
Vulnerable: <1.4.3
which libpng-1.2.52 clearly is, and then...
Unaffected: >=1.4.3, >=~1.2.46, >=~1.2.47, >=~1.2.49, >=~1.2.50, >=~1.2.51
indicating I am not affected. It would be nice if glsa-check -l didn't kick the GLSAs out in the output of an unaffected system.
Anyway, thanks.
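The "Vulnerable: <1.4.3" versus "Unaffected: >=~1.2.51" pairing that looks contradictory in the two posts above comes from glsa-check having two kinds of range. A plain operator (>=1.4.3) compares the whole version; a "~" operator (printed by glsa-check -d for the rge/rle/rgt/rlt ranges in the GLSA XML) only matches the same base version and compares its -rN revision, so ">=~1.2.51" covers 1.2.51 and 1.2.51-r1 but not 1.2.52. The Python below is an added example and not portage's own glsa.py: it re-implements that matching over the ranges jburns quoted for GLSA 201010-01 and runs it against the two installed libpng versions from the eix output. The version parser is a deliberate simplification (an assumption for this example: numeric dotted components plus an optional -rN suffix only).

```python
import re
from typing import Dict, Iterable, List, Tuple

# Operators as printed by `glsa-check -d`. The "~" forms are the GLSA XML
# rge/rle/rgt/rlt ranges, which compare the revision only. Longest first so
# that ">=~" is not mistaken for ">=".
_OPS = ("<=~", ">=~", "<~", ">~", "<=", ">=", "<", ">", "=")


def parse_version(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Split '1.2.51-r2' into ((1, 2, 51), 2).

    Simplification (assumption for this example): only numeric dotted
    components and an optional -rN suffix are handled; letter suffixes and
    _pre/_rc stages of the full Gentoo version syntax are out of scope.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version syntax: {ver}")
    base = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2) or 0)
    return base, rev


def _cmp(a, b) -> int:
    """Three-way compare: -1, 0 or 1."""
    return (a > b) - (a < b)


def matches(range_spec: str, installed: str) -> bool:
    """True if `installed` satisfies one glsa-check range such as '>=~1.2.51'."""
    op = next(o for o in _OPS if range_spec.startswith(o))
    ref_base, ref_rev = parse_version(range_spec[len(op):])
    base, rev = parse_version(installed)
    if op.endswith("~"):
        # Revision-only range: the base version must be identical and only
        # the -rN part is compared. '>=~1.2.51' therefore matches 1.2.51 and
        # 1.2.51-r3, but never 1.2.52.
        if base != ref_base:
            return False
        c = _cmp(rev, ref_rev)
        op = op[:-1]
    else:
        # Ordinary range: compare base version first, then revision.
        c = _cmp((base, rev), (ref_base, ref_rev))
    return {"<": c < 0, "<=": c <= 0, "=": c == 0, ">=": c >= 0, ">": c > 0}[op]


def classify(installed: str, vulnerable: List[str], unaffected: List[str]) -> str:
    """Verdict for one installed version.

    glsa-check takes the installed versions inside a vulnerable range and
    removes those that also sit inside an unaffected range; anything left
    makes the GLSA show up as [N]. Same order here: unaffected wins.
    """
    if any(matches(r, installed) for r in unaffected):
        return "unaffected"
    if any(matches(r, installed) for r in vulnerable):
        return "affected"
    return "unaffected"


def report(installed: Iterable[str], vulnerable: List[str],
           unaffected: List[str]) -> Dict[str, str]:
    """Verdict per installed version, e.g. one entry per libpng slot."""
    return {v: classify(v, vulnerable, unaffected) for v in installed}


# Ranges exactly as `glsa-check -d` printed them for GLSA 201010-01 in the thread.
GLSA_201010_01 = {
    "vulnerable": ["<1.4.3"],
    "unaffected": [">=1.4.3", ">=~1.2.46", ">=~1.2.47",
                   ">=~1.2.49", ">=~1.2.50", ">=~1.2.51"],
}

# The two installed versions from the eix output (slot 1.2 and slot 0).
INSTALLED_LIBPNG = ["1.2.52", "1.6.16"]

if __name__ == "__main__":
    for ver, verdict in report(INSTALLED_LIBPNG, **GLSA_201010_01).items():
        print(f"media-libs/libpng-{ver}: {verdict}")
```

Run stand-alone it reports 1.2.52 as affected and 1.6.16 as unaffected, which is exactly what glsa-check -l printed for this system: 1.2.52 sits inside "<1.4.3" and inside none of the unaffected ranges, because the GLSA range language has no way to say "any 1.2.x newer than 1.2.51". The -d output does not change the verdict, it only exposes the ranges behind it, and whether 1.2.52 actually carries the backported fixes is a question those ranges cannot answer. The "cannot fix GLSA, no unaffected packages available" message is consistent with the same reading: the only unaffected version the tree offers in the 1.2 slot is 1.2.51, which is older than the installed 1.2.52, so there is nothing to upgrade to while dropbox keeps media-libs/libpng:1.2 installed.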