quat Guru
Joined: 18 Sep 2004 Posts: 316
|
Posted: Tue Jan 18, 2005 1:28 am Post subject: |
|
|
same here. a2ps and violation.
did you manage to solve it gentree? _________________ a mind is like a parachute, it's better when it's open |
|
|
|
Gentree Watchman
Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
|
Posted: Tue Jan 18, 2005 1:47 am Post subject: |
|
|
quat wrote: | same here. a2ps and violation.
did you manage to solve it gentree? |
No, I just skipped it. It's so rare that I use it, it's not a real security risk - a bit of a theoretical risk.
I've got bigger issues than that to worry about on Gentoo right now. _________________ Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86 |
|
|
|
Gentree Watchman
Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
|
Posted: Fri Jan 21, 2005 11:50 pm Post subject: |
|
|
xfce4 depends on xfprint, which depends on a2ps: all versions broken
anyone with xfce4 will not be able to rebuild world.
Bug posted.
all -4.13c* version sandbox all -4.13b fail with malloc error. Borked. _________________ Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86 |
|
|
|
Gentree Watchman
Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
|
Posted: Sat Jan 22, 2005 9:41 am Post subject: |
|
|
Code: | make[1]: Leaving directory `/var/tmp/portage/a2ps-4.13c-r1/work/a2ps-4.13'
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/tmp/sandbox-app-text_-_a2ps-4.13c-r1-13966.log"
open_wr: /usr/qt/3/etc/settings/.qtrc.lock
open_wr: /usr/qt/3/etc/settings/.qtrc.lock
--------------------------------------------------------------------------------
|
What is going on here? a2ps is nothing to do with qt anyway, why is it trying to set a lock?
Thankfully we have the sandbox to trap this kind of buggy behaviour.
Problem is that this is an indirect dependency of xfce4 so even if I don't use a2ps this bug prevents me from emerging world.
How can I get round this "security update"?
Thx for ideas. _________________ Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86 |
|
|
|
Gentree Watchman
Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
|
Posted: Tue Jan 25, 2005 1:37 am Post subject: |
|
|
Solved it : https://bugs.gentoo.org/show_bug.cgi?id=79012
Basically a bad ebuild that gets messed up if root locale is set.
HTH _________________ Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86 |
|
|
|
Matteo Azzali Retired Dev
Joined: 23 Sep 2004 Posts: 1133
|
Posted: Thu Jan 27, 2005 7:09 pm Post subject: |
|
|
tested now, it reports only one vulnerability, and really strange:
200404-08 asks to update my automake..... to the 1.8.5-r1
(I'm using 1.9.x ...... )
I think it is some sort of bug, but I can't be sure. _________________ Every day a new distro comes to birth. Every day a distro "eats" another.
If you're born distro, no matter what, start to run.
---- http://www.linuxprinting.org/ ---- http://tuxmobil.org/ |
|
|
|
kallamej Administrator
Joined: 27 Jun 2003 Posts: 4975 Location: Gothenburg, Sweden
|
Posted: Thu Jan 27, 2005 9:50 pm Post subject: |
|
|
Matteo Azzali wrote: | tested now, it reports only one vulnerability, and really strange:
200404-08 asks to update my automake..... to the 1.8.5-r1
(I'm using 1.9.x ...... )
I think it is some sort of bug, but I can't be sure. |
Probably related to https://forums.gentoo.org/viewtopic.php?t=285010 _________________ Please read our FAQ Forum, it answers many of your questions.
irc: #gentoo-forums on irc.libera.chat |
|
|
|
Matteo Azzali Retired Dev
Joined: 23 Sep 2004 Posts: 1133
|
Posted: Fri Jan 28, 2005 12:33 pm Post subject: |
|
|
I don't think so (IMHO), because:
1) emerge -puDt world shows:
none to upgrade.
2) I sync about once every 2-3 days.
3) porthole report of automake:
Installed versions:
Slot 1.8: 1.8.5-r2
Slot 1.5: 1.5
Slot 1.4: 1.4_p6
Slot 1.6: 1.6.3
Slot 1.7: 1.7.9
Slot 1.9: 1.9.4
It lacks 1.8.5-r1 because there is 1.8.5-r2, which should be compatible and
more up to date (but I may be wrong).
EDIT: Thinking about that... couldn't it be that the glsa checks only for 1.8.5-r1
(precisely) and not for 1.8.5*? And if so, is it a wrong "definition" or is it
wanted? _________________ Every day a new distro comes to birth. Every day a distro "eats" another.
If you're born distro, no matter what, start to run.
---- http://www.linuxprinting.org/ ---- http://tuxmobil.org/ |
|
|
|
kallamej Administrator
Joined: 27 Jun 2003 Posts: 4975 Location: Gothenburg, Sweden
|
Posted: Fri Jan 28, 2005 4:48 pm Post subject: |
|
|
Well, it is a very old one, from before the slotting of automake, and for some reason, 1.8.5-r1 is slotted 1.5. It's probably trying to pull in that one instead of 1.5. _________________ Please read our FAQ Forum, it answers many of your questions.
irc: #gentoo-forums on irc.libera.chat |
|
|
|
Matteo Azzali Retired Dev
Joined: 23 Sep 2004 Posts: 1133
|
Posted: Sun Jan 30, 2005 2:11 pm Post subject: |
|
|
Thanks, it did. (1.5 -> 1.8.5-r1).
The only problem is now
shows it wants to downgrade it to 1.5 _________________ Every day a new distro comes to birth. Every day a distro "eats" another.
If you're born distro, no matter what, start to run.
---- http://www.linuxprinting.org/ ---- http://tuxmobil.org/ |
|
|
|
kallamej Administrator
Joined: 27 Jun 2003 Posts: 4975 Location: Gothenburg, Sweden
|
Posted: Sun Jan 30, 2005 6:24 pm Post subject: |
|
|
Yes, because the automake-wrapper depends on 1.5. The glsa was written for a portage tree that was fundamentally different regarding automake. _________________ Please read our FAQ Forum, it answers many of your questions.
irc: #gentoo-forums on irc.libera.chat |
|
|
|
acasto Apprentice
Joined: 06 Feb 2004 Posts: 236 Location: Durka-Durka-Stan
|
Posted: Sun Jan 30, 2005 10:29 pm Post subject: |
|
|
How does glsa-check handle dependencies differently from portage? If I run a glsa-check -p new it will show a couple of packages that need to be updated. However if I then go and plug the affected package into emerge -up it gives a different list. Is it better to use glsa-check to gather the list, then use emerge to do the work? Or once it's in portage will they work seamlessly?
Right now I'm just using:
Code: |
glsa-check -l new 2>/dev/null |awk '/\[N\]/&&!/indicates that the system/{print $0}'
|
To pull me a list of GLSAs that affect my system, from there I can use awk to process and run them through an emerge -up, then cycle them through an etcat -c, then email a report showing what GLSAs need attention, how I should go about updating it, and what the changes are in the changelog.
- Adam |
|
|
|
jpc82 Guru
Joined: 09 Mar 2003 Posts: 326
|
Posted: Wed Feb 23, 2005 4:10 pm Post subject: |
|
|
I'm confused about what to do to stop glsa-check from reporting automake.
I'm having the same problem as the user above, but I don't understand what he did to solve it, could some one explain it better to me? |
|
|
|
anz Apprentice
Joined: 05 Feb 2003 Posts: 279 Location: Vienna
|
Posted: Thu Apr 14, 2005 9:20 am Post subject: |
|
|
Dear jpc82
Quote: | I'm having the same problem as the user above, but I don't understand what he did to solve it, could some one explain it better to me? |
Try:
Code: | FEATURES="-sandbox" emerge app-text/a2ps |
But I get another problem with a2ps: when trying to print out longer documents, a2ps uses most %CPU and does not print out anything ...
... any hints? _________________ Greetings from Vienna |
|
|
|
anz Apprentice
Joined: 05 Feb 2003 Posts: 279 Location: Vienna
|
Posted: Mon Apr 18, 2005 12:26 pm Post subject: |
|
|
Quote: | But I get another problem with a2ps: when trying to print out longer documents, a2ps uses most %CPU and does not print out anything ... |
I've got it working now:
it seems to be a problem caused by ghostscript - after the following steps, everything is working again
(1) emerge fonts
Code: | emerge gnu-gs-fonts-std
emerge gnu-gs-fonts-other |
(2) emerge ghostscript (without asian fonts)
Code: | USE="-cjk" emerge ghostscript |
(3) emerge a2ps:
Code: | FEATURES="-sandbox" USE="-cjk" emerge a2ps |
I found the hints at https://forums.gentoo.org/viewtopic-t-182084-highlight-error+invalidfont.html - thanks a lot!!! _________________ Greetings from Vienna |
|
|
|
iKiddo Guru
Joined: 27 Jun 2002 Posts: 341 Location: Europe?
|
Posted: Thu May 19, 2005 1:54 pm Post subject: |
|
|
I'm getting an error when using glsa-check. It works for a while, but then fails:
Code: |
...
200402-06 [A] Updated kernel packages fix the AMD64 ptrace vulnerability ( sys-kernel/gentoo-test-sources sys-kernel/gs-sources sys-kernel/gentoo-sources ... )
200402-07 [A] Clam Antivirus DoS vulnerability ( net-mail/clamav )
200403-01 [A] Libxml2 URI Parsing Buffer Overflow Vulnerabilities ( dev-libs/libxml2 )
Traceback (most recent call last):
File "/usr/bin/glsa-check", line 131, in ?
myglsa = Glsa(myid, glsaconfig)
File "/usr/lib/gentoolkit/pym/glsa.py", line 326, in __init__
self.read()
File "/usr/lib/gentoolkit/pym/glsa.py", line 341, in read
self.parse(urllib.urlopen(myurl))
File "/usr/lib/gentoolkit/pym/glsa.py", line 400, in parse
self.packages[name]["unaff_vers"] = [makeVersion(v) for v in p.getElementsB$
File "/usr/lib/gentoolkit/pym/glsa.py", line 263, in makeVersion
return opMapping[versionNode.getAttribute("range")] \
KeyError: u'rge'
|
I'm guessing the GLSA after 200403-01 has some form of a syntax error. |
|
|
|
iKiddo Guru
Joined: 27 Jun 2002 Posts: 341 Location: Europe?
|
Posted: Thu May 19, 2005 2:02 pm Post subject: |
|
|
I think I found the problem in /usr/portage/metadata/glsa/glsa-200403-02.xml:
Code: | <package name="sys-kernel/usermode-sources" auto="yes" arch="*">
<unaffected range="rge">2.4.24-r1</unaffected>
<unaffected range="rge">2.4.26</unaffected>
<unaffected range="ge">2.6.3-r1</unaffected>
<vulnerable range="lt">2.6.3-r1</vulnerable>
</package>
|
The two instances of range="rge" seem incorrect. All the others seem to use only range="ge", range="lt" and range="le"
*EDIT*
And there's also a typo in glsa-200404-08.xml:
Code: | <package name="sys-devel/automake" auto="yes" arch="*">
<unaffected range="ge">1.8.5-r3</unaffected>
<unaffected range="rge">1.7.9-r1</unaffected>
<unaffected range="lt">1.7</unaffected>
<vulnerable range="le">1.8.5-r2</vulnerable>
</package> |
Again 'rge' is being rejected:
Code: | 200404-07 [U] ClamAV RAR Archive Remote Denial Of Service Vulnerability ( net-mail/clamav )
Traceback (most recent call last):
File "/usr/bin/glsa-check", line 131, in ?
myglsa = Glsa(myid, glsaconfig)
File "/usr/lib/gentoolkit/pym/glsa.py", line 326, in __init__
self.read()
File "/usr/lib/gentoolkit/pym/glsa.py", line 341, in read
self.parse(urllib.urlopen(myurl))
File "/usr/lib/gentoolkit/pym/glsa.py", line 400, in parse
self.packages[name]["unaff_vers"] = [makeVersion(v) for v in p.getElementsByTagName("unaffected")]
File "/usr/lib/gentoolkit/pym/glsa.py", line 263, in makeVersion
return opMapping[versionNode.getAttribute("range")] \
KeyError: u'rge' |
*EDIT2*
Now I'm starting to wonder whether it might not be a typo after all, but some bug in glsa-check.
In glsa-200407-02.xml:
Code: | <package name="sys-kernel/gentoo-sources" auto="yes" arch="*">
<unaffected range="rge">2.4.19-r17</unaffected>
<unaffected range="rge">2.4.20-r20</unaffected>
<unaffected range="rge">2.4.22-r12</unaffected>
<unaffected range="rge">2.4.25-r5</unaffected>
<unaffected range="ge">2.4.26-r3</unaffected>
<vulnerable range="lt">2.4.26-r3</vulnerable>
</package>
[...]
<package name="sys-kernel/usermode-sources" auto="yes" arch="*">
<unaffected range="ge">2.4.24-r5</unaffected>
<unaffected range="ge">2.4.26-r2</unaffected>
<vulnerable range="lt">2.4.26-r2</vulnerable>
</package>
[...]
<package name="sys-kernel/wolk-sources" auto="yes" arch="*">
<unaffected range="rge">4.9-r9</unaffected>
<unaffected range="rge">4.11-r6</unaffected>
<unaffected range="ge">4.14-r3</unaffected>
<vulnerable range="lt">4.14-r3</vulnerable>
</package>
|
In glsa-200407-16.xml:
Code: | <package name="sys-kernel/aa-sources" auto="no" arch="*">
<unaffected range="rge">2.4.23-r2</unaffected>
<unaffected range="ge">2.6.5-r5</unaffected>
<vulnerable range="lt">2.6.5-r5</vulnerable>
</package>
[...]
<package name="sys-kernel/ck-sources" auto="no" arch="*">
<unaffected range="rge">2.4.26-r1</unaffected>
<unaffected range="ge">2.6.7-r5</unaffected>
<vulnerable range="lt">2.6.7-r5</vulnerable>
</package>
[...] |
And many, many more. |
|
|
|
chashab n00b
Joined: 16 Jun 2004 Posts: 71 Location: Republic of Alumbia
|
Posted: Thu Jun 02, 2005 6:13 am Post subject: |
|
|
that's a lot of syntax errors. i commend you, i don't have the patience to wade through xml files. however it is slightly alarming that such errors would exist in such abundance. my understanding of glsa is not complete; when such errors are fixed by someone, will my glsa*xml be updated by an emerge --sync or similar?
i'm dropping in my 3rd production server soon and would love for glsa emerge integration to be mature and stable. what's the danger in running glsa-check -f? i haven't been using it on either desktops or servers because of the rather scary warning it emits. |
|
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9526 Location: beyond the rim
|
Posted: Thu Jun 02, 2005 2:49 pm Post subject: |
|
|
iKiddo wrote: | I think I found the problem in /usr/portage/metadata/glsa/glsa-200403-02.xml:
Code: | <package name="sys-kernel/usermode-sources" auto="yes" arch="*">
<unaffected range="rge">2.4.24-r1</unaffected>
<unaffected range="rge">2.4.26</unaffected>
<unaffected range="ge">2.6.3-r1</unaffected>
<vulnerable range="lt">2.6.3-r1</vulnerable>
</package>
|
The two instances of range="rge" seem incorrect. All the others seem to use only range="ge", range="lt" and range="le"
|
No, "rge" is correct. Seems like another unicode problem |
|
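The `KeyError: u'rge'` tracebacks in this thread come from an operator lookup that has no entry for a `range` value present in the advisory files. An added example (not glsa-check's code and not any poster's): it lists the operators in GLSA package blocks that fall outside a caller-supplied set instead of aborting on the first one. The default set is only the three values reported as common above, an assumption and not the tool's real mapping; the sample is the automake block from this thread wrapped in a constructed root element.

```python
"""Audit GLSA <package> blocks for range operators a parser does not map."""
from xml.dom import minidom
from xml.parsers.expat import ExpatError

# Constructed sample: the automake block quoted in this thread, wrapped in a
# root element so that it parses as a document.
SAMPLE_GLSA = """<affected>
  <package name="sys-devel/automake" auto="yes" arch="*">
    <unaffected range="ge">1.8.5-r3</unaffected>
    <unaffected range="rge">1.7.9-r1</unaffected>
    <unaffected range="lt">1.7</unaffected>
    <vulnerable range="le">1.8.5-r2</vulnerable>
  </package>
</affected>"""

# Assumption: only the three operators reported as common in the thread.
# Pass the operator set of the parser you are actually checking.
OBSERVED_RANGES = frozenset({"ge", "lt", "le"})


def unmapped_ranges(xml_text, known=OBSERVED_RANGES):
    """Return (package, tag, range, version) for every range not in known."""
    findings = []
    dom = minidom.parseString(xml_text)
    for pkg in dom.getElementsByTagName("package"):
        name = pkg.getAttribute("name")
        for tag in ("unaffected", "vulnerable"):
            for node in pkg.getElementsByTagName(tag):
                op = node.getAttribute("range")  # "" when the attribute is absent
                if op not in known:
                    text = "".join(c.data for c in node.childNodes
                                   if c.nodeType == c.TEXT_NODE)
                    findings.append((name, tag, op, text.strip()))
    return findings


def audit(files, known=OBSERVED_RANGES):
    """files is {file name: XML text}; return {file name: findings}.

    Malformed XML becomes a finding instead of stopping the whole run.
    """
    report = {}
    for fname, xml_text in files.items():
        try:
            found = unmapped_ranges(xml_text, known)
        except ExpatError as exc:
            found = [("<parse error>", "", "", str(exc))]
        if found:
            report[fname] = found
    return report


if __name__ == "__main__":
    for fname, rows in audit({"glsa-200404-08.xml": SAMPLE_GLSA}).items():
        for row in rows:
            print(fname, *row)
```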
|
|
jpc82 Guru
Joined: 09 Mar 2003 Posts: 326
|
Posted: Thu Jun 23, 2005 1:05 pm Post subject: |
|
|
I noticed that glsa-check does not follow the ARCH that is set.
My system is set to x86, however perl which has a glsa wants to merge a version which is still in ~x86. Is this expected? |
|
|
|
zeveck Apprentice
Joined: 17 Mar 2005 Posts: 173 Location: Boston, MA
|
Posted: Sat Jun 25, 2005 4:02 pm Post subject: |
|
|
I love glsa-check. Whenever I run emerge -upDv world and I see a list of things to update I really want to find out what the changes are so that I can evaluate whether it is worth updating...but this can take awhile to do and it would be nice to have SECURITY updates flagged in some way.
I take it that eventually glsa will do things like this once it is integrated into portage?
How can I help?
Is there any way to get glsa-check to do something spiffy like e-mail me whenever it detects a new vulnerability for my system? |
|
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9526 Location: beyond the rim
|
Posted: Sun Jun 26, 2005 12:30 pm Post subject: |
|
|
zeveck wrote: | I love glsa-check. Whenever I run emerge -upDv world and I see a list of things to update I really want to find out what the changes are so that I can evaluate whether it is worth updating...but this can take awhile to do and it would be nice to have SECURITY updates flagged in some way.
I take it that eventually glsa will do things like this once it is integrated into portage?
|
Well, as the topic says, there will be a new target in emerge. Not sure if flagging security things in a world update is realistic though.
Quote: | How can I help? |
Well, unless you want to rewrite the dependency engine in emerge (and I'm pretty sure you don't want to do that) you can't really help with the integration, sorry.
Quote: | Is there any way to get glsa-check to do something spiffy like e-mail me whenever it detects a new vulnerability for my system? |
What's wrong with cron? |
|
|
|
zeveck Apprentice
Joined: 17 Mar 2005 Posts: 173 Location: Boston, MA
|
Posted: Sun Jun 26, 2005 5:13 pm Post subject: |
|
|
My impression is that cron will just e-mail me the output of the cron jobs??
So, for instance, if I put glsa-check -l in cron I'd receive an e-mail every day listing the entire output and have to scour that to see if there was anything new.
What I'd like to do is make it so that I only receive e-mails WHEN there is something new. |
|
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9526 Location: beyond the rim
|
Posted: Sun Jun 26, 2005 7:44 pm Post subject: |
|
|
Well, you can just make a small wrapper script and use that in cron, something like
Code: | l="$(glsa-check -t new 2> /dev/null | grep '^[0-9]')"
[ -n "$l" ] && glsa-check -p $l |
should do the job. |
|
|
|
zeveck Apprentice
Joined: 17 Mar 2005 Posts: 173 Location: Boston, MA
|
Posted: Sun Jun 26, 2005 10:10 pm Post subject: |
|
|
Hmmm....so I wrote this:
Code: | #!/usr/bin/perl -w
# glsa-notify.pl
# Zeveck
# E-mails vulnerabilities detected by glsa-check to root.
# requires: glsa-check, mailx
# 20050626
# pattern the dumped details are split on (a run of asterisks)
$detailDivider = '\*{70}?';
# make sure glsa-check is installed
if (!(-e '/usr/bin/glsa-check')) {
    # double quotes so that \n becomes a newline
    die "glsa-check not found where expected!\n";
}
# get glsa-check output discarding errors
$glsaScan = `glsa-check -ln 2>/dev/null`;
@glsaEntries = split('\n',$glsaScan);
# catch entries describing vulnerabilities that this system is affected by
foreach (@glsaEntries) {
    if ($_ =~ /\s*(\d{6}?-\d\d)\s*\[N\]/) {
        push @glsaAffected, $1
    }
}
# output vulnerability details (an array in scalar context is its element
# count, so a single affected entry is handled too)
if (@glsaAffected) {
    # get details on vulnerabilities
    $fetchDetails = 'glsa-check 2>/dev/null -dn '.join(' ',@glsaAffected);
    $vulnDetails = `$fetchDetails`;
    # send each GLSA entry as an individual e-mail
    @vulnDetails = split($detailDivider,$vulnDetails);
    foreach (@vulnDetails) {
        # skip chunks without a "GLSA nnnnnn-nn: title" header so that
        # $1 and $2 are never left over from an earlier match
        next unless $_ =~ /(GLSA \d{6}?-\d\d):\s*(.*)?\s*=/;
        $subject = "$1: $2";
        # the advisory text and subject are pasted into a shell command line here
        `echo '$_' | mailx -s "$subject" root`;
    }
} |
But it doesn't quite work because:
* it seems that bash is trying to execute stuff that shows up in the echo...how can I stop that from happening?
* mailx isn't working yet (which I am working on)
It seems to me this does basically what yours does... my problem being I know Perl/PHP but haven't written many shell scripts. Can you recommend a good reference for doing so? |
|
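The symptom described in the post above, where the shell acts on text that shows up in the echo, comes from building one command string out of advisory text. An added example, not part of zeveck's script or of gentoolkit: the same list, dump and mail flow written in Python with argument lists and the message body on stdin. `glsa_details`, `mail_command`, `notify` and the `fetch`/`run` hooks are names chosen here, and the sample list is constructed in the format quoted in this thread.

```python
"""Mail GLSA details without letting a shell re-parse the advisory text."""
import re
import subprocess

# Constructed sample in the `glsa-check -l` list format quoted in this thread.
SAMPLE_LIST = """\
200402-07 [A] Clam Antivirus DoS vulnerability ( net-mail/clamav )
200403-01 [N] Libxml2 URI Parsing Buffer Overflow Vulnerabilities ( dev-libs/libxml2 )
200404-07 [U] ClamAV RAR Archive Remote Denial Of Service Vulnerability ( net-mail/clamav )
"""

ENTRY = re.compile(r"^\s*(\d{6}-\d\d)\s+\[N\]\s+(.*\S)\s*$")


def affected(list_output):
    """Return [(glsa_id, title)] for the entries flagged [N]."""
    return [m.groups() for m in map(ENTRY.match, list_output.splitlines()) if m]


def glsa_details(glsa_id):
    """Dump one advisory; the id is a single argv element, not shell text."""
    done = subprocess.run(["glsa-check", "-d", glsa_id],
                          capture_output=True, text=True)
    return done.stdout


def mail_command(glsa_id, title, recipient="root"):
    """argv for mailx; the whole subject travels as one argument."""
    subject = "GLSA %s: %s" % (glsa_id, " ".join(title.split()))
    return ["mailx", "-s", subject, recipient]


def notify(list_output, fetch=glsa_details, run=subprocess.run):
    """Send one mail per [N] entry and return the argv lists that were run.

    fetch and run are injectable (hypothetical hooks) so the flow can be
    exercised without glsa-check or mailx installed.
    """
    sent = []
    for glsa_id, title in affected(list_output):
        argv = mail_command(glsa_id, title)
        # List argv and no shell=True: quotes, backticks and $(...) inside the
        # advisory stay data. The body goes to mailx on stdin.
        run(argv, input=fetch(glsa_id), text=True, check=True)
        sent.append(argv)
    return sent  # an empty list means nothing was mailed


if __name__ == "__main__":
    print(affected(SAMPLE_LIST))
```

Run from cron, `notify` sends nothing when no entry is flagged `[N]`, so mail arrives only when there is something to act on.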
|
|
|