diff options
author | 2008-11-16 10:16:05 +0000 | |
---|---|---|
committer | 2008-11-16 10:16:05 +0000 | |
commit | 114f795d20592b1f0748649a16630a5c305da9d4 (patch) | |
tree | 97af2725e8a2ac30285d41642c5c6cd1744f45db | |
parent | 0007fc154be85f50a3d0f653cee66632b59e8652 (diff) | |
download | paludis-114f795d20592b1f0748649a16630a5c305da9d4.tar.gz paludis-114f795d20592b1f0748649a16630a5c305da9d4.tar.xz |
Support slot specifications in GLSAs.
-rw-r--r-- | paludis/repositories/e/e_repository_sets.cc | 15 | ||||
-rw-r--r-- | paludis/repositories/e/e_repository_sets_TEST.cc | 7 | ||||
-rwxr-xr-x | paludis/repositories/e/e_repository_sets_TEST_setup.sh | 68 | ||||
-rw-r--r-- | paludis/repositories/e/glsa.sr | 1 | ||||
-rw-r--r-- | paludis/repositories/e/xml_things.cc | 10 |
5 files changed, 93 insertions, 8 deletions
diff --git a/paludis/repositories/e/e_repository_sets.cc b/paludis/repositories/e/e_repository_sets.cc index 8fbb479..134d0cf 100644 --- a/paludis/repositories/e/e_repository_sets.cc +++ b/paludis/repositories/e/e_repository_sets.cc @@ -176,6 +176,19 @@ namespace bool match_range(const PackageID & e, const GLSARange & r) { + if (r.slot != "*") + { + try + { + if (e.slot() != SlotName(r.slot)) + return false; + } + catch (const SlotNameError &) + { + throw GLSAError("Got bad slot '" + r.slot + "'"); + } + } + VersionOperatorValue our_op(static_cast<VersionOperatorValue>(-1)); std::string ver(r.version); if (r.op == "le") @@ -203,7 +216,7 @@ namespace if (0 == r.op.compare(0, 1, "r")) { return e.version().remove_revision() == VersionSpec(ver).remove_revision() && - match_range(e, GLSARange::create().op(r.op.substr(1)).version(r.version)); + match_range(e, GLSARange::create().op(r.op.substr(1)).version(r.version).slot(r.slot)); } throw GLSAError("Got bad op '" + r.op + "'"); diff --git a/paludis/repositories/e/e_repository_sets_TEST.cc b/paludis/repositories/e/e_repository_sets_TEST.cc index ec212e9..d94002d 100644 --- a/paludis/repositories/e/e_repository_sets_TEST.cc +++ b/paludis/repositories/e/e_repository_sets_TEST.cc @@ -20,6 +20,7 @@ #include <paludis/repositories/e/e_repository.hh> #include <paludis/repositories/e/dep_spec_pretty_printer.hh> #include <paludis/repositories/fake/fake_installed_repository.hh> +#include <paludis/repositories/fake/fake_package_id.hh> #include <paludis/util/visitor-impl.hh> #include <paludis/environments/test/test_environment.hh> #include <paludis/util/system.hh> @@ -125,7 +126,7 @@ namespace test_cases StringifyFormatter ff; erepository::DepSpecPrettyPrinter pretty(0, std::tr1::shared_ptr<const PackageID>(), ff, 0, false, false); insecurity->accept(pretty); - TEST_CHECK_STRINGIFY_EQUAL(pretty, "=cat-one/foo-1::test-repo-1 =cat-two/bar-1.5::test-repo-1 " + TEST_CHECK_STRINGIFY_EQUAL(pretty, "=cat-four/xyzzy-2.0.1::test-repo-1 =cat-four/xyzzy-2.0.2::test-repo-1 =cat-one/foo-1::test-repo-1 =cat-two/bar-1.5::test-repo-1 " "=cat-two/bar-1.5.1::test-repo-1 =cat-three/baz-1.0::test-repo-1 " "=cat-three/baz-1.1-r2::test-repo-1 =cat-three/baz-1.2::test-repo-1"); } @@ -157,13 +158,15 @@ namespace test_cases installed->add_version("cat-one", "foo", "2.1"); installed->add_version("cat-two", "bar", "1.5"); installed->add_version("cat-three", "baz", "1.0"); + installed->add_version("cat-four", "xyzzy", "1.1.0")->set_slot(SlotName("1")); + installed->add_version("cat-four", "xyzzy", "2.0.1")->set_slot(SlotName("2")); env.package_database()->add_repository(0, installed); std::tr1::shared_ptr<const SetSpecTree::ConstItem> security(repo->sets_interface()->package_set(SetName("security"))); StringifyFormatter ff; erepository::DepSpecPrettyPrinter pretty(0, std::tr1::shared_ptr<const PackageID>(), ff, 0, false, false); security->accept(pretty); - TEST_CHECK_STRINGIFY_EQUAL(pretty, "=cat-two/bar-2.0::test-repo-1 =cat-three/baz-1.3::test-repo-1"); + TEST_CHECK_STRINGIFY_EQUAL(pretty, "=cat-four/xyzzy-2.0.3::test-repo-1 =cat-two/bar-2.0::test-repo-1 =cat-three/baz-1.3::test-repo-1"); } } test_e_repository_sets_security_set; #endif diff --git a/paludis/repositories/e/e_repository_sets_TEST_setup.sh b/paludis/repositories/e/e_repository_sets_TEST_setup.sh index 376dc70..ba04ae7 100755 --- a/paludis/repositories/e/e_repository_sets_TEST_setup.sh +++ b/paludis/repositories/e/e_repository_sets_TEST_setup.sh @@ -12,6 +12,7 @@ cat <<END > profiles/categories || exit 1 cat-one cat-two cat-three +cat-four END cat <<END > profiles/profile/make.defaults ARCH=test @@ -23,7 +24,7 @@ cat <<END > sets/set1.conf ? <cat-three/baz-1.2 END -mkdir -p cat-one/foo cat-two/bar cat-three/baz +mkdir -p cat-one/foo cat-two/bar cat-three/baz cat-four/xyzzy cat <<END > cat-one/foo/foo-1.ebuild SLOT="0" KEYWORDS="test" @@ -44,6 +45,15 @@ cat <<END > cat-three/baz/baz-1.3.1.ebuild SLOT="0" KEYWORDS="~test" END +cat <<END > cat-four/xyzzy/xyzzy-1.1.0.ebuild +SLOT="\${PV:0:1}" +KEYWORDS="test" +END +cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-1.1.1.ebuild +cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-2.0.1.ebuild +cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-2.0.1-r1.ebuild +cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-2.0.2.ebuild +cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-2.0.3.ebuild cat <<END > metadata/glsa/glsa-123456-78.xml <?xml version="1.0" encoding="utf-8"?> @@ -210,5 +220,61 @@ cat <<END > metadata/glsa/glsa-987654-32.xml </glsa> END +cat <<END > metadata/glsa/glsa-112358-42.xml +<?xml version="1.0" encoding="utf-8"?> +<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?> +<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> + +<glsa id="112358-42"> + <title> + Xyzzy: SQL injection + </title> + <synopsis> + Xyzzy is vulnerable to SQL injection attacks. + </synopsis> + <product type="ebuild">xyzzy</product> + <announced>Nov 16, 2008</announced> + <revised>Nov 16, 2008: 01</revised> + <bug>112358</bug> + <access>local</access> + <affected> + <package name="cat-four/xyzzy" auto="yes" arch="*"> + <unaffected range="ge" slot="2">2.0.3</unaffected> + <vulnerable range="lt" slot="2">2.0.3</vulnerable> + <unaffected range="eq" slot="*">2.0.1-r1</unaffected> + </package> + </affected> + <background> + <p> + Xyzzy is a magic word with an SQL backend. + </p> + </background> + <description> + <p> + Passing magic SQL characters to Xyzzy allows an attacker to + execute arbitrary queries. + </p> + </description> + <impact type="high"> + <p> + Arbitrary SQL queries can be executed. + </p> + </impact> + <workaround> + <p> + There is no known workaround at this time. + </p> + </workaround> + <resolution> + <p> + All Xyzzy users should upgrade to the latest version. + </p> + </resolution> + <references> + </references> +</glsa> +END + cd .. diff --git a/paludis/repositories/e/glsa.sr b/paludis/repositories/e/glsa.sr index e96d6e8..a182651 100644 --- a/paludis/repositories/e/glsa.sr +++ b/paludis/repositories/e/glsa.sr @@ -5,6 +5,7 @@ make_class_GLSARange() key op std::string # not a version, may be something like 1.3* key version std::string + key slot std::string allow_named_args diff --git a/paludis/repositories/e/xml_things.cc b/paludis/repositories/e/xml_things.cc index 4e2ee3e..8b1dcae 100644 --- a/paludis/repositories/e/xml_things.cc +++ b/paludis/repositories/e/xml_things.cc @@ -179,7 +179,7 @@ namespace } } - void handle_range_range(xmlDocPtr doc, xmlAttr * const attr, std::string & op) + void handle_range_range(xmlDocPtr doc, xmlAttr * const attr, std::string & op, std::string & slot) { for (xmlAttr * a(attr) ; a ; a = a->next) { @@ -188,6 +188,8 @@ namespace std::string name(unstupid_libxml_string(a->name)); if (name == "range") op = fix_whitespace(unstupid_libxml_string(xmlNodeListGetString(doc, a->xmlChildrenNode, 1))); + else if (name == "slot") + slot = fix_whitespace(unstupid_libxml_string(xmlNodeListGetString(doc, a->xmlChildrenNode, 1))); } } } @@ -201,11 +203,11 @@ namespace std::string name(unstupid_libxml_string(n->name)); if (name == "unaffected" || name == "vulnerable") { - std::string op; - handle_range_range(doc, n->properties, op); + std::string op, slot("*"); + handle_range_range(doc, n->properties, op, slot); std::string version(fix_whitespace(unstupid_libxml_string(xmlNodeListGetString(doc, n->xmlChildrenNode, 1)))); ((*pkg).*(name == "unaffected" ? &GLSAPackage::add_unaffected : &GLSAPackage::add_vulnerable)) - (GLSARange::create().op(op).version(version)); + (GLSARange::create().op(op).version(version).slot(slot)); } else handle_node(doc, n->children); |