aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAvatar David Leverton <levertond@googlemail.com> 2008-11-16 10:16:05 +0000
committerAvatar David Leverton <levertond@googlemail.com> 2008-11-16 10:16:05 +0000
commit114f795d20592b1f0748649a16630a5c305da9d4 (patch)
tree97af2725e8a2ac30285d41642c5c6cd1744f45db
parent0007fc154be85f50a3d0f653cee66632b59e8652 (diff)
downloadpaludis-114f795d20592b1f0748649a16630a5c305da9d4.tar.gz
paludis-114f795d20592b1f0748649a16630a5c305da9d4.tar.xz
Support slot specifications in GLSAs.
-rw-r--r--paludis/repositories/e/e_repository_sets.cc15
-rw-r--r--paludis/repositories/e/e_repository_sets_TEST.cc7
-rwxr-xr-xpaludis/repositories/e/e_repository_sets_TEST_setup.sh68
-rw-r--r--paludis/repositories/e/glsa.sr1
-rw-r--r--paludis/repositories/e/xml_things.cc10
5 files changed, 93 insertions, 8 deletions
diff --git a/paludis/repositories/e/e_repository_sets.cc b/paludis/repositories/e/e_repository_sets.cc
index 8fbb479..134d0cf 100644
--- a/paludis/repositories/e/e_repository_sets.cc
+++ b/paludis/repositories/e/e_repository_sets.cc
@@ -176,6 +176,19 @@ namespace
bool
match_range(const PackageID & e, const GLSARange & r)
{
+ if (r.slot != "*")
+ {
+ try
+ {
+ if (e.slot() != SlotName(r.slot))
+ return false;
+ }
+ catch (const SlotNameError &)
+ {
+ throw GLSAError("Got bad slot '" + r.slot + "'");
+ }
+ }
+
VersionOperatorValue our_op(static_cast<VersionOperatorValue>(-1));
std::string ver(r.version);
if (r.op == "le")
@@ -203,7 +216,7 @@ namespace
if (0 == r.op.compare(0, 1, "r"))
{
return e.version().remove_revision() == VersionSpec(ver).remove_revision() &&
- match_range(e, GLSARange::create().op(r.op.substr(1)).version(r.version));
+ match_range(e, GLSARange::create().op(r.op.substr(1)).version(r.version).slot(r.slot));
}
throw GLSAError("Got bad op '" + r.op + "'");
diff --git a/paludis/repositories/e/e_repository_sets_TEST.cc b/paludis/repositories/e/e_repository_sets_TEST.cc
index ec212e9..d94002d 100644
--- a/paludis/repositories/e/e_repository_sets_TEST.cc
+++ b/paludis/repositories/e/e_repository_sets_TEST.cc
@@ -20,6 +20,7 @@
#include <paludis/repositories/e/e_repository.hh>
#include <paludis/repositories/e/dep_spec_pretty_printer.hh>
#include <paludis/repositories/fake/fake_installed_repository.hh>
+#include <paludis/repositories/fake/fake_package_id.hh>
#include <paludis/util/visitor-impl.hh>
#include <paludis/environments/test/test_environment.hh>
#include <paludis/util/system.hh>
@@ -125,7 +126,7 @@ namespace test_cases
StringifyFormatter ff;
erepository::DepSpecPrettyPrinter pretty(0, std::tr1::shared_ptr<const PackageID>(), ff, 0, false, false);
insecurity->accept(pretty);
- TEST_CHECK_STRINGIFY_EQUAL(pretty, "=cat-one/foo-1::test-repo-1 =cat-two/bar-1.5::test-repo-1 "
+ TEST_CHECK_STRINGIFY_EQUAL(pretty, "=cat-four/xyzzy-2.0.1::test-repo-1 =cat-four/xyzzy-2.0.2::test-repo-1 =cat-one/foo-1::test-repo-1 =cat-two/bar-1.5::test-repo-1 "
"=cat-two/bar-1.5.1::test-repo-1 =cat-three/baz-1.0::test-repo-1 "
"=cat-three/baz-1.1-r2::test-repo-1 =cat-three/baz-1.2::test-repo-1");
}
@@ -157,13 +158,15 @@ namespace test_cases
installed->add_version("cat-one", "foo", "2.1");
installed->add_version("cat-two", "bar", "1.5");
installed->add_version("cat-three", "baz", "1.0");
+ installed->add_version("cat-four", "xyzzy", "1.1.0")->set_slot(SlotName("1"));
+ installed->add_version("cat-four", "xyzzy", "2.0.1")->set_slot(SlotName("2"));
env.package_database()->add_repository(0, installed);
std::tr1::shared_ptr<const SetSpecTree::ConstItem> security(repo->sets_interface()->package_set(SetName("security")));
StringifyFormatter ff;
erepository::DepSpecPrettyPrinter pretty(0, std::tr1::shared_ptr<const PackageID>(), ff, 0, false, false);
security->accept(pretty);
- TEST_CHECK_STRINGIFY_EQUAL(pretty, "=cat-two/bar-2.0::test-repo-1 =cat-three/baz-1.3::test-repo-1");
+ TEST_CHECK_STRINGIFY_EQUAL(pretty, "=cat-four/xyzzy-2.0.3::test-repo-1 =cat-two/bar-2.0::test-repo-1 =cat-three/baz-1.3::test-repo-1");
}
} test_e_repository_sets_security_set;
#endif
diff --git a/paludis/repositories/e/e_repository_sets_TEST_setup.sh b/paludis/repositories/e/e_repository_sets_TEST_setup.sh
index 376dc70..ba04ae7 100755
--- a/paludis/repositories/e/e_repository_sets_TEST_setup.sh
+++ b/paludis/repositories/e/e_repository_sets_TEST_setup.sh
@@ -12,6 +12,7 @@ cat <<END > profiles/categories || exit 1
cat-one
cat-two
cat-three
+cat-four
END
cat <<END > profiles/profile/make.defaults
ARCH=test
@@ -23,7 +24,7 @@ cat <<END > sets/set1.conf
? <cat-three/baz-1.2
END
-mkdir -p cat-one/foo cat-two/bar cat-three/baz
+mkdir -p cat-one/foo cat-two/bar cat-three/baz cat-four/xyzzy
cat <<END > cat-one/foo/foo-1.ebuild
SLOT="0"
KEYWORDS="test"
@@ -44,6 +45,15 @@ cat <<END > cat-three/baz/baz-1.3.1.ebuild
SLOT="0"
KEYWORDS="~test"
END
+cat <<END > cat-four/xyzzy/xyzzy-1.1.0.ebuild
+SLOT="\${PV:0:1}"
+KEYWORDS="test"
+END
+cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-1.1.1.ebuild
+cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-2.0.1.ebuild
+cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-2.0.1-r1.ebuild
+cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-2.0.2.ebuild
+cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-2.0.3.ebuild
cat <<END > metadata/glsa/glsa-123456-78.xml
<?xml version="1.0" encoding="utf-8"?>
@@ -210,5 +220,61 @@ cat <<END > metadata/glsa/glsa-987654-32.xml
</glsa>
END
+cat <<END > metadata/glsa/glsa-112358-42.xml
+<?xml version="1.0" encoding="utf-8"?>
+<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
+<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+
+<glsa id="112358-42">
+ <title>
+ Xyzzy: SQL injection
+ </title>
+ <synopsis>
+ Xyzzy is vulnerable to SQL injection attacks.
+ </synopsis>
+ <product type="ebuild">xyzzy</product>
+ <announced>Nov 16, 2008</announced>
+ <revised>Nov 16, 2008: 01</revised>
+ <bug>112358</bug>
+ <access>local</access>
+ <affected>
+ <package name="cat-four/xyzzy" auto="yes" arch="*">
+ <unaffected range="ge" slot="2">2.0.3</unaffected>
+ <vulnerable range="lt" slot="2">2.0.3</vulnerable>
+ <unaffected range="eq" slot="*">2.0.1-r1</unaffected>
+ </package>
+ </affected>
+ <background>
+ <p>
+ Xyzzy is a magic word with an SQL backend.
+ </p>
+ </background>
+ <description>
+ <p>
+ Passing magic SQL characters to Xyzzy allows an attacker to
+ execute arbitrary queries.
+ </p>
+ </description>
+ <impact type="high">
+ <p>
+ Arbitrary SQL queries can be executed.
+ </p>
+ </impact>
+ <workaround>
+ <p>
+ There is no known workaround at this time.
+ </p>
+ </workaround>
+ <resolution>
+ <p>
+ All Xyzzy users should upgrade to the latest version.
+ </p>
+ </resolution>
+ <references>
+ </references>
+</glsa>
+END
+
cd ..
diff --git a/paludis/repositories/e/glsa.sr b/paludis/repositories/e/glsa.sr
index e96d6e8..a182651 100644
--- a/paludis/repositories/e/glsa.sr
+++ b/paludis/repositories/e/glsa.sr
@@ -5,6 +5,7 @@ make_class_GLSARange()
key op std::string
# not a version, may be something like 1.3*
key version std::string
+ key slot std::string
allow_named_args
diff --git a/paludis/repositories/e/xml_things.cc b/paludis/repositories/e/xml_things.cc
index 4e2ee3e..8b1dcae 100644
--- a/paludis/repositories/e/xml_things.cc
+++ b/paludis/repositories/e/xml_things.cc
@@ -179,7 +179,7 @@ namespace
}
}
- void handle_range_range(xmlDocPtr doc, xmlAttr * const attr, std::string & op)
+ void handle_range_range(xmlDocPtr doc, xmlAttr * const attr, std::string & op, std::string & slot)
{
for (xmlAttr * a(attr) ; a ; a = a->next)
{
@@ -188,6 +188,8 @@ namespace
std::string name(unstupid_libxml_string(a->name));
if (name == "range")
op = fix_whitespace(unstupid_libxml_string(xmlNodeListGetString(doc, a->xmlChildrenNode, 1)));
+ else if (name == "slot")
+ slot = fix_whitespace(unstupid_libxml_string(xmlNodeListGetString(doc, a->xmlChildrenNode, 1)));
}
}
}
@@ -201,11 +203,11 @@ namespace
std::string name(unstupid_libxml_string(n->name));
if (name == "unaffected" || name == "vulnerable")
{
- std::string op;
- handle_range_range(doc, n->properties, op);
+ std::string op, slot("*");
+ handle_range_range(doc, n->properties, op, slot);
std::string version(fix_whitespace(unstupid_libxml_string(xmlNodeListGetString(doc, n->xmlChildrenNode, 1))));
((*pkg).*(name == "unaffected" ? &GLSAPackage::add_unaffected : &GLSAPackage::add_vulnerable))
- (GLSARange::create().op(op).version(version));
+ (GLSARange::create().op(op).version(version).slot(slot));
}
else
handle_node(doc, n->children);