Support slot specifications in GLSAs.

author: David Leverton <levertond@googlemail.com> 2008-11-16 10:16:05 +0000
committer: David Leverton <levertond@googlemail.com> 2008-11-16 10:16:05 +0000
commit: 114f795d20592b1f0748649a16630a5c305da9d4 (patch)
tree: 97af2725e8a2ac30285d41642c5c6cd1744f45db
parent: 0007fc154be85f50a3d0f653cee66632b59e8652 (diff)
download: paludis-114f795d20592b1f0748649a16630a5c305da9d4.tar.gz
paludis-114f795d20592b1f0748649a16630a5c305da9d4.tar.xz
5 files changed, 93 insertions, 8 deletions
diff --git a/paludis/repositories/e/e_repository_sets.cc b/paludis/repositories/e/e_repository_sets.cc
index 8fbb479..134d0cf 100644
--- a/paludis/repositories/e/e_repository_sets.cc
+++ b/paludis/repositories/e/e_repository_sets.cc
@@ -176,6 +176,19 @@ namespace
     bool
     match_range(const PackageID & e, const GLSARange & r)
     {
+        if (r.slot != "*")
+        {
+            try
+            {
+                if (e.slot() != SlotName(r.slot))
+                    return false;
+            }
+            catch (const SlotNameError &)
+            {
+                throw GLSAError("Got bad slot '" + r.slot + "'");
+            }
+        }
+
         VersionOperatorValue our_op(static_cast<VersionOperatorValue>(-1));
         std::string ver(r.version);
         if (r.op == "le")
@@ -203,7 +216,7 @@ namespace
         if (0 == r.op.compare(0, 1, "r"))
         {
             return e.version().remove_revision() == VersionSpec(ver).remove_revision() &&
-                match_range(e, GLSARange::create().op(r.op.substr(1)).version(r.version));
+                match_range(e, GLSARange::create().op(r.op.substr(1)).version(r.version).slot(r.slot));
         }
 
         throw GLSAError("Got bad op '" + r.op + "'");
diff --git a/paludis/repositories/e/e_repository_sets_TEST.cc b/paludis/repositories/e/e_repository_sets_TEST.cc
index ec212e9..d94002d 100644
--- a/paludis/repositories/e/e_repository_sets_TEST.cc
+++ b/paludis/repositories/e/e_repository_sets_TEST.cc
@@ -20,6 +20,7 @@
 #include <paludis/repositories/e/e_repository.hh>
 #include <paludis/repositories/e/dep_spec_pretty_printer.hh>
 #include <paludis/repositories/fake/fake_installed_repository.hh>
+#include <paludis/repositories/fake/fake_package_id.hh>
 #include <paludis/util/visitor-impl.hh>
 #include <paludis/environments/test/test_environment.hh>
 #include <paludis/util/system.hh>
@@ -125,7 +126,7 @@ namespace test_cases
             StringifyFormatter ff;
             erepository::DepSpecPrettyPrinter pretty(0, std::tr1::shared_ptr<const PackageID>(), ff, 0, false, false);
             insecurity->accept(pretty);
-            TEST_CHECK_STRINGIFY_EQUAL(pretty, "=cat-one/foo-1::test-repo-1 =cat-two/bar-1.5::test-repo-1 "
+            TEST_CHECK_STRINGIFY_EQUAL(pretty, "=cat-four/xyzzy-2.0.1::test-repo-1 =cat-four/xyzzy-2.0.2::test-repo-1 =cat-one/foo-1::test-repo-1 =cat-two/bar-1.5::test-repo-1 "
                                        "=cat-two/bar-1.5.1::test-repo-1 =cat-three/baz-1.0::test-repo-1 "
                                        "=cat-three/baz-1.1-r2::test-repo-1 =cat-three/baz-1.2::test-repo-1");
         }
@@ -157,13 +158,15 @@ namespace test_cases
             installed->add_version("cat-one", "foo", "2.1");
             installed->add_version("cat-two", "bar", "1.5");
             installed->add_version("cat-three", "baz", "1.0");
+            installed->add_version("cat-four", "xyzzy", "1.1.0")->set_slot(SlotName("1"));
+            installed->add_version("cat-four", "xyzzy", "2.0.1")->set_slot(SlotName("2"));
             env.package_database()->add_repository(0, installed);
 
             std::tr1::shared_ptr<const SetSpecTree::ConstItem> security(repo->sets_interface()->package_set(SetName("security")));
             StringifyFormatter ff;
             erepository::DepSpecPrettyPrinter pretty(0, std::tr1::shared_ptr<const PackageID>(), ff, 0, false, false);
             security->accept(pretty);
-            TEST_CHECK_STRINGIFY_EQUAL(pretty, "=cat-two/bar-2.0::test-repo-1 =cat-three/baz-1.3::test-repo-1");
+            TEST_CHECK_STRINGIFY_EQUAL(pretty, "=cat-four/xyzzy-2.0.3::test-repo-1 =cat-two/bar-2.0::test-repo-1 =cat-three/baz-1.3::test-repo-1");
         }
     } test_e_repository_sets_security_set;
 #endif
diff --git a/paludis/repositories/e/e_repository_sets_TEST_setup.sh b/paludis/repositories/e/e_repository_sets_TEST_setup.sh
index 376dc70..ba04ae7 100755
--- a/paludis/repositories/e/e_repository_sets_TEST_setup.sh
+++ b/paludis/repositories/e/e_repository_sets_TEST_setup.sh
@@ -12,6 +12,7 @@ cat <<END > profiles/categories || exit 1
 cat-one
 cat-two
 cat-three
+cat-four
 END
 cat <<END > profiles/profile/make.defaults
 ARCH=test
@@ -23,7 +24,7 @@ cat <<END > sets/set1.conf
 ? <cat-three/baz-1.2
 END
 
-mkdir -p cat-one/foo cat-two/bar cat-three/baz
+mkdir -p cat-one/foo cat-two/bar cat-three/baz cat-four/xyzzy
 cat <<END > cat-one/foo/foo-1.ebuild
 SLOT="0"
 KEYWORDS="test"
@@ -44,6 +45,15 @@ cat <<END > cat-three/baz/baz-1.3.1.ebuild
 SLOT="0"
 KEYWORDS="~test"
 END
+cat <<END > cat-four/xyzzy/xyzzy-1.1.0.ebuild
+SLOT="\${PV:0:1}"
+KEYWORDS="test"
+END
+cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-1.1.1.ebuild
+cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-2.0.1.ebuild
+cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-2.0.1-r1.ebuild
+cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-2.0.2.ebuild
+cp cat-four/xyzzy/xyzzy-1.1.0.ebuild cat-four/xyzzy/xyzzy-2.0.3.ebuild
 
 cat <<END > metadata/glsa/glsa-123456-78.xml
 <?xml version="1.0" encoding="utf-8"?>
@@ -210,5 +220,61 @@ cat <<END > metadata/glsa/glsa-987654-32.xml
 </glsa>
 END
 
+cat <<END > metadata/glsa/glsa-112358-42.xml
+<?xml version="1.0" encoding="utf-8"?>
+<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
+<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+
+<glsa id="112358-42">
+  <title>
+   Xyzzy: SQL injection
+  </title>
+  <synopsis>
+    Xyzzy is vulnerable to SQL injection attacks.
+  </synopsis>
+  <product type="ebuild">xyzzy</product>
+  <announced>Nov 16, 2008</announced>
+  <revised>Nov 16, 2008: 01</revised>
+  <bug>112358</bug>
+  <access>local</access>
+  <affected>
+    <package name="cat-four/xyzzy" auto="yes" arch="*">
+      <unaffected range="ge" slot="2">2.0.3</unaffected>
+      <vulnerable range="lt" slot="2">2.0.3</vulnerable>
+      <unaffected range="eq" slot="*">2.0.1-r1</unaffected>
+    </package>
+  </affected>
+  <background>
+    <p>
+    Xyzzy is a magic word with an SQL backend.
+    </p>
+  </background>
+  <description>
+    <p>
+    Passing magic SQL characters to Xyzzy allows an attacker to
+    execute arbitrary queries.
+    </p>
+  </description>
+  <impact type="high">
+    <p>
+    Arbitrary SQL queries can be executed.
+    </p>
+  </impact>
+  <workaround>
+    <p>
+    There is no known workaround at this time.
+    </p>
+  </workaround>
+  <resolution>
+    <p>
+    All Xyzzy users should upgrade to the latest version.
+    </p>
+  </resolution>
+  <references>
+  </references>
+</glsa>
+END
+
 cd ..
 
diff --git a/paludis/repositories/e/glsa.sr b/paludis/repositories/e/glsa.sr
index e96d6e8..a182651 100644
--- a/paludis/repositories/e/glsa.sr
+++ b/paludis/repositories/e/glsa.sr
@@ -5,6 +5,7 @@ make_class_GLSARange()
     key op std::string
     # not a version, may be something like 1.3*
     key version std::string
+    key slot std::string
 
     allow_named_args
 
diff --git a/paludis/repositories/e/xml_things.cc b/paludis/repositories/e/xml_things.cc
index 4e2ee3e..8b1dcae 100644
--- a/paludis/repositories/e/xml_things.cc
+++ b/paludis/repositories/e/xml_things.cc
@@ -179,7 +179,7 @@ namespace
                 }
             }
 
-            void handle_range_range(xmlDocPtr doc, xmlAttr * const attr, std::string & op)
+            void handle_range_range(xmlDocPtr doc, xmlAttr * const attr, std::string & op, std::string & slot)
             {
                 for (xmlAttr * a(attr) ; a ; a = a->next)
                 {
@@ -188,6 +188,8 @@ namespace
                         std::string name(unstupid_libxml_string(a->name));
                         if (name == "range")
                             op = fix_whitespace(unstupid_libxml_string(xmlNodeListGetString(doc, a->xmlChildrenNode, 1)));
+                        else if (name == "slot")
+                            slot = fix_whitespace(unstupid_libxml_string(xmlNodeListGetString(doc, a->xmlChildrenNode, 1)));
                     }
                 }
             }
@@ -201,11 +203,11 @@ namespace
                         std::string name(unstupid_libxml_string(n->name));
                         if (name == "unaffected" || name == "vulnerable")
                         {
-                            std::string op;
-                            handle_range_range(doc, n->properties, op);
+                            std::string op, slot("*");
+                            handle_range_range(doc, n->properties, op, slot);
                             std::string version(fix_whitespace(unstupid_libxml_string(xmlNodeListGetString(doc, n->xmlChildrenNode, 1))));
                             ((*pkg).*(name == "unaffected" ? &GLSAPackage::add_unaffected : &GLSAPackage::add_vulnerable))
-                                (GLSARange::create().op(op).version(version));
+                                (GLSARange::create().op(op).version(version).slot(slot));
                         }
                         else
                             handle_node(doc, n->children);
author	David Leverton <levertond@googlemail.com>	2008-11-16 10:16:05 +0000
committer	David Leverton <levertond@googlemail.com>	2008-11-16 10:16:05 +0000
commit	114f795d20592b1f0748649a16630a5c305da9d4 (patch)
tree	97af2725e8a2ac30285d41642c5c6cd1744f45db
parent	0007fc154be85f50a3d0f653cee66632b59e8652 (diff)
download	paludis-114f795d20592b1f0748649a16630a5c305da9d4.tar.gz paludis-114f795d20592b1f0748649a16630a5c305da9d4.tar.xz