From owner-freebsd-vuxml@FreeBSD.ORG Sun Sep 19 08:01:54 2004
Date: Sun, 19 Sep 2004 10:02:37 +0200
From: Mathieu Arnold
To: freebsd-vuxml@freebsd.org
Message-ID: <5127566408FEC0289696CC7A@nescarba.in.t-online.fr>
In-Reply-To: <414C6EA1.25173.34BD6CDE@localhost>
Subject: Re: confused by ranges
List-Id: Documenting security issues in VuXML

On 18/09/2004 17:21 -0400, Dan Langille wrote:
| I'm having a quick look through vuln.xml:
|
| <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
|
| Intuitively, that means you are vulnerable if you have versions >=
| 2.0 or < 2.0.50_3.

This one is an AND : VER > 2.0 AND VER < 2.0.50_3

| Is that correct? Is that how to apply the rules.
| I found the DTD
| confused me more than the examples did.
|
| This is an interesting example:
|
| <range><lt>1.1.2_1</lt></range>
| <range><ge>2.0</ge></range>
|
| Two range statements in the same package... instead of one range with
| two operators. Why?

This one is an OR, that is VER < 1.1.2_1 or VER > 2.0
because the version can't be < 1.1.2_1 and > 2.0.

-- 
Mathieu Arnold

From owner-freebsd-vuxml@FreeBSD.ORG Sun Sep 19 12:38:35 2004
From: "Dan Langille"
To: Mathieu Arnold
Date: Sun, 19 Sep 2004 08:38:33 -0400
Message-ID: <414D4589.218.3804EA89@localhost>
In-reply-to: <4433CFB17394B75789799BD9@nescarba.in.t-online.fr>
cc: freebsd-vuxml@freebsd.org
Subject: Re: confused by ranges

On 19 Sep 2004 at 9:56, Mathieu Arnold wrote:

> On 18/09/2004 17:21 -0400, Dan Langille wrote:
> | I'm having a quick look through vuln.xml:
> |
> | <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
> |
> | Intuitively, that means you are vulnerable if you have versions >=
> | 2.0 or < 2.0.50_3.
>
> This one is an AND : VER > 2.0 AND VER < 2.0.50_3

If there are two operators in a range, it is an AND. The testing
values always go before the supplied operator. Correct?

> | Is that correct? Is that how to apply the rules. I found the DTD
> | confused me more than the examples did.
> |
> | This is an interesting example:
> |
> | <range><lt>1.1.2_1</lt></range>
> | <range><ge>2.0</ge></range>
> |
> | Two range statements in the same package... instead of one range with
> | two operators. Why?
>
> This one is an OR, that is VER < 1.1.2_1 or VER > 2.0
>
> because the version can't be < 1.1.2_1 and > 2.0.

If there are multiple ranges for a package within a vuln, they are
used to construct an OR. Actually, they could be applied separately
to test values separately (i.e. if one was processing this one row at
a time, you could just test the value and not worry about whether or
not the next row contained another range entry).

Correct?

Thank you.
-- 
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From owner-freebsd-vuxml@FreeBSD.ORG Sun Sep 19 12:47:16 2004
Date: Sun, 19 Sep 2004 14:48:02 +0200
From: Mathieu Arnold
To: Dan Langille
cc: freebsd-vuxml@freebsd.org
Message-ID: <406631FA4FA5D14563850431@nescarba.in.t-online.fr>
In-Reply-To: <414D4589.218.3804EA89@localhost>
Subject: Re: confused by ranges

On 19/09/2004 08:38 -0400, Dan Langille wrote:
| On 19 Sep 2004 at 9:56, Mathieu Arnold wrote:
|
|> On 18/09/2004 17:21 -0400, Dan Langille wrote:
|> | I'm having a quick look
|> | through vuln.xml:
|> |
|> | <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
|> |
|> | Intuitively, that means you are vulnerable if you have versions >=
|> | 2.0 or < 2.0.50_3.
|>
|> This one is an AND : VER > 2.0 AND VER < 2.0.50_3
|
| If there are two operators in a range, it is an AND. The testing
| values always go before the supplied operator. Correct?
|
|> | Is that correct? Is that how to apply the rules. I found the DTD
|> | confused me more than the examples did.
|> |
|> | This is an interesting example:
|> |
|> | <range><lt>1.1.2_1</lt></range>
|> | <range><ge>2.0</ge></range>
|> |
|> | Two range statements in the same package... instead of one range with
|> | two operators. Why?
|>
|> This one is an OR, that is VER < 1.1.2_1 or VER > 2.0
|>
|> because the version can't be < 1.1.2_1 and > 2.0.
|
| If there are multiple ranges for a package within a vuln, they are
| used to construct an OR. Actually, they could be applied separately
| to test values separately (i.e. if one was processing this one row at
| a time, you could just test the value and not worry about whether or
| not the next row contained another range entry).
|
| Correct?

Yes, I think this description is a bit too complicated. A
<range>...</range> value defines a range of affected versions, and there
can be multiple ranges for a package.
But we're saying the same thing :-)

-- 
Mathieu Arnold

From owner-freebsd-vuxml@FreeBSD.ORG Sun Sep 19 15:24:45 2004
Date: Sun, 19 Sep 2004 10:24:24 -0500
From: "Jacques A.
Vidrine"
To: Dan Langille
cc: freebsd-vuxml@freebsd.org
Message-ID: <20040919152424.GA16616@lum.celabo.org>
In-Reply-To: <414C6EA1.25173.34BD6CDE@localhost>
Subject: Re: confused by ranges

On Sat, Sep 18, 2004 at 05:21:37PM -0400, Dan Langille wrote:
> I'm having a quick look through vuln.xml:
>
> <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
>
> Intuitively, that means you are vulnerable if you have versions >=
> 2.0 or < 2.0.50_3.

Not quite. <range> elements specify version ranges (intervals). The
snip above specifies

   x >= 2.0 AND x < 2.0.50_3
   2.0 <= x < 2.0.50_3
   [2.0, 2.0.50_3)

All of these are acceptable means of expressing the same idea. I tend
to visualize the middle one... and in fact that is how I render the
ranges on vuxml.org (e.g. "2.0 <= apache < 2.0.50_3").

> Is that correct? Is that how to apply the rules. I found the DTD
> confused me more than the examples did.

Then perhaps I should add some more examples and work on the text
description :-)

> This is an interesting example:
>
> <range><lt>1.1.2_1</lt></range>
> <range><ge>2.0</ge></range>
>
> Two range statements in the same package... instead of one range with
> two operators. Why?

Because they are two non-contiguous ranges and cannot be expressed by a
single interval. The two are:

   x < 1.1.2_1
   2.0 >= x

or equivalently [0, 1.1.2_1) and [2.0, infinity).

Hmm, re-reading what you wrote, it seems you want to think of it
algorithmically.
In that case, you could interpret each <range> element
as containing expressions that should be ANDed (although the number and
form of the expressions are constrained by the DTD), while multiple
<range> elements in one <package> should be ORed.

Hope this helps!

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-vuxml@FreeBSD.ORG Sun Sep 19 15:33:10 2004
Date: Sun, 19 Sep 2004 10:32:45 -0500
From: "Jacques A. Vidrine"
To: Dan Langille
Message-ID: <20040919153245.GB16616@lum.celabo.org>
cc: freebsd-vuxml@freebsd.org
cc: Mathieu Arnold
In-Reply-To: <414D4589.218.3804EA89@localhost>
Subject: Re: confused by ranges

On Sun, Sep 19, 2004 at 08:38:33AM -0400, Dan Langille wrote:
> > This one is an AND : VER > 2.0 AND VER < 2.0.50_3
>
> If there are two operators in a range, it is an AND. The testing
> values always go before the supplied operator. Correct?
[...]
> If there are multiple ranges for a package within a vuln, they are
> used to construct an OR.

When dealing with ranges programmatically, one should probably handle
them as one would an interval in any application, e.g.
   struct interval {
       Version low;         /* lower bound, from <ge> or <gt> */
       bool    low_closed;  /* true for <ge>, false for <gt> */
       Version high;        /* upper bound, from <le> or <lt> */
       bool    high_closed; /* true for <le>, false for <lt> */
   };

Then comparison is

   for (int i = 0; i < interval_count; ++i)
       /* both bounds of one interval must hold (AND); a match on any
          one interval is enough (OR) */
       if ((interval[i].low < x ||
            (interval[i].low_closed && interval[i].low == x)) &&
           (interval[i].high > x ||
            (interval[i].high_closed && interval[i].high == x)))
           /* it is affected */ ;

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-vuxml@FreeBSD.ORG Sun Sep 19 23:35:58 2004
From: "Dan Langille"
To: "Jacques A. Vidrine"
cc: freebsd-vuxml@freebsd.org
Date: Sun, 19 Sep 2004 19:35:57 -0400
Message-ID: <414DDF9D.23278.3A5EC686@localhost>
In-reply-to: <20040919152424.GA16616@lum.celabo.org>
Subject: Re: confused by ranges

On 19 Sep 2004 at 10:24, Jacques A.
Vidrine wrote:
> On Sat, Sep 18, 2004 at 05:21:37PM -0400, Dan Langille wrote:
> > I'm having a quick look through vuln.xml:
> >
> > <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
> >
> > Intuitively, that means you are vulnerable if you have versions >=
> > 2.0 or < 2.0.50_3.
>
> Not quite. <range> elements specify version ranges (intervals). The
> snip above specifies
>
>    x >= 2.0 AND x < 2.0.50_3
>    2.0 <= x < 2.0.50_3
>    [2.0, 2.0.50_3)
>
> All of these are acceptable means of expressing the same idea. I tend
> to visualize the middle one... and in fact that is how I render the
> ranges on vuxml.org (e.g. "2.0 <= apache < 2.0.50_3").

FWIW, the FreshPorts vuxml_ranges is set up with that in mind. It looks
something like this:

   version_start | operator_start | operator_end | version_end

And the version being tested goes between the second and third columns.
However, I think I will now change this. What I have requires flipping
an operator. For now, I'd rather duplicate exactly what is in the
vuln.xml file.

> > Is that correct? Is that how to apply the rules. I found the DTD
> > confused me more than the examples did.
>
> Then perhaps I should add some more examples and work on the text
> description :-)

Yep. Practical examples work wonders.

> > This is an interesting example:
> >
> > <range><lt>1.1.2_1</lt></range>
> > <range><ge>2.0</ge></range>
> >
> > Two range statements in the same package... instead of one range with
> > two operators. Why?
>
> Because they are two non-contiguous ranges and cannot be expressed by a
> single interval. The two are:
>
>    x < 1.1.2_1
>    2.0 >= x
>
> or equivalently [0, 1.1.2_1) and [2.0, infinity).
>
>
> Hmm, re-reading what you wrote, it seems you want to think of it
> algorithmically. In that case, you could interpret each <range> element
> as containing expressions that should be ANDed (although the number and
> form of the expressions are constrained by the DTD), while multiple
> <range> elements in one <package> should be ORed.
>
> Hope this helps!

It does. Thanks. I know how to complete this part now.
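The AND-within-a-range, OR-across-ranges reading Jacques gives above, worked through as an added example that is not code from this thread, from FreshPorts or from VuXML: it parses a constructed <affects> fragment, applies each bound with a comparator that orders PORTEPOCH ahead of the version and PORTREVISION (the ordering the pkg_version -t output in this thread shows), and checks a package against every <name> it carries. The comparator is a simplified model, not a port of pkg_version's exact component rules.

```python
"""Added example: evaluate VuXML <package>/<range> intervals for a version.

Not code from the thread, FreshPorts or VuXML; the sample XML is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample covering both shapes discussed in the thread: one
# <range> with two bounds (AND) and two <range>s in one <package> (OR).
SAMPLE_VUXML = """<affects>
  <package>
    <name>apache</name>
    <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
  </package>
  <package>
    <name>example-port</name>
    <name>example-port-devel</name>
    <range><lt>1.1.2_1</lt></range>
    <range><ge>2.0</ge></range>
  </package>
</affects>"""


def parse_version(v):
    """Split 'VERSION[_PORTREVISION][,PORTEPOCH]' into a sortable key.

    Simplified model of pkg_version ordering: epoch first, then the dotted
    version, then revision.  Numeric components compare as integers; any
    other component (the 'a' in 1.8.a) sorts after every number.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    comps = [(0, int(p)) if p.isdigit() else (1, p) for p in v.split(".")]
    return epoch, comps, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching the '<', '=', '>' printed by pkg_version -t."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    n = max(len(ca), len(cb))
    ca = ca + [(0, 0)] * (n - len(ca))  # so that 2.0 == 2.0.0
    cb = cb + [(0, 0)] * (n - len(cb))
    ka, kb = (ea, ca, ra), (eb, cb, rb)
    return (ka > kb) - (ka < kb)


# Each bound tag maps to a predicate on compare_versions(version, bound).
BOUND_OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def range_matches(rng, version):
    """All bounds inside one <range> must hold (AND)."""
    return all(BOUND_OPS[b.tag](compare_versions(version, b.text.strip()))
               for b in rng)


def package_affected(pkg, version):
    """Any one <range> of a <package> matching is enough (OR)."""
    return any(range_matches(r, version) for r in pkg.findall("range"))


def is_affected(vuxml, name, version):
    """True if name/version falls inside a range of a package carrying that name."""
    root = ET.fromstring(vuxml)
    for pkg in root.findall("package"):
        # The ranges apply to every <name> in the package, not only the first.
        names = [n.text.strip() for n in pkg.findall("name")]
        if name in names and package_affected(pkg, version):
            return True
    return False


if __name__ == "__main__":
    for name, ver in [("apache", "2.0.49"), ("apache", "2.0.50_3"),
                      ("example-port-devel", "1.1.2"), ("example-port", "1.5")]:
        state = "affected" if is_affected(SAMPLE_VUXML, name, ver) else "ok"
        print(name, ver, state)
```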
cheers
-- 
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From owner-freebsd-vuxml@FreeBSD.ORG Mon Sep 20 13:19:55 2004
From: "Dan Langille"
To: "Jacques A. Vidrine"
cc: freebsd-vuxml@freebsd.org
Date: Mon, 20 Sep 2004 09:19:54 -0400
Message-ID: <414EA0BA.11003.3D512193@localhost>
In-reply-to: <20040919152424.GA16616@lum.celabo.org>
Subject: Re: confused by ranges

On 19 Sep 2004 at 10:24, Jacques A. Vidrine wrote:

> > This is an interesting example:
> >
> > <range><lt>1.1.2_1</lt></range>
> > <range><ge>2.0</ge></range>
> >
> > Two range statements in the same package... instead of one range with
> > two operators. Why?
>
> Because they are two non-contiguous ranges and cannot be expressed by a
> single interval. The two are:
>
>    x < 1.1.2_1
>    2.0 >= x
>
> or equivalently [0, 1.1.2_1) and [2.0, infinity).
>
>
> Hmm, re-reading what you wrote, it seems you want to think of it
> algorithmically.
> In that case, you could interpret each <range> element
> as containing expressions that should be ANDed (although the number and
> form of the expressions are constrained by the DTD), while multiple
> <range> elements in one <package> should be ORed.

I found an error in my tables. I was relating a range to a name. That
is incorrect. A package may have many names. The ranges in a package
relate to all the names. I've just changed my scripts and modified my
DDL.

-- 
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From owner-freebsd-vuxml@FreeBSD.ORG Wed Sep 22 01:46:37 2004
Date: Tue, 21 Sep 2004 19:35:20 -0400 (EDT)
From: Dan Langille
To: freebsd-vuxml@freebsd.org
Message-ID: <20040921192821.K69630@xeon.unixathome.org>
Subject: FreshPorts beta now displays VuXML data

Hi,

I just finished the first cut of the code that marks commits as affected
by VuXML data.
Have a look at your favourite VuXML entry and see if the
associated package is affected.

e.g. http://beta.freshports.org/?package=pine

This type of linking will be available in production once
FreshPorts::VuXML is migrated from beta to production.

I have not reviewed the output, however I do know that the display does
not yet handle multiple VuXML entries affecting a given package version.
However, the database does handle this type of relationship and I've
verified that it is being recorded. The HTML is lagging behind the data.

If you see any errors etc, please let me know.

-- 
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/

From owner-freebsd-vuxml@FreeBSD.ORG Wed Sep 22 16:13:39 2004
From: "Dan Langille"
To: freebsd-vuxml@freebsd.org
Date: Wed, 22 Sep 2004 12:13:38 -0400
Message-ID: <41516C72.24016.483CEA47@localhost>
In-reply-to: <20040921192821.K69630@xeon.unixathome.org>
Subject: Re: FreshPorts beta now displays VuXML data
On 21 Sep 2004 at 19:35, Dan Langille wrote:

> I just finished the first cut of the code that marks commits as affected
> by VuXML data. Have a look at your favourite VuXML entry and see if the
> associated package is affected.
>
> e.g. http://beta.freshports.org/?package=pine
>
> This type of linking will be available in production once
> FreshPorts::VuXML is migrated from beta to production.
>
> I have not reviewed the output, however I do know that the display does
> not yet handle multiple VuXML entries affecting a given package version.
> However, the database does handle this type of relationship and
> I've verified that it is being recorded. The HTML is lagging
> behind the data.
>
> If you see any errors etc, please let me know.

We have the first issue. FreshPorts beta is handling PORTEPOCH, but that
value is not set correctly for existing commits. Hence, 'pkg_version -t'
does not get the correct values for testing commit versions against vuln
entries.

mat@ has provided this which gives me a list of ports which contain an
EPOCH:

   awk -F\| '$1 ~ /,/ {print $1 "\t\t" $2}' /usr/ports/INDEX-5

That's a good starting point. From there, I need to determine the
date[s] on which the PORTEPOCH came into effect. With that, I can do
something like this:

   update commit_log_ports
      set port_epoch='1'
    where port_id = 7366
      and commit_log_id >= 57525;

Ideas and suggestions are welcome.
-- 
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From owner-freebsd-vuxml@FreeBSD.ORG Wed Sep 22 20:16:01 2004
Date: Wed, 22 Sep 2004 15:15:38 -0500
From: "Jacques A. Vidrine"
To: Dan Langille
Message-ID: <20040922201538.GC57256@madman.celabo.org>
cc: freebsd-vuxml@freebsd.org
In-Reply-To: <20040921192821.K69630@xeon.unixathome.org>
Subject: Re: FreshPorts beta now displays VuXML data

On Tue, Sep 21, 2004 at 07:35:20PM -0400, Dan Langille wrote:
> Hi,
>
> I just finished the first cut of the code that marks commits as affected
> by VuXML data. Have a look at your favourite VuXML entry and see if the
> associated package is affected.
>
> e.g. http://beta.freshports.org/?package=pine

Thanks, Dan! I've experimentally added links on VuXML.org pages to
FreshPorts URLs like the one above. Thus, if you click on a package
name at say
http://vuxml.freebsd.org/e9f9d232-0cb2-11d9-8a8a-000c41e2cdad.html
it will probably have you looking at the right FreshPorts entry.

(Since it is *beta*.freshports.org, for now at least there is no
indication that the package names are links unless you mouse over them.)
Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-vuxml@FreeBSD.ORG Thu Sep 23 23:46:40 2004
From: "Dan Langille"
To: "Jacques A. Vidrine"
cc: freebsd-vuxml@freebsd.org
Date: Thu, 23 Sep 2004 19:46:31 -0400
Message-ID: <41532817.15157.4F01E691@localhost>
In-reply-to: <20040922201538.GC57256@madman.celabo.org>
Subject: Re: FreshPorts beta now displays VuXML data

On 22 Sep 2004 at 15:15, Jacques A. Vidrine wrote:

> On Tue, Sep 21, 2004 at 07:35:20PM -0400, Dan Langille wrote:
> > Hi,
> >
> > I just finished the first cut of the code that marks commits as affected
> > by VuXML data. Have a look at your favourite VuXML entry and see if the
> > associated package is affected.
> >
> > e.g. http://beta.freshports.org/?package=pine
>
> Thanks, Dan! I've experimentally added links on VuXML.org pages to
> FreshPorts URLs like the one above.
> Thus, if you click on a package
> name at say
> http://vuxml.freebsd.org/e9f9d232-0cb2-11d9-8a8a-000c41e2cdad.html
> it will probably have you looking at the right FreshPorts entry.

That looks good. I hope that type of linking makes it easier for others
to link.

FWIW, I am making progress on the VuXML issues. I have found that I need
to set historical PORTEPOCH for all ports that have a PORTEPOCH [1]. By
historical, I mean for each commit in FreshPorts. That's the only way I
can then get a proper test result from 'pkg_version -t'. I'm almost
there.

This page http://beta.freshports.org/tmp/epoch-fetching-slave.txt (500KB)
lists the ports that have a PORTEPOCH, the commits for that port, and the
historical value of the PORTEPOCH value for that commit. I do this by
literally fetching each revision of the Makefile. FreshPorts knows that
revision is associated with each commit (that information is in the
cvs-all email). Obtaining the PORTEPOCH values is not a simple grep
command. You must do a "make -V PORTVERSION".

There are 27 ports containing an EPOCH value that are also slave ports.
Of these 27, two set their own EPOCH value, the other 25 get it from the
MASTERPORT. It is those 25 ports which are going to be tougher. There are
15 distinct master ports involved (fortunately, none of them have their
own MASTERPORTs). I'm not yet sure how I'm going to cope with these
master ports. The others should be straight forward.

[1] FWIW, there are 246 ports with a PORTEPOCH value. This differs from
the result of this command, perhaps because not all such ports are in
the INDEX I'm using (e.g.
archivers/bsdtar)

awk -F\| '$1 ~ /,/ {print $2 "/Makefile"}' /usr/ports/INDEX-

-- 
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From owner-freebsd-vuxml@FreeBSD.ORG Fri Sep 24 16:04:55 2004
Return-Path: 
Delivered-To: freebsd-vuxml@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0DB1316A4CE for ; Fri, 24 Sep 2004 16:04:55 +0000 (GMT)
Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id D772F43D2D for ; Fri, 24 Sep 2004 16:04:54 +0000 (GMT) (envelope-from dan@langille.org)
Received: from wocker (wocker.unixathome.org [192.168.0.99]) by bast.unixathome.org (Postfix) with ESMTP id 4029E3D37 for ; Fri, 24 Sep 2004 12:04:53 -0400 (EDT)
From: "Dan Langille" 
To: freebsd-vuxml@freebsd.org
Date: Fri, 24 Sep 2004 12:04:53 -0400
MIME-Version: 1.0
Message-ID: <41540D65.1435.5281A20F@localhost>
Priority: normal
X-mailer: Pegasus Mail for Windows (v4.12a)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
Subject: Are the mozilla ranges correct for 7c188c55-0cb0-11d9-8a8a-000c41e2cdad?
X-BeenThere: freebsd-vuxml@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Documenting security issues in VuXML
X-List-Received-Date: Fri, 24 Sep 2004 16:04:55 -0000

Hi folks.

I'm looking at vuln 7c188c55-0cb0-11d9-8a8a-000c41e2cdad which affects mozilla with these ranges:

1.7.2,2
1.8.a

Should that ge range include an EPOCH of 2 (i.e. 1.8.a,2)?

$ pkg_version -t 1.7.2_1,2 1.8.a
>
$ pkg_version -t 1.7.2_1,2 1.8.a,2
<

Once a PORTEPOCH, always a PORTEPOCH?

FWIW, www/mozilla is still on 1.7

-- 
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/

From owner-freebsd-vuxml@FreeBSD.ORG Sat Sep 25 00:56:42 2004
Return-Path: 
Delivered-To: freebsd-vuxml@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EB81A16A4CE for ; Sat, 25 Sep 2004 00:56:42 +0000 (GMT)
Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 966ED43D49 for ; Sat, 25 Sep 2004 00:56:42 +0000 (GMT) (envelope-from nectar@celabo.org)
Received: from localhost (localhost [127.0.0.1]) by gw.celabo.org (Postfix) with ESMTP id 2B90A54887; Fri, 24 Sep 2004 19:56:42 -0500 (CDT)
Received: from gw.celabo.org ([127.0.0.1]) by localhost (hellblazer.celabo.org [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 82293-04; Fri, 24 Sep 2004 19:56:31 -0500 (CDT)
Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (not verified)) by gw.celabo.org (Postfix) with ESMTP id 3FC5E54883; Fri, 24 Sep 2004 19:56:29 -0500 (CDT)
Received: by madman.celabo.org (Postfix, from userid 1001) id 50EBF6D468; Fri, 24 Sep 2004 19:56:17 -0500 (CDT)
Date: Fri, 24 Sep 2004 19:56:17 -0500
From: "Jacques A. Vidrine" 
To: Dan Langille 
Message-ID: <20040925005617.GA50478@madman.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine" , Dan Langille , freebsd-vuxml@freebsd.org
References: <41540D65.1435.5281A20F@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <41540D65.1435.5281A20F@localhost>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.6i
cc: freebsd-vuxml@freebsd.org
Subject: Re: Are the mozilla ranges correct for 7c188c55-0cb0-11d9-8a8a-000c41e2cdad?
X-BeenThere: freebsd-vuxml@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Documenting security issues in VuXML
X-List-Received-Date: Sat, 25 Sep 2004 00:56:43 -0000

On Fri, Sep 24, 2004 at 12:04:53PM -0400, Dan Langille wrote:
> Hi folks.
>
> I'm looking at vuln 7c188c55-0cb0-11d9-8a8a-000c41e2cdad which
> affects mozilla with these ranges:
>
> 1.7.2,2
> 1.8.a
>
> Should that ge range include an EPOCH of 2 (i.e. 1.8.a,2)?

Yes, thanks for catching!

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-vuxml@FreeBSD.ORG Sat Sep 25 21:15:29 2004
Return-Path: 
Delivered-To: freebsd-vuxml@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 004B316A4CE for ; Sat, 25 Sep 2004 21:15:29 +0000 (GMT)
Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id 44A3343D2F for ; Sat, 25 Sep 2004 21:15:27 +0000 (GMT) (envelope-from dan@langille.org)
Received: from wocker (wocker.unixathome.org [192.168.0.99]) by bast.unixathome.org (Postfix) with ESMTP id C3E323D37 for ; Sat, 25 Sep 2004 17:15:14 -0400 (EDT)
From: "Dan Langille" 
To: freebsd-vuxml@freebsd.org
Date: Sat, 25 Sep 2004 17:15:14 -0400
MIME-Version: 1.0
Message-ID: <4155A7A2.15775.198F30A@localhost>
Priority: normal
X-mailer: Pegasus Mail for Windows (v4.12a)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
Subject: FreshPorts :: VuXML - 6e740881-0cae-11d9-8a8a-000c41e2cdad
X-BeenThere: freebsd-vuxml@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Documenting security issues in VuXML
X-List-Received-Date: Sat, 25 Sep 2004 21:15:29 -0000

Hi folks,

I'm looking for additional pairs of eyes to verify that FreshPorts has marked the correct commits for:

6e740881-0cae-11d9-8a8a-000c41e2cdad

The FreshPorts pages to view are:

Nothing affected by this vuln. It seems the affected versions were never put into our tree. Ranges are:

1.7.a,2
1.7
1.8.a,2
1.8.a2,2

Should that top one be 1.7,2 not 1.7?

There are two packages with the name mozilla. In addition to the URL listed above, see also:

Nothing affected there. We have only 1.4b-1.6a in the tree. Looks good. The ranges are:

1.7.a
1.7

Nothing marked at that URL either.

Is this looking good or bad?

-- 
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/
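Both of Dan's questions in this thread (the 7c188c55 range whose upper bound lacks the ",2" epoch, and the 6e740881 range whose lower bound carries ",2" while its upper bound does not) come down to the same rule: when pkg_version -t compares two package versions, the PORTEPOCH after the comma is compared first and outranks everything before it, so a bound without the epoch can never be reached by a version that has one. The following is an added example, not code from the thread, from FreshPorts or from FreeBSD itself: a small Python model of that ordering plus a VuXML-style range check. The component ordering it assumes (an alphabetic component such as "a" sorts before a missing component, which sorts before a numeric one, so 1.7.a < 1.7 < 1.7.1) is a deliberate simplification; the real pkg_version(1) has further special cases that are not modelled here.

```python
import re

# Added example, not code from the thread, FreshPorts or FreeBSD.  A simplified
# model of how `pkg_version -t` orders "<version>[_<revision>][,<epoch>]"
# strings, and how one VuXML range (every bound ANDed) is applied to a version.
# ASSUMPTION: component ordering "a"-style < missing < numeric; pkg_version(1)
# itself has more special cases (pl, +, rc/pre ...) that are not modelled.

_PART_RE = re.compile(r"^(\d*)([A-Za-z]*)(\d*)$")

# Key for a component that is absent on one side ("1.7" vs "1.7.a"):
# greater than an alphabetic component, smaller than a numeric one.
_MISSING = (1, 0, "", 0)


def _component_key(part):
    """Sortable key for one dotted component: "7" -> numeric, "a2" -> alpha."""
    m = _PART_RE.match(part)
    if not m:
        raise ValueError("unsupported version component: %r" % part)
    num, alpha, tail = m.groups()
    if num:                                          # "7", or "2a" (number first)
        return (2, int(num), alpha.lower(), int(tail or 0))
    return (0, 0, alpha.lower(), int(tail or 0))      # "a", "a2", "rc1"


def split_version(s):
    """'1.7.2_1,2' -> (epoch=2, [component keys for 1, 7, 2], revision=1)."""
    epoch = 0
    if "," in s:                                     # PORTEPOCH comes last
        s, e = s.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in s:                                     # PORTREVISION before it
        s, r = s.rsplit("_", 1)
        revision = int(r)
    comps = [_component_key(p) for p in s.split(".") if p != ""]
    return epoch, comps, revision


def compare(a, b):
    """Return -1, 0 or 1: epoch decides first, then components, then revision."""
    ea, ca, ra = split_version(a)
    eb, cb, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    n = max(len(ca), len(cb))
    ca = ca + [_MISSING] * (n - len(ca))
    cb = cb + [_MISSING] * (n - len(cb))
    for x, y in zip(ca, cb):
        if x != y:
            return -1 if x < y else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def pkg_version_t(a, b):
    """Same output shape as `pkg_version -t a b`: '<', '=' or '>'."""
    return {-1: "<", 0: "=", 1: ">"}[compare(a, b)]


def affected(version, ge=None, gt=None, le=None, lt=None):
    """Apply one VuXML <range>: every bound that is present must hold."""
    if ge is not None and compare(version, ge) < 0:
        return False
    if gt is not None and compare(version, gt) <= 0:
        return False
    if le is not None and compare(version, le) > 0:
        return False
    if lt is not None and compare(version, lt) >= 0:
        return False
    return True


def affected_by_any(version, ranges):
    """Several <range> elements for one package are alternatives (ORed)."""
    return any(affected(version, **r) for r in ranges)


if __name__ == "__main__":
    # The two pkg_version calls quoted for 7c188c55: epoch 2 beats epoch 0.
    print(pkg_version_t("1.7.2_1,2", "1.8.a"))              # >
    print(pkg_version_t("1.7.2_1,2", "1.8.a,2"))            # <
    # Consequence for the range: without ",2" on the upper bound, nothing matches.
    print(affected("1.7.2_1,2", ge="1.7.2,2", lt="1.8.a"))   # False
    print(affected("1.7.2_1,2", ge="1.7.2,2", lt="1.8.a,2")) # True
    # Same trap in 6e740881: ge 1.7.a,2 with lt 1.7 is an empty range.
    print(affected("1.7.b,2", ge="1.7.a,2", lt="1.7"))       # False
    print(affected("1.7.b,2", ge="1.7.a,2", lt="1.7,2"))     # True
```

The practical check this gives a VuXML editor: once a port has gained a PORTEPOCH, every bound in its ranges needs the same ",N" suffix, because an epoch-less bound is compared as epoch 0 and the range silently becomes empty rather than wrong in an obvious way.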