From owner-freebsd-vuxml@FreeBSD.ORG Sun Sep 19 15:24:45 2004
Delivered-To: freebsd-vuxml@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 40EB716A4CE for ; Sun, 19 Sep 2004 15:24:45 +0000 (GMT)
Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id A68E843D55 for ; Sun, 19 Sep 2004 15:24:44 +0000 (GMT) (envelope-from nectar@celabo.org)
Received: from localhost (localhost [127.0.0.1]) by gw.celabo.org (Postfix) with ESMTP id 37E595488D; Sun, 19 Sep 2004 10:24:44 -0500 (CDT)
Received: from gw.celabo.org ([127.0.0.1]) by localhost (hellblazer.celabo.org [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 04984-08; Sun, 19 Sep 2004 10:24:33 -0500 (CDT)
Received: from lum.celabo.org (lum.celabo.org [10.0.1.107]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "lum.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 5D1D75487E; Sun, 19 Sep 2004 10:24:33 -0500 (CDT)
Received: by lum.celabo.org (Postfix, from userid 1001) id 17EF8431F1E; Sun, 19 Sep 2004 10:24:24 -0500 (CDT)
Date: Sun, 19 Sep 2004 10:24:24 -0500
From: "Jacques A. Vidrine"
To: Dan Langille
Message-ID: <20040919152424.GA16616@lum.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine", Dan Langille, freebsd-vuxml@freebsd.org
References: <414C6EA1.25173.34BD6CDE@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <414C6EA1.25173.34BD6CDE@localhost>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.6i
cc: freebsd-vuxml@freebsd.org
Subject: Re: confused by ranges
X-BeenThere: freebsd-vuxml@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Documenting security issues in VuXML
X-List-Received-Date: Sun, 19 Sep 2004 15:24:45 -0000

On Sat, Sep 18, 2004 at 05:21:37PM -0400, Dan Langille wrote:
> I'm having a quick look through vuln.xml:
>
>   <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
>
> Intuitively, that means you are vulnerable if you have versions >=
> 2.0 or < 2.0.50_3.

Not quite.  <range> elements specify version ranges (intervals).  The snip
above specifies

  x >= 2.0 AND x < 2.0.50_3
  2.0 <= x < 2.0.50_3
  [2.0, 2.0.50_3)

All of these are acceptable means of expressing the same idea.  I tend to
visualize the middle one... and in fact that is how I render the ranges on
vuxml.org (e.g. "2.0 <= apache < 2.0.50_3").

> Is that correct?  Is that how to apply the rules?  I found the DTD
> confused me more than the examples did.

Then perhaps I should add some more examples and work on the text
description :-)

> This is an interesting example:
>
>   <range><lt>1.1.2_1</lt></range>
>   <range><ge>2.0</ge></range>
>
> Two range statements in the same package... instead of one range with
> two operators.  Why?

Because they are two non-contiguous ranges and cannot be expressed by a
single interval.  The two are:

  x < 1.1.2_1
  2.0 >= x

or equivalently [0, 1.1.2_1) and [2.0, infinity).

Hmm, re-reading what you wrote, it seems you want to think of it
algorithmically.  In that case, you could interpret each <range> element
as containing expressions that should be ANDed (although the number and
form of the expressions are constrained by the DTD), while multiple
<range> elements in one <package> should be ORed.

Hope this helps!

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org
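The AND-within-a-range / OR-across-ranges rule from the reply, carried through as a small evaluator. This is an added example, not code from the mail, from vuxml.org or from the VuXML project. It assumes the VuXML element names <package>, <name>, <range> and the comparison elements <ge>, <gt>, <le>, <lt>, <eq>; the sample document is constructed from the two snippets quoted in the thread, and "hypothetical-port" is a made-up package name. The version comparison is a deliberate simplification (numeric dotted components, then _revision, with ,epoch taking precedence) and is not a full reimplementation of pkg_version(1)'s rules.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of vuln.xml's <affects> section.  The
# "apache" range is the one quoted in the mail; "hypothetical-port" is a
# made-up name carrying the two-range (non-contiguous) example.
SAMPLE_AFFECTS = """
<affects>
  <package>
    <name>apache</name>
    <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
  </package>
  <package>
    <name>hypothetical-port</name>
    <range><lt>1.1.2_1</lt></range>
    <range><ge>2.0</ge></range>
  </package>
</affects>
"""

# Comparison element -> predicate over cmp_version(installed, bound).
OPERATORS = {"eq": lambda c: c == 0, "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
             "le": lambda c: c <= 0, "lt": lambda c: c < 0}


def parse_version(text):
    """Split 'version[_revision][,epoch]' as FreeBSD port versions are written.
    Assumption/simplification: dotted components compare numerically and an
    alphabetic component sorts before any number (not pkg_version(1)'s rules)."""
    epoch = 0
    if "," in text:
        text, epoch_s = text.rsplit(",", 1)
        epoch = int(epoch_s)
    revision = 0
    if "_" in text:
        text, rev_s = text.rsplit("_", 1)
        revision = int(rev_s)
    parts = [(1, int(p)) if p.isdigit() else (0, p)
             for p in re.findall(r"\d+|[A-Za-z]+", text)]
    return epoch, parts, revision


def cmp_version(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    width = max(len(pa), len(pb))
    pa = pa + [(1, 0)] * (width - len(pa))   # treat "2.0" as "2.0.0"
    pb = pb + [(1, 0)] * (width - len(pb))
    for x, y in zip(pa, pb):
        if x != y:
            return 1 if x > y else -1
    if ra != rb:
        return 1 if ra > rb else -1
    return 0


def range_matches(range_el, version):
    """Every comparison element inside one <range> must hold (AND)."""
    return all(OPERATORS[el.tag](cmp_version(version, el.text.strip()))
               for el in range_el)


def find_package(affects_xml, name):
    root = ET.fromstring(affects_xml)
    for pkg in root.iter("package"):
        if pkg.findtext("name", "").strip() == name:
            return pkg
    return None


def is_affected(affects_xml, name, version):
    """Any <range> under the <package> matching is enough (OR)."""
    pkg = find_package(affects_xml, name)
    if pkg is None:
        return False
    return any(range_matches(r, version) for r in pkg.findall("range"))


def render_ranges(affects_xml, name):
    """Render each range in the '2.0 <= apache < 2.0.50_3' style the mail
    mentions: lower bounds left of the name, upper bounds to its right."""
    pkg = find_package(affects_xml, name)
    if pkg is None:
        return []
    left_ops = {"ge": "<=", "gt": "<"}
    right_ops = {"le": "<=", "lt": "<", "eq": "="}
    rendered = []
    for r in pkg.findall("range"):
        left = [f"{el.text.strip()} {left_ops[el.tag]}" for el in r if el.tag in left_ops]
        right = [f"{right_ops[el.tag]} {el.text.strip()}" for el in r if el.tag in right_ops]
        rendered.append(" ".join(left + [name] + right))
    return rendered


if __name__ == "__main__":
    for name, ver in [("apache", "2.0.49"), ("apache", "2.0.50_3"),
                      ("hypothetical-port", "1.5"), ("hypothetical-port", "2.1")]:
        print(name, ver, "affected" if is_affected(SAMPLE_AFFECTS, name, ver) else "not affected")
    print(render_ranges(SAMPLE_AFFECTS, "hypothetical-port"))
```

Note that "1.5" for hypothetical-port is reported as not affected: it fails the `<lt>1.1.2_1</lt>` range and the `<ge>2.0</ge>` range, which is exactly the gap between the two intervals [0, 1.1.2_1) and [2.0, infinity) described in the reply, and the reason one interval could not express them.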