Date: Sun, 19 Sep 2004 19:35:57 -0400
From: "Dan Langille" <dan@langille.org>
To: "Jacques A. Vidrine" <nectar@FreeBSD.org>
Cc: freebsd-vuxml@freebsd.org
Subject: Re: confused by ranges
Message-ID: <414DDF9D.23278.3A5EC686@localhost>
In-Reply-To: <20040919152424.GA16616@lum.celabo.org>
References: <414C6EA1.25173.34BD6CDE@localhost>
On 19 Sep 2004 at 10:24, Jacques A. Vidrine wrote:

> On Sat, Sep 18, 2004 at 05:21:37PM -0400, Dan Langille wrote:
> > I'm having a quick look through vuln.xml:
> >
> > <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
> >
> > Intuitively, that means you are vulnerable if you have versions >=
> > 2.0 or < 2.0.50_3.
>
> Not quite. <range> elements specify version ranges (intervals). The
> snip above specifies
>
> x >= 2.0 AND x < 2.0.50_3
> 2.0 <= x < 2.0.50_3
> [2.0, 2.0.50_3)
>
> All of these are acceptable means of expressing the same idea. I tend
> to visualize the middle one... and in fact that is how I render the
> ranges on vuxml.org (e.g. "2.0 <= apache < 2.0.50_3").

FWIW, the FreshPorts vuxml_ranges is set up with that in mind. It looks
something like this:

version_start | operator_start | operator_end | version_end

And the version being tested goes between the second and third columns.

However, I think I will now change this. What I have requires flipping
an operator. For now, I'd rather duplicate exactly what is in the
vuln.xml file.

> > Is that correct? Is that how to apply the rules? I found the DTD
> > confused me more than the examples did.
>
> Then perhaps I should add some more examples and work on the text
> description :-)

Yep. Practical examples work wonders.

> > This is an interesting example:
> >
> > <range><lt>1.1.2_1</lt></range>
> > <range><ge>2.0</ge></range>
> >
> > Two range statements in the same package... instead of one range with
> > two operators. Why?
>
> Because they are two non-contiguous ranges and cannot be expressed by a
> single interval. The two are:
>
> x < 1.1.2_1
> 2.0 >= x
>
> or equivalently [0, 1.1.2_1) and [2.0, infinity).
>
>
> Hmm, re-reading what you wrote, it seems you want to think of it
> algorithmically. In that case, you could interpret each <range> element
> as containing expressions that should be ANDed (although the number and
> form of the expressions are constrained by the DTD), while multiple
> <range> elements in one <package> should be ORed.
>
> Hope this helps!

It does. Thanks. I know how to complete this part now.

cheers
-- 
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/
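The AND-within-a-range, OR-across-ranges rule from the reply above, and the "2.0 <= apache < 2.0.50_3" rendering Jacques describes, worked through in code. This is an added example for this archive page; it is not code from the thread, from FreshPorts or from the VuXML project. The vuln snippet is constructed from the two ranges quoted in the thread (the vid and the second package name are made up), and the version comparator is a simplified stand-in for FreeBSD's pkg version ordering: it handles dotted numeric components, an optional _N port revision and an optional ,N epoch, and nothing else.

```python
"""Evaluate VuXML-style <range> elements against a package version.

Added example; not code from this thread, FreshPorts or VuXML.
Semantics follow the reply on this page: the bounds inside one
<range> are ANDed, multiple <range> elements under one <package> are
ORed.  The comparator is a simplified stand-in for pkg's version
ordering (assumption): dotted numerics, optional _N revision, optional
,N epoch, nothing more.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample built from the two snippets quoted in the thread;
# the vid and the second package name are invented for the example.
SAMPLE_VULN_XML = """<vuln vid="example-0000">
  <affects>
    <package>
      <name>apache</name>
      <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
    </package>
    <package>
      <name>example-pkg</name>
      <range><lt>1.1.2_1</lt></range>
      <range><ge>2.0</ge></range>
    </package>
  </affects>
</vuln>
"""


def parse_version(v: str) -> Tuple[int, List[int], int]:
    """Split 'version_revision,epoch' into (epoch, components, revision)."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    return epoch, [int(c) for c in v.split(".")], revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b.  Epoch wins, then the dotted
    components (padded with zeros, so 2.0 == 2.0.0), then the revision."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    width = max(len(ca), len(cb))
    ca = ca + [0] * (width - len(ca))
    cb = cb + [0] * (width - len(cb))
    for left, right in ((ea, eb), (ca, cb), (ra, rb)):
        if left != right:
            return -1 if left < right else 1
    return 0


# The bound element's tag is the operator; each lambda receives
# compare_versions(version, bound_value) and says whether the bound holds.
BOUND_OPS = {
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
    "le": lambda c: c <= 0,
    "lt": lambda c: c < 0,
}


def in_range(version: str, range_el: ET.Element) -> bool:
    """True when every bound inside this one <range> holds (AND)."""
    return all(
        BOUND_OPS[bound.tag](compare_versions(version, bound.text.strip()))
        for bound in range_el
        if bound.tag in BOUND_OPS
    )


def is_affected(vuln_xml: str, pkgname: str, version: str) -> bool:
    """True when any <range> of a matching <package> contains version (OR)."""
    root = ET.fromstring(vuln_xml)
    for pkg in root.iter("package"):
        if pkg.findtext("name") != pkgname:
            continue
        if any(in_range(version, r) for r in pkg.findall("range")):
            return True
    return False


def render_range(pkgname: str, range_el: ET.Element) -> str:
    """Render one <range> as '2.0 <= apache < 2.0.50_3': lower bounds go on
    the left with the operator flipped, upper bounds on the right as written."""
    lower = {"ge": " <= ", "gt": " < "}
    upper = {"le": " <= ", "lt": " < "}
    text = pkgname
    for bound in range_el:
        value = bound.text.strip()
        if bound.tag in lower:
            text = value + lower[bound.tag] + text
        elif bound.tag in upper:
            text = text + upper[bound.tag] + value
    return text


def render_package(vuln_xml: str, pkgname: str) -> List[str]:
    """One rendered line per <range>; the lines are alternatives (OR)."""
    root = ET.fromstring(vuln_xml)
    return [render_range(pkgname, r)
            for pkg in root.iter("package") if pkg.findtext("name") == pkgname
            for r in pkg.findall("range")]


if __name__ == "__main__":
    for name, ver in (("apache", "2.0.49"), ("apache", "2.0.50_3"),
                      ("example-pkg", "1.5"), ("example-pkg", "2.0")):
        print(name, ver, "affected" if is_affected(SAMPLE_VULN_XML, name, ver) else "ok")
    for name in ("apache", "example-pkg"):
        print(" OR ".join(render_package(SAMPLE_VULN_XML, name)))
```

The flip Dan mentions is visible in render_range: a <ge> bound is stored as "x >= 2.0" but printed as "2.0 <= x", so a table that stores the rendered form has to reverse the operator on the way in, whereas storing the raw tag and value as they appear in vuln.xml lets in_range apply them unchanged. A real checker needs pkg's full version ordering (letters, "pl", multiple epochs and so on); the comparator here is only enough for the versions in the thread.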