140038 – [PATCH] security/vuxml correct opera and linux-opera entry

linux-opera is marked falsely vulnerable due to different versioning
scheme between www/opera and www/linux-opera.
broken by miwi at 1.2021.
Responsible Changed
From-To: freebsd-ports-bugs->secteam

Over to maintainer (via the GNATS Auto Assign Tool)
patch is here.

--- /usr/ports/security/vuxml/vuln.xml	2009-10-25 23:53:33.000000000 +0900
+++ vuln.xml	2009-10-28 14:05:30.000000000 +0900
@@ -751,9 +751,12 @@
      <affects>
        <package>
          <name>opera</name>
-         <name>linux-opera</name>
          <range><lt>10.00.20090830</lt></range>
        </package>
+       <package>
+         <name>linux-opera</name>
+         <range><lt>10.00</lt></range>
+       </package>
      </affects>
      <description>
        <body xmlns="http://www.w3.org/1999/xhtml">
@@ -779,7 +782,7 @@
      <dates>
        <discovery>2009-09-01</discovery>
        <entry>2009-09-04</entry>
-       <modified>2009-09-04</modified>
+       <modified>2009-10-28</modified>
      </dates>
    </vuln>
On Wed, 28 Oct 2009 05:30:03 GMT
poyopoyo@puripuri.plala.or.jp mentioned:
>  --- /usr/ports/security/vuxml/vuln.xml	2009-10-25 23:53:33.000000000 +0900
>  +++ vuln.xml	2009-10-28 14:05:30.000000000 +0900
>  @@ -751,9 +751,12 @@
>        <affects>
>          <package>
>            <name>opera</name>
>  -         <name>linux-opera</name>
>            <range><lt>10.00.20090830</lt></range>
>          </package>
>  +       <package>
>  +         <name>linux-opera</name>
>  +         <range><lt>10.00</lt></range>
>  +       </package>
>        </affects>
>        <description>
>          <body xmlns="http://www.w3.org/1999/xhtml">
>  @@ -779,7 +782,7 @@
>        <dates>
>          <discovery>2009-09-01</discovery>
>          <entry>2009-09-04</entry>
>  -       <modified>2009-09-04</modified>
>  +       <modified>2009-10-28</modified>
>        </dates>
>      </vuln>
>   

Actually, we never had any linux opera versions between 9.64 and 10.00
in ports collection, so this change is noop.  What is the rationale of
this change?  Was linux version of opera 10.00.20090830 vulnerable? 

-- 
Stanislav Sedov
ST4096-RIPE
At Wed, 28 Oct 2009 09:44:48 +0300,
Stanislav Sedov wrote:
> Actually, we never had any linux opera versions between 9.64 and 10.00
> in ports collection, so this change is noop.  What is the rationale of
> this change?  Was linux version of opera 10.00.20090830 vulnerable? 

in short: 10.00 < 10.00.20090830


long version:
You'd be better to install linux-opera and run portaudit and everythig
you want to know is there.

==
$ pkg_info -I linux-opera\*
linux-opera-10.00_1 A blazingly fast, full-featured, standards-compliant browse
$ portaudit
Affected package: linux-opera-10.00_1
Type of problem: opera -- multiple vulnerabilities.
Reference: <http://portaudit.FreeBSD.org/4582948a-9716-11de-83a5-001999392805.html>
==

There is no such a thing as linux-opera-10.00.20090830. The latest
linux-opera is 10.00_1. This means vuxml is stating every version of
linux-opera is vulnerable. portaudit has been sending this false alert
every day for about two months now.

I wrote in this PR that www/opera and www/linux-opera uses different
versioning scheme, figures:

==
www/opera: PORTVERSION=    ${OPERA_VER}.${OPERA_DATE}
www/opera: OPERA_VER=      10.00
www/opera: OPERA_DATE=     20090830

www/linux-opera: PORTVERSION=    ${OPERA_VER}
www/linux-opera: OPERA_VER=      10.00
==

www/linux-opera does not have $OPERA_DATE suffix and cannot be covered
with PORTVERSION for www/opera. I hope I could explain what this PR
intend to fix.
stas        2009-10-28 23:04:35 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - Fix linux-opera vuxml entry (it uses different version numbering scheme) [1]
  - Add entry for opera-devel as well.
  
  PR:             ports/140038 [1]
  Submitted by:   Sato Kuro <poyopoyo@puripuri.plala.or.jp> [1]
  
  Revision  Changes    Path
  1.2054    +10 -3     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed
From-To: open->closed

Committed. Thanks!
On Wed, 28 Oct 2009 16:00:04 GMT
poyopoyo@puripuri.plala.or.jp mentioned:

> The following reply was made to PR ports/140038; it has been noted by GNATS.
> 
> From: poyopoyo@puripuri.plala.or.jp
> To: Stanislav Sedov <stas@deglitch.com>
> Cc: bug-followup@FreeBSD.org
> Subject: Re: ports/140038: [PATCH] security/vuxml correct opera and  linux-opera entry
> Date: Thu, 29 Oct 2009 00:55:49 +0900
> 
>  At Wed, 28 Oct 2009 09:44:48 +0300,
>  Stanislav Sedov wrote:
>  > Actually, we never had any linux opera versions between 9.64 and 10.00
>  > in ports collection, so this change is noop.  What is the rationale of
>  > this change?  Was linux version of opera 10.00.20090830 vulnerable? 
>  
>  in short: 10.00 < 10.00.20090830
>  


Oh, I didn't thought about this.  Thanks for explanations!
I added entry for opera-devel as well, while here, as it
appears to be missed.

-- 
Stanislav Sedov
ST4096-RIPE