Skip to content

Commit 5a3c4de

Browse files
committed
fix: Gentoo GLSA data embeds the package SLOT directly in the version
Addresses #1921.
1 parent 7cdf304 commit 5a3c4de

8 files changed

Lines changed: 272 additions & 5 deletions

File tree

vulnerabilities/importers/gentoo.py

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -144,6 +144,12 @@ def get_safe_and_affected_versions(pkg):
144144
if len(info.attrib.get("range")) > 2:
145145
continue
146146

147+
# GLSA data sometimes appends the SLOT to the version using a
148+
# colon, e.g. "6.9.3:6" for a package in SLOT "6". A colon is not
149+
# part of the Gentoo version syntax, so it must be stripped
150+
# before the value can be parsed as a GentooVersion.
151+
version = info.text.partition(":")[0]
152+
147153
if info.tag == "unaffected":
148154
# quick hack, to know whether this
149155
# version lies in this range, 'e' stands for
@@ -153,14 +159,14 @@ def get_safe_and_affected_versions(pkg):
153159
# which ('rle', 'rge', 'rgt') are ignored, because they compare
154160
# 'release' not the 'version'.
155161
if "e" in info.attrib["range"]:
156-
safe_versions.add(info.text)
162+
safe_versions.add(version)
157163
else:
158-
affected_versions.add(info.text)
164+
affected_versions.add(version)
159165

160166
elif info.tag == "vulnerable":
161167
if "e" in info.attrib["range"]:
162-
affected_versions.add(info.text)
168+
affected_versions.add(version)
163169
else:
164-
safe_versions.add(info.text)
170+
safe_versions.add(version)
165171

166172
return safe_versions, affected_versions

vulnerabilities/pipelines/v2_importers/gentoo_importer.py

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -185,4 +185,9 @@ def get_affected_and_fixed_purls(affected_elem, logger):
185185

186186
qualifiers = {"slot": slot_value} if slot_value else {}
187187
purl = PackageURL(type="ebuild", name=pkg_name, namespace=pkg_ns, qualifiers=qualifiers)
188-
yield purl, (comparator, info.text), (info.tag == "unaffected")
188+
# GLSA data sometimes appends the SLOT to the version using a
189+
# colon, e.g. "6.9.3:6" for a package in SLOT "6". A colon is not
190+
# part of the Gentoo version syntax, so it must be stripped
191+
# before the value can be parsed as a GentooVersion.
192+
version = info.text.partition(":")[0]
193+
yield purl, (comparator, version), (info.tag == "unaffected")

vulnerabilities/tests/pipelines/v2_importers/test_gentoo_importer_v2.py

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@
2222
TEST_DATA / "glsa-201709-09.xml",
2323
TEST_DATA / "glsa-202511-02.xml",
2424
TEST_DATA / "glsa-202512-01.xml",
25+
TEST_DATA / "glsa-202511-03.xml",
2526
]
2627

2728

Lines changed: 95 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,95 @@
1+
[
2+
{
3+
"aliases": [
4+
"CVE-2023-45872"
5+
],
6+
"summary": "Multiple vulnerabilities have been discovered in qtsvg, the worst of which could lead to execution of arbitrary code.",
7+
"affected_packages": [
8+
{
9+
"package": {
10+
"type": "ebuild",
11+
"namespace": "dev-qt",
12+
"name": "qtsvg",
13+
"version": "",
14+
"qualifiers": "",
15+
"subpath": ""
16+
},
17+
"affected_version_range": "vers:ebuild/!=6.9.3",
18+
"fixed_version": null
19+
}
20+
],
21+
"references": [
22+
{
23+
"reference_id": "GLSA-202511-03",
24+
"reference_type": "",
25+
"url": "https://security.gentoo.org/glsa/202511-03",
26+
"severities": []
27+
}
28+
],
29+
"date_published": null,
30+
"weaknesses": [],
31+
"url": "https://security.gentoo.org/glsa/202511-03"
32+
},
33+
{
34+
"aliases": [
35+
"CVE-2025-10728"
36+
],
37+
"summary": "Multiple vulnerabilities have been discovered in qtsvg, the worst of which could lead to execution of arbitrary code.",
38+
"affected_packages": [
39+
{
40+
"package": {
41+
"type": "ebuild",
42+
"namespace": "dev-qt",
43+
"name": "qtsvg",
44+
"version": "",
45+
"qualifiers": "",
46+
"subpath": ""
47+
},
48+
"affected_version_range": "vers:ebuild/!=6.9.3",
49+
"fixed_version": null
50+
}
51+
],
52+
"references": [
53+
{
54+
"reference_id": "GLSA-202511-03",
55+
"reference_type": "",
56+
"url": "https://security.gentoo.org/glsa/202511-03",
57+
"severities": []
58+
}
59+
],
60+
"date_published": null,
61+
"weaknesses": [],
62+
"url": "https://security.gentoo.org/glsa/202511-03"
63+
},
64+
{
65+
"aliases": [
66+
"CVE-2025-10729"
67+
],
68+
"summary": "Multiple vulnerabilities have been discovered in qtsvg, the worst of which could lead to execution of arbitrary code.",
69+
"affected_packages": [
70+
{
71+
"package": {
72+
"type": "ebuild",
73+
"namespace": "dev-qt",
74+
"name": "qtsvg",
75+
"version": "",
76+
"qualifiers": "",
77+
"subpath": ""
78+
},
79+
"affected_version_range": "vers:ebuild/!=6.9.3",
80+
"fixed_version": null
81+
}
82+
],
83+
"references": [
84+
{
85+
"reference_id": "GLSA-202511-03",
86+
"reference_type": "",
87+
"url": "https://security.gentoo.org/glsa/202511-03",
88+
"severities": []
89+
}
90+
],
91+
"date_published": null,
92+
"weaknesses": [],
93+
"url": "https://security.gentoo.org/glsa/202511-03"
94+
}
95+
]
Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
3+
<glsa id="202511-03">
4+
<title>qtsvg: Multiple Vulnerabilities</title>
5+
<synopsis>Multiple vulnerabilities have been discovered in qtsvg, the worst of which could lead to execution of arbitrary code.</synopsis>
6+
<product type="ebuild">qtsvg</product>
7+
<announced>2025-11-24</announced>
8+
<revised count="1">2025-11-24</revised>
9+
<bug>915998</bug>
10+
<bug>963710</bug>
11+
<access>local and remote</access>
12+
<affected>
13+
<package name="dev-qt/qtsvg" auto="yes" arch="*">
14+
<unaffected range="ge">6.9.3:6</unaffected>
15+
<vulnerable range="lt">6.9.3:6</vulnerable>
16+
</package>
17+
</affected>
18+
<background>
19+
<p>qtsvg is a SVG rendering library for the Qt framework.</p>
20+
</background>
21+
<description>
22+
<p>Multiple vulnerabilities have been discovered in qtsvg. Please review the CVE identifiers referenced below for details.</p>
23+
</description>
24+
<impact type="high">
25+
<p>Please review the referenced CVE identifiers for details.</p>
26+
</impact>
27+
<workaround>
28+
<p>There is no known workaround at this time.</p>
29+
</workaround>
30+
<resolution>
31+
<p>All qtsvg users should upgrade to the latest version:</p>
32+
33+
<code>
34+
# emerge --sync
35+
# emerge --ask --oneshot --verbose ">=dev-qt/qtsvg-6.9.3"
36+
</code>
37+
</resolution>
38+
<references>
39+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45872">CVE-2023-45872</uri>
40+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-10728">CVE-2025-10728</uri>
41+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-10729">CVE-2025-10729</uri>
42+
</references>
43+
<metadata tag="requester" timestamp="2025-11-24T23:58:02.219156Z">graaff</metadata>
44+
<metadata tag="submitter" timestamp="2025-11-24T23:58:02.221875Z">sam</metadata>
45+
</glsa>
Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
[
2+
{
3+
"advisory_id": "GLSA-202511-03",
4+
"aliases": [
5+
"CVE-2023-45872",
6+
"CVE-2025-10728",
7+
"CVE-2025-10729"
8+
],
9+
"summary": "Multiple vulnerabilities have been discovered in qtsvg, the worst of which could lead to execution of arbitrary code.",
10+
"affected_packages": [
11+
{
12+
"package": {
13+
"type": "ebuild",
14+
"namespace": "dev-qt",
15+
"name": "qtsvg",
16+
"version": "",
17+
"qualifiers": "",
18+
"subpath": ""
19+
},
20+
"affected_version_range": "vers:ebuild/<6.9.3",
21+
"fixed_version_range": null,
22+
"introduced_by_commit_patches": [],
23+
"fixed_by_commit_patches": []
24+
},
25+
{
26+
"package": {
27+
"type": "ebuild",
28+
"namespace": "dev-qt",
29+
"name": "qtsvg",
30+
"version": "",
31+
"qualifiers": "",
32+
"subpath": ""
33+
},
34+
"affected_version_range": null,
35+
"fixed_version_range": "vers:ebuild/>=6.9.3",
36+
"introduced_by_commit_patches": [],
37+
"fixed_by_commit_patches": []
38+
}
39+
],
40+
"references": [
41+
{
42+
"reference_id": "GLSA-202511-03",
43+
"reference_type": "",
44+
"url": "https://security.gentoo.org/glsa/202511-03"
45+
}
46+
],
47+
"patches": [],
48+
"severities": [
49+
{
50+
"system": "generic_textual",
51+
"value": "high",
52+
"scoring_elements": ""
53+
}
54+
],
55+
"date_published": null,
56+
"weaknesses": [],
57+
"url": "https://security.gentoo.org/glsa/202511-03"
58+
}
59+
]
Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
3+
<glsa id="202511-03">
4+
<title>qtsvg: Multiple Vulnerabilities</title>
5+
<synopsis>Multiple vulnerabilities have been discovered in qtsvg, the worst of which could lead to execution of arbitrary code.</synopsis>
6+
<product type="ebuild">qtsvg</product>
7+
<announced>2025-11-24</announced>
8+
<revised count="1">2025-11-24</revised>
9+
<bug>915998</bug>
10+
<bug>963710</bug>
11+
<access>local and remote</access>
12+
<affected>
13+
<package name="dev-qt/qtsvg" auto="yes" arch="*">
14+
<unaffected range="ge">6.9.3:6</unaffected>
15+
<vulnerable range="lt">6.9.3:6</vulnerable>
16+
</package>
17+
</affected>
18+
<background>
19+
<p>qtsvg is a SVG rendering library for the Qt framework.</p>
20+
</background>
21+
<description>
22+
<p>Multiple vulnerabilities have been discovered in qtsvg. Please review the CVE identifiers referenced below for details.</p>
23+
</description>
24+
<impact type="high">
25+
<p>Please review the referenced CVE identifiers for details.</p>
26+
</impact>
27+
<workaround>
28+
<p>There is no known workaround at this time.</p>
29+
</workaround>
30+
<resolution>
31+
<p>All qtsvg users should upgrade to the latest version:</p>
32+
33+
<code>
34+
# emerge --sync
35+
# emerge --ask --oneshot --verbose ">=dev-qt/qtsvg-6.9.3"
36+
</code>
37+
</resolution>
38+
<references>
39+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45872">CVE-2023-45872</uri>
40+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-10728">CVE-2025-10728</uri>
41+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-10729">CVE-2025-10729</uri>
42+
</references>
43+
<metadata tag="requester" timestamp="2025-11-24T23:58:02.219156Z">graaff</metadata>
44+
<metadata tag="submitter" timestamp="2025-11-24T23:58:02.221875Z">sam</metadata>
45+
</glsa>

vulnerabilities/tests/test_gentoo.py

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,3 +32,14 @@ def test_gentoo_import():
3232
result = [adv.to_dict() for adv in advisories]
3333
expected_file = os.path.join(TEST_DIR, "gentoo-expected.json")
3434
util_tests.check_results_against_json(result, expected_file)
35+
36+
37+
def test_gentoo_import_version_with_slot():
38+
# See https://github.com/aboutcode-org/vulnerablecode/issues/1921
39+
# GLSA data can append the SLOT to a version using a colon, e.g.
40+
# "6.9.3:6", which is not valid Gentoo version syntax on its own.
41+
file = os.path.join(TEST_DIR, "glsa-202511-03.xml")
42+
advisories = GentooImporter().process_file(file)
43+
result = [adv.to_dict() for adv in advisories]
44+
expected_file = os.path.join(TEST_DIR, "glsa-202511-03-expected.json")
45+
util_tests.check_results_against_json(result, expected_file)

0 commit comments

Comments
 (0)