# Can't fix GLSAs [SOLVED]

## Budoka

I have been struggling to fix these two GLSAs for a while now and am stuck.

 *Quote:*   

> # glsa-check -l
> 
> [A] means this GLSA was marked as applied (injected),
> 
> [U] means the system is not affected and
> ...

 

 *Quote:*   

> # glsa-check --fix 201010-01
> 
> Fixing GLSA 201010-01
> 
> >>> cannot fix GLSA, no unaffected packages available
> ...

 

So I know that `glsa-check --fix` is experimental, so it doesn't bother me so much that it can't apply them, but if I try to do it manually as instructed in the GLSA it still doesn't work.

GLSA 201010-01 http://www.gentoo.org/security/en/glsa/glsa-201010-01.xml

GLSA 201206-15 http://www.gentoo.org/security/en/glsa/glsa-201206-15.xml

 *Quote:*   

> # eix -I libpng
> 
> [I] media-libs/libpng
> 
>      Available versions:  
> ...

 

So if I emerge as instructed in both GLSAs it successfully updates to 1.6. But if I check again with glsa-check nothing has changed.

```
# equery d libpng | wgetpaste
```

Your paste can be seen here: https://bpaste.net/show/846c4d2461c4

If I understand the output correctly a number of packages are calling on 1.2, the vulnerable version, but they all indicate `>=`, so why don't they use the 1.6, allowing the 1.2 to be removed?

Am I doing something incorrectly? I am a security freak so would like to resolve this even if my risk is minimal. Thanks.

*Last edited by Budoka on Wed Jan 14, 2015 4:03 am; edited 1 time in total*

----------

## Hu

What is the output of `emerge --pretend --verbose --depclean media-libs/libpng:1.2`?

----------

## Budoka

 *Hu wrote:*   

> What is the output of `emerge --pretend --verbose --depclean media-libs/libpng:1.2`?

 

 *Quote:*   

> $ emerge --pretend --verbose --depclean media-libs/libpng:1.2
> 
> Calculating dependencies... done!
> 
>   media-libs/libpng-1.2.52 pulled in by:
> ...

 

So I need to do something with dropbox? Shouldn't it use the most recent version?

----------

## Ant P.

It should, and if dropbox's developers were competent it would!

That's a binary package, you can't do anything about it besides disable USE=X entirely.

----------

## Budoka

 *Ant P. wrote:*   

> It should, and if dropbox's developers were competent it would!
> 
> That's a binary package, you can't do anything about it besides disable USE=X entirely.

 

So does that mean I either lose dropbox or keep the vulnerability? I'll see if there is a way to contact the developers for the Linux version and let them know this is an issue.

However, the one thing I am confused about is what makes you think this is a binary package? It is in portage and I assume as such compiled upon emerge. Or am I confused?

 *Quote:*   

> [I] net-misc/dropbox
> 
>      Available versions:  2.4.10^ms 2.6.33^ms ~2.8.4^ms 2.10.2^ms ~2.10.41^ms {X +librsync-bundled}
> 
>      Installed versions:  2.10.2^ms(02:33:06 AM 09/03/2014)(X librsync-bundled)
> ...

 

----------

## jburns

From `glsa-check -d 201010-01 201206-15`:

 *Quote:*   

> GLSA 201010-01
> 
> Unaffected:        >=1.4.3, >=~1.2.46, >=~1.2.47, >=~1.2.49, >=~1.2.50, >=~1.2.51
> 
> GLSA 201206-15
> ...

 

Your version is media-libs/libpng-1.2.52 which should be unaffected.

----------

## Ant P.

 *Budoka wrote:*   

> However, the one thing I am confused about is what makes you think this is a binary package? It is in portage and I assume as such compiled upon emerge. Or am I confused?

 

The proprietary "dropbox" license the package requires you to accept, plus the fact it's only available on amd64/x86.

----------

## Budoka

 *jburns wrote:*   

> From glsa-check -d 201010-01 201206-15
> 
>  *Quote:*   GLSA 201010-01
> 
> Unaffected:        >=1.4.3, >=~1.2.46, >=~1.2.47, >=~1.2.49, >=~1.2.50, >=~1.2.51
> ...

 

Thanks. I guess I will start using `-d` when checking GLSAs in the future. I would have never caught that in the regular output of `glsa-check -l`.

I do find the output a little confusing regardless though, because it indicates:

 *Quote:*   

> Vulnerable:        <1.4.3

which libpng-1.2.52 clearly is, and then...

 *Quote:*   

> Unaffected:        >=1.4.3, >=~1.2.46, >=~1.2.47, >=~1.2.49, >=~1.2.50, >=~1.2.51

 

indicating I am not affected. It would be nice if `glsa-check -l` didn't kick the GLSAs out in the output of an unaffected system.

Anyway thanks.

----------
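Editor's note on the range confusion discussed in the last two posts. The following is an added example, not code from the thread and not Portage's `glsa-check`; it models how a GLSA's version ranges are matched against an installed version. The one assumption it rests on, and labels in the code, is that the `~` which `glsa-check -d` prints in `>=~1.2.51` is the GLSA schema's revision-only range (`rge`): it covers the revisions of that exact version (1.2.51, 1.2.51-r1, ...) and not later versions in the branch, which is also why the GLSA lists 1.2.46, 1.2.47, 1.2.49, 1.2.50 and 1.2.51 individually. The comparator only handles dotted numeric versions with an optional `-rN`, which is enough for the versions quoted above; the 1.2.51-r1 and 1.6.16 inputs are constructed for the example, and slot and upgrade-candidate handling that `glsa-check` does is left out.

```python
"""Added example (not from the thread, not Portage code): match an
installed version against GLSA vulnerable/unaffected ranges."""
import re

# Dotted numeric version with an optional Gentoo revision suffix (-rN).
# Assumption: no _p/_rc/letter suffixes; enough for 1.2.52, 1.4.3, 1.6.x.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
# GLSA range atom as glsa-check -d prints it; the optional "~" marks the
# schema's r-prefixed (revision-only) ranges such as rge -> ">=~".
_ATOM_RE = re.compile(r"^(>=|<=|>|<|=)(~?)(.+)$")


def parse_version(ver):
    """Split '1.2.51-r1' into ((1, 2, 51), 1); the revision defaults to 0."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError("unsupported version string: %r" % ver)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, int(m.group(2) or 0)


def compare(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Components are compared left to right; a shorter version with the same
    prefix sorts first, and the -rN revision breaks ties.
    """
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)


def matches(installed, atom):
    """True if `installed` satisfies a range atom such as '<1.4.3' or '>=~1.2.51'."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError("unsupported range atom: %r" % atom)
    op, rev_only, base = m.groups()
    if rev_only and parse_version(installed)[0] != parse_version(base)[0]:
        # Assumption (GLSA schema rge/rle/rgt/rlt): only the revisions of
        # this exact version are in scope, so 1.2.52 is outside ">=~1.2.51".
        return False
    c = compare(installed, base)
    return {">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c == 0}[op]


def affection(installed, vulnerable, unaffected):
    """Simplified GLSA reading: affected if the version matches a vulnerable
    range and none of the unaffected ranges. Unaffected ranges win, which is
    how the 1.2.46..1.2.51 entries carve exceptions out of '<1.4.3'."""
    if any(matches(installed, a) for a in unaffected):
        return "unaffected"
    if any(matches(installed, a) for a in vulnerable):
        return "affected"
    return "unaffected"


# Ranges exactly as glsa-check -d printed them for GLSA 201010-01 above.
GLSA_201010_01 = {
    "vulnerable": ["<1.4.3"],
    "unaffected": [">=1.4.3", ">=~1.2.46", ">=~1.2.47",
                   ">=~1.2.49", ">=~1.2.50", ">=~1.2.51"],
}


def classify_installed(installed_versions, glsa=GLSA_201010_01):
    """Map each installed version (one per slot, as eix lists them) to its status."""
    return {v: affection(v, glsa["vulnerable"], glsa["unaffected"])
            for v in installed_versions}


if __name__ == "__main__":
    # Constructed input: the poster's 1.2 slot, a hypothetical 1.2.51-r1 to
    # show what a revision-only range accepts, and a hypothetical 1.6 slot.
    for ver, status in classify_installed(["1.2.52", "1.2.51-r1", "1.6.16"]).items():
        print("%-10s %s" % (ver, status))
```

Under this reading the 1.2.52 in the 1.2 slot is what keeps the GLSA listed: it sits inside `<1.4.3` and outside every revision-only exception, and emerging 1.6 lands in a different slot and leaves 1.2.52 installed, which is consistent with nothing changing in `glsa-check -l` after the update. The practical check is therefore the `emerge --pretend --verbose --depclean media-libs/libpng:1.2` that Hu asked for: as long as something still pulls in that slot, the vulnerable version stays on disk regardless of what else is installed.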

