funtoo forums
  • 0
mointrigue

Is there a glsa-check equivalent for funtoo

Question

Is there an equivalent function in funtoo for glsa-check? I'm still getting the hang of kits vs the portage tree, but as far as I can tell glsa-check always returns nothing since the meta-repo doesn't include the glsa notices. 


6 answers to this question

Recommended Posts

  • 0

glsa-check doesn't provide up-to-date information for Funtoo. Funtoo also backports lots of security fixes for the forked packages, so the information that you get with --list affected could be inaccurate or wrong.

There is an open bug for the glsa-check tool for funtoo

in BFO https://bugs.funtoo.org/browse/FL-3832?jql=text ~ "glsa"

so you can subscribe to the bug and get an update once such a tool is ready for funtoo. Until then you will have to check gentoo's GLSA list and check the README.rst in the kit of the package, for example here:

https://github.com/funtoo/core-kit/blob/1.0-prime/README.rst

Funtoo also tries to audit forked ebuilds every 30 days. You can see all stale packages on this webpage:

http://ports.funtoo.org/stale/

If you want to help and use any of the packages that are listed as "stale", you can check if they are affected by any known vulnerabilities and report those on https://bugs.funtoo.org where they will be squashed as fast as possible.

Thank you in advance.

  • 0

Thanks @znavko but I don't think that is what @mointrigue is looking for.

nagios-check_glsa2 is a plugin for the Nagios Infrastructure Monitoring System, while glsa-check is a python script which is part of gentoolkit and portage.

Installing a complete monitoring system just to have the same functionality as a script that is already on the system should not be necessary.

I am not sure what is currently missing for the glsa-check script to work but I think it should be easy to fix.

  • 0

OK, that's weird. It seems like for days even if I ran 

sudo glsa-check --list all

I'd get nothing. I mean, I'd expect to see that if I used "affected". But today if I run the same command I get output, but nothing after April 2017, which does not match the GLSA announcements. This snippet was captured right after today's ego sync.

 

<snip...>
201702-29 [U] PHP: Multiple vulnerabilities ( dev-lang/php )
201702-30 [U] tcpdump: Multiple vulnerabilities ( net-analyzer/tcpdump )
201702-31 [U] GPL Ghostscript: Multiple vulnerabilities ( app-text/ghostscript-gpl )
201702-32 [U] Ruby Archive::Tar::Minitar: Directory traversal ( dev-ruby/archive-tar-minitar )
201703-01 [U] OpenOffice: User-assisted execution of arbitrary code ( app-office/openoffice-bin )
201703-02 [U] Adobe Flash Player: Multiple vulnerabilities ( www-plugins/adobe-flash )
201703-03 [U] PuTTY: Buffer overflow ( net-misc/putty )
201703-04 [U] cURL: Certificate validation error ( net-misc/curl )
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

201703-05 [U] GNU Libtasn1: Denial of Service ( dev-libs/libtasn1 )
201703-06 [U] Deluge: Remote execution of arbitrary code ( net-p2p/deluge )
201703-07 [U] Xen: Privilege Escalation ( app-emulation/xen-tools )
201704-01 [U] QEMU: Multiple vulnerabilities ( app-emulation/qemu )
201704-02 [U] Chromium: Multiple vulnerabilities ( www-client/chromium )
201704-03 [U] X.Org: Multiple vulnerabilities ( x11-base/xorg-server  x11-libs/libICE  x11-libs/libXdmcp ... )
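The listing above has a fixed shape (GLSA id, a one-letter status in brackets, a title, and the affected atoms in parentheses), and the poster's real concern is twofold: which entries are marked [N], and whether the local GLSA data has silently stopped updating (nothing newer than April 2017). The following script is an added example, not code from the thread or from Funtoo or Gentoo; it parses glsa-check --list output, reports possibly affected entries, and flags the data as stale when the newest GLSA id is older than an assumed 90-day threshold. The sample text is constructed to mimic the format shown in the post (the [N] and [A] entries are invented for illustration), and when the script is run with output piped on stdin it uses that instead.

```python
"""Parse `glsa-check --list` output: count statuses, list [N] entries, detect stale data.

Added example for this thread; not part of glsa-check, gentoolkit or any Funtoo tool.
"""
import re
import sys
from datetime import date

# One listing line: "<YYYYMM-NN> [<A|U|N>] <title> ( <atom> <atom> ... )"
LINE_RE = re.compile(r"^\s*(\d{6}-\d{2}) \[([AUN])\] (.+?) \( (.*?) \)\s*$")

# Constructed sample modelled on the post's listing; the [N] and [A] entries are invented.
SAMPLE = """\
<snip...>
  201702-29 [U] PHP: Multiple vulnerabilities ( dev-lang/php )
201703-03 [U] PuTTY: Buffer overflow ( net-misc/putty )
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.
201703-04 [N] cURL: Certificate validation error ( net-misc/curl )
201704-03 [U] X.Org: Multiple vulnerabilities ( x11-base/xorg-server  x11-libs/libICE  x11-libs/libXdmcp ... )
201801-17 [A] Poppler: Multiple vulnerabilities ( app-text/poppler )
"""


def parse_glsa_list(text):
    """Return one dict per GLSA line; the legend, '<snip...>' and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        glsa_id, status, title, atoms = m.groups()
        # Atoms are whitespace separated; a trailing "..." means glsa-check truncated the list.
        tokens = atoms.split()
        truncated = bool(tokens) and tokens[-1] == "..."
        if truncated:
            tokens = tokens[:-1]
        entries.append({
            "id": glsa_id,
            "status": status,
            "title": title,
            "atoms": tokens,
            "truncated": truncated,
        })
    return entries


def glsa_month(glsa_id):
    """GLSA ids are YYYYMM-NN; return the first day of that month as a date."""
    return date(int(glsa_id[:4]), int(glsa_id[4:6]), 1)


def possibly_affected(entries):
    """Entries glsa-check marked [N]: the ones worth checking against the kit README."""
    return [e for e in entries if e["status"] == "N"]


def newest_glsa(entries):
    """Highest GLSA id in the list, or None for an empty list (ids sort lexically by date)."""
    return max(e["id"] for e in entries) if entries else None


def data_looks_stale(entries, today, max_age_days=90):
    """True when the newest locally known GLSA is older than max_age_days (assumed threshold)."""
    newest = newest_glsa(entries)
    if newest is None:
        return True
    return (today - glsa_month(newest)).days > max_age_days


def summarize(text, today):
    """Aggregate a listing into the figures an admin would want at a glance."""
    entries = parse_glsa_list(text)
    return {
        "total": len(entries),
        "by_status": {s: sum(1 for e in entries if e["status"] == s) for s in "AUN"},
        "possibly_affected": [e["id"] for e in possibly_affected(entries)],
        "newest": newest_glsa(entries),
        "stale": data_looks_stale(entries, today),
    }


if __name__ == "__main__":
    # Usage: glsa-check --list all | python3 glsa_summary.py   (falls back to SAMPLE)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for key, value in summarize(text, date.today()).items():
        print(f"{key}: {value}")
```

A stale result is the signal the poster describes (a list that ends months before the current GLSA announcements), and it should be treated as "the data is untrustworthy" rather than "the system is clean". An [A] entry corresponds to a GLSA that was marked as applied (injected), which is how one would silence an advisory that Funtoo has already fixed by a backport at a lower version.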

 

 

  • 0
4 hours ago, palica said:

glsa-check doesn't provide up-to-date information for Funtoo. Funtoo also backports lots of security fixes for the forked packages, so the information that you get with --list affected could be inaccurate or wrong.

There is an open bug for the glsa-check tool for funtoo

in BFO https://bugs.funtoo.org/browse/FL-3832?jql=text ~ "glsa"

so you can subscribe to the bug and get an update once such a tool is ready for funtoo. Until then you will have to check gentoo's GLSA list and check the README.rst in the kit of the package, for example here:

https://github.com/funtoo/core-kit/blob/1.0-prime/README.rst

Funtoo also tries to audit forked ebuilds every 30 days. You can see all stale packages on this webpage:

http://ports.funtoo.org/stale/

If you want to help and use any of the packages that are listed as "stale", you can check if they are affected by any known vulnerabilities and report those on https://bugs.funtoo.org where they will be squashed as fast as possible.

Thank you in advance.

Thanks!

  • 0

There is no native GLSA-like tool in Funtoo, but it's being worked on. The GLSA tool will work with Funtoo, but it will produce some false positives. In Gentoo, security fixes are normally performed by a bump to a certain upstream version, which is an acceptable policy but not ideal. In Funtoo, for the ebuilds that are known for giving problems, security fixes are backported in very much the Debian or Red Hat manner. Real example:

https://glsa.gentoo.org/glsa/201801-17

states that you should update to version 0.57.0-r1. In Funtoo, all mentioned problems are fixed in version 0.52.0-r1. poppler is known for having an unstable ABI, and it's often an intrusive update on users' boxes (not always).

  • -1
# eix glsa
* net-analyzer/nagios-check_glsa2 [1]
     Доступные версии:      20120930-r1
     Домашняя страница:     https://github.com/craig/check_glsa2
     Описание:              Nagios check script for GLSAs (Gentoo Linux Security Advisories)

[1] "net-kit" /var/git/meta-repo/kits/net-kit

# emerge --searchdesc glsa
  
[ Results for search key : glsa ]
Searching...

*  net-analyzer/nagios-check_glsa2
      Latest version available: 20120930-r1
      Latest version installed: [ Not Installed ]
      Repository:    net-kit
      Size of files: 2 KiB
      Homepage:      https://github.com/craig/check_glsa2
      Description:   Nagios check script for GLSAs (Gentoo Linux Security Advisories)
      License:       GPL-2 BSD-2

*  security
      Description:   Package set that includes all packages affected by an unapplied GLSA

[ Applications found : 2 ]

https://github.com/funtoo/net-kit/tree/master/net-analyzer/nagios-check_glsa2

 

