From 5a3c4de093dac402cd84916f2ee577406885d7b5 Mon Sep 17 00:00:00 2001 From: Amitesh Gupta Date: Tue, 14 Jul 2026 11:00:36 +0530 Subject: [PATCH] fix: Gentoo GLSA data embeds the package SLOT directly in the version Addresses #1921. --- vulnerabilities/importers/gentoo.py | 14 ++- .../pipelines/v2_importers/gentoo_importer.py | 7 +- .../v2_importers/test_gentoo_importer_v2.py | 1 + .../gentoo/glsa-202511-03-expected.json | 95 +++++++++++++++++++ .../tests/test_data/gentoo/glsa-202511-03.xml | 45 +++++++++ .../gentoo_v2/glsa-202511-03-expected.json | 59 ++++++++++++ .../test_data/gentoo_v2/glsa-202511-03.xml | 45 +++++++++ vulnerabilities/tests/test_gentoo.py | 11 +++ 8 files changed, 272 insertions(+), 5 deletions(-) create mode 100644 vulnerabilities/tests/test_data/gentoo/glsa-202511-03-expected.json create mode 100644 vulnerabilities/tests/test_data/gentoo/glsa-202511-03.xml create mode 100644 vulnerabilities/tests/test_data/gentoo_v2/glsa-202511-03-expected.json create mode 100644 vulnerabilities/tests/test_data/gentoo_v2/glsa-202511-03.xml diff --git a/vulnerabilities/importers/gentoo.py b/vulnerabilities/importers/gentoo.py index f636fbd3f..448503d5a 100644 --- a/vulnerabilities/importers/gentoo.py +++ b/vulnerabilities/importers/gentoo.py @@ -144,6 +144,12 @@ def get_safe_and_affected_versions(pkg): if len(info.attrib.get("range")) > 2: continue + # GLSA data sometimes appends the SLOT to the version using a + # colon, e.g. "6.9.3:6" for a package in SLOT "6". A colon is not + # part of the Gentoo version syntax, so it must be stripped + # before the value can be parsed as a GentooVersion. + version = info.text.partition(":")[0] + if info.tag == "unaffected": # quick hack, to know whether this # version lies in this range, 'e' stands for @@ -153,14 +159,14 @@ def get_safe_and_affected_versions(pkg): # which ('rle', 'rge', 'rgt') are ignored, because they compare # 'release' not the 'version'. if "e" in info.attrib["range"]: - safe_versions.add(info.text) + safe_versions.add(version) else: - affected_versions.add(info.text) + affected_versions.add(version) elif info.tag == "vulnerable": if "e" in info.attrib["range"]: - affected_versions.add(info.text) + affected_versions.add(version) else: - safe_versions.add(info.text) + safe_versions.add(version) return safe_versions, affected_versions diff --git a/vulnerabilities/pipelines/v2_importers/gentoo_importer.py b/vulnerabilities/pipelines/v2_importers/gentoo_importer.py index 91f1d85c3..513d6002e 100644 --- a/vulnerabilities/pipelines/v2_importers/gentoo_importer.py +++ b/vulnerabilities/pipelines/v2_importers/gentoo_importer.py @@ -185,4 +185,9 @@ def get_affected_and_fixed_purls(affected_elem, logger): qualifiers = {"slot": slot_value} if slot_value else {} purl = PackageURL(type="ebuild", name=pkg_name, namespace=pkg_ns, qualifiers=qualifiers) - yield purl, (comparator, info.text), (info.tag == "unaffected") + # GLSA data sometimes appends the SLOT to the version using a + # colon, e.g. "6.9.3:6" for a package in SLOT "6". A colon is not + # part of the Gentoo version syntax, so it must be stripped + # before the value can be parsed as a GentooVersion. + version = info.text.partition(":")[0] + yield purl, (comparator, version), (info.tag == "unaffected") diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_gentoo_importer_v2.py b/vulnerabilities/tests/pipelines/v2_importers/test_gentoo_importer_v2.py index 796a87e1a..3eaba1669 100644 --- a/vulnerabilities/tests/pipelines/v2_importers/test_gentoo_importer_v2.py +++ b/vulnerabilities/tests/pipelines/v2_importers/test_gentoo_importer_v2.py @@ -22,6 +22,7 @@ TEST_DATA / "glsa-201709-09.xml", TEST_DATA / "glsa-202511-02.xml", TEST_DATA / "glsa-202512-01.xml", + TEST_DATA / "glsa-202511-03.xml", ] diff --git a/vulnerabilities/tests/test_data/gentoo/glsa-202511-03-expected.json b/vulnerabilities/tests/test_data/gentoo/glsa-202511-03-expected.json new file mode 100644 index 000000000..19915436a --- /dev/null +++ b/vulnerabilities/tests/test_data/gentoo/glsa-202511-03-expected.json @@ -0,0 +1,95 @@ +[ + { + "aliases": [ + "CVE-2023-45872" + ], + "summary": "Multiple vulnerabilities have been discovered in qtsvg, the worst of which could lead to execution of arbitrary code.", + "affected_packages": [ + { + "package": { + "type": "ebuild", + "namespace": "dev-qt", + "name": "qtsvg", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:ebuild/!=6.9.3", + "fixed_version": null + } + ], + "references": [ + { + "reference_id": "GLSA-202511-03", + "reference_type": "", + "url": "https://security.gentoo.org/glsa/202511-03", + "severities": [] + } + ], + "date_published": null, + "weaknesses": [], + "url": "https://security.gentoo.org/glsa/202511-03" + }, + { + "aliases": [ + "CVE-2025-10728" + ], + "summary": "Multiple vulnerabilities have been discovered in qtsvg, the worst of which could lead to execution of arbitrary code.", + "affected_packages": [ + { + "package": { + "type": "ebuild", + "namespace": "dev-qt", + "name": "qtsvg", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:ebuild/!=6.9.3", + "fixed_version": null + } + ], + "references": [ + { + "reference_id": "GLSA-202511-03", + "reference_type": "", + "url": "https://security.gentoo.org/glsa/202511-03", + "severities": [] + } + ], + "date_published": null, + "weaknesses": [], + "url": "https://security.gentoo.org/glsa/202511-03" + }, + { + "aliases": [ + "CVE-2025-10729" + ], + "summary": "Multiple vulnerabilities have been discovered in qtsvg, the worst of which could lead to execution of arbitrary code.", + "affected_packages": [ + { + "package": { + "type": "ebuild", + "namespace": "dev-qt", + "name": "qtsvg", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:ebuild/!=6.9.3", + "fixed_version": null + } + ], + "references": [ + { + "reference_id": "GLSA-202511-03", + "reference_type": "", + "url": "https://security.gentoo.org/glsa/202511-03", + "severities": [] + } + ], + "date_published": null, + "weaknesses": [], + "url": "https://security.gentoo.org/glsa/202511-03" + } +] \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/gentoo/glsa-202511-03.xml b/vulnerabilities/tests/test_data/gentoo/glsa-202511-03.xml new file mode 100644 index 000000000..0ee9d44d5 --- /dev/null +++ b/vulnerabilities/tests/test_data/gentoo/glsa-202511-03.xml @@ -0,0 +1,45 @@ + + + + qtsvg: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in qtsvg, the worst of which could lead to execution of arbitrary code. + qtsvg + 2025-11-24 + 2025-11-24 + 915998 + 963710 + local and remote + + + 6.9.3:6 + 6.9.3:6 + + + +

qtsvg is a SVG rendering library for the Qt framework.

+
+ +

Multiple vulnerabilities have been discovered in qtsvg. Please review the CVE identifiers referenced below for details.

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All qtsvg users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-qt/qtsvg-6.9.3" + +
+ + CVE-2023-45872 + CVE-2025-10728 + CVE-2025-10729 + + graaff + sam +
diff --git a/vulnerabilities/tests/test_data/gentoo_v2/glsa-202511-03-expected.json b/vulnerabilities/tests/test_data/gentoo_v2/glsa-202511-03-expected.json new file mode 100644 index 000000000..4b65d7b07 --- /dev/null +++ b/vulnerabilities/tests/test_data/gentoo_v2/glsa-202511-03-expected.json @@ -0,0 +1,59 @@ +[ + { + "advisory_id": "GLSA-202511-03", + "aliases": [ + "CVE-2023-45872", + "CVE-2025-10728", + "CVE-2025-10729" + ], + "summary": "Multiple vulnerabilities have been discovered in qtsvg, the worst of which could lead to execution of arbitrary code.", + "affected_packages": [ + { + "package": { + "type": "ebuild", + "namespace": "dev-qt", + "name": "qtsvg", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:ebuild/<6.9.3", + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + }, + { + "package": { + "type": "ebuild", + "namespace": "dev-qt", + "name": "qtsvg", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version_range": "vers:ebuild/>=6.9.3", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references": [ + { + "reference_id": "GLSA-202511-03", + "reference_type": "", + "url": "https://security.gentoo.org/glsa/202511-03" + } + ], + "patches": [], + "severities": [ + { + "system": "generic_textual", + "value": "high", + "scoring_elements": "" + } + ], + "date_published": null, + "weaknesses": [], + "url": "https://security.gentoo.org/glsa/202511-03" + } +] \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/gentoo_v2/glsa-202511-03.xml b/vulnerabilities/tests/test_data/gentoo_v2/glsa-202511-03.xml new file mode 100644 index 000000000..0ee9d44d5 --- /dev/null +++ b/vulnerabilities/tests/test_data/gentoo_v2/glsa-202511-03.xml @@ -0,0 +1,45 @@ + + + + qtsvg: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in qtsvg, the worst of which could lead to execution of arbitrary code. + qtsvg + 2025-11-24 + 2025-11-24 + 915998 + 963710 + local and remote + + + 6.9.3:6 + 6.9.3:6 + + + +

qtsvg is a SVG rendering library for the Qt framework.

+
+ +

Multiple vulnerabilities have been discovered in qtsvg. Please review the CVE identifiers referenced below for details.

+
+ +

Please review the referenced CVE identifiers for details.

+
+ +

There is no known workaround at this time.

+
+ +

All qtsvg users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-qt/qtsvg-6.9.3" + +
+ + CVE-2023-45872 + CVE-2025-10728 + CVE-2025-10729 + + graaff + sam +
diff --git a/vulnerabilities/tests/test_gentoo.py b/vulnerabilities/tests/test_gentoo.py index 74bbaedd8..3401792ec 100644 --- a/vulnerabilities/tests/test_gentoo.py +++ b/vulnerabilities/tests/test_gentoo.py @@ -32,3 +32,14 @@ def test_gentoo_import(): result = [adv.to_dict() for adv in advisories] expected_file = os.path.join(TEST_DIR, "gentoo-expected.json") util_tests.check_results_against_json(result, expected_file) + + +def test_gentoo_import_version_with_slot(): + # See https://github.com/aboutcode-org/vulnerablecode/issues/1921 + # GLSA data can append the SLOT to a version using a colon, e.g. + # "6.9.3:6", which is not valid Gentoo version syntax on its own. + file = os.path.join(TEST_DIR, "glsa-202511-03.xml") + advisories = GentooImporter().process_file(file) + result = [adv.to_dict() for adv in advisories] + expected_file = os.path.join(TEST_DIR, "glsa-202511-03-expected.json") + util_tests.check_results_against_json(result, expected_file)