confused by ranges

Jacques A. Vidrine nectar at
Sun Sep 19 08:24:45 PDT 2004

On Sat, Sep 18, 2004 at 05:21:37PM -0400, Dan Langille wrote:
> I'm having a quick look through vuln.xml:
>         <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
> Intuitively, that means you are vulnerable if you have versions >= 
> 2.0 or < 2.0.50_3.

Not quite.  <range> elements specify version ranges (intervals).  The
snip above specifies

      x >= 2.0 AND x < 2.0.50_3
      2.0 <= x < 2.0.50_3
      [2.0, 2.0.50_3)

All of these are acceptable means of expressing the same idea.  I tend
to visualize the middle one... and in fact that is how I render the
ranges on (e.g.  "2.0 <= apache < 2.0.50_3").

> Is that correct?  Is that how to apply the rules. I found the DTD 
> confused me more than the examples did.

Then perhaps I should add some more examples and work on the text
description :-)

> This is an interesting example:
>         <range><lt>1.1.2_1</lt></range>
>         <range><ge>2.0</ge></range>
> Two range statements in the same package... instead of one range with 
> two operators.  Why?

Because they are two non-contiguous ranges and cannot be expressed by a
single interval.  The two are:

            x < 1.1.2_1
     2.0 >= x

or equivalently [0, 1.1.2_1) and [2.0, infinity).

Hmm, re-reading what you wrote, it seems you want to think of it
algorithmically.  In that case, you could interpret each <range> element
as containing expressions that should be ANDed (although the number and
form of the expressions are constrained by the DTD), while multiple
<range> elements in one <package> should be ORed.

Hope this helps!

Jacques A Vidrine / NTT/Verio
nectar at / jvidrine at / nectar at

More information about the freebsd-vuxml mailing list