confused by ranges
dan at langille.org
Sun Sep 19 05:38:35 PDT 2004
On 19 Sep 2004 at 9:56, Mathieu Arnold wrote:
> +-On 18/09/2004 17:21 -0400, Dan Langille wrote:
> | I'm having a quick look through vuln.xml:
> | <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
> | Intuitively, that means you are vulnerable if you have versions >=
> | 2.0 or < 2.0.50_3.
> This one is an AND : VER > 2.0 AND VER < 2.0.50_3
If there are two operators in a range, it is an AND. The testing
value always goes before the supplied operator. Correct?
> | Is that correct? Is that how to apply the rules? I found the DTD
> | confused me more than the examples did.
> | This is an interesting example:
> | <range><lt>1.1.2_1</lt></range>
> | <range><ge>2.0</ge></range>
> | Two range statements in the same package... instead of one range with
> | two operators. Why?
> This one is an OR, that is VER < 1.1.2_1 or VER > 2.0
> because the version can't be < 1.1.2_1 and > 2.0.
If there are multiple ranges for a package within a vuln, they are
used to construct an OR. Actually, they could be applied separately
to test values separately (i.e. if one was processing this one row at
a time, you could just test the value and not worry about whether or
not the next row contained another range entry).
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/
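
The range semantics discussed in this thread (operators inside one <range> are ANDed, several <range> elements for one package are ORed), as an added example that is not part of the original message or of any FreeBSD tool. The <package>/<name> wrapper, the package name "example", the function names and the simplified version comparison (dotted numbers plus an optional _N port revision only) are assumptions.

```python
import operator
import re
import xml.etree.ElementTree as ET

# Constructed sample built from the two-<range> example quoted in the thread.
# The <package>/<name> wrapper and the name "example" are assumptions.
SAMPLE = """
<package>
  <name>example</name>
  <range><lt>1.1.2_1</lt></range>
  <range><ge>2.0</ge></range>
</package>
"""

# The single range with two operators quoted at the top of the thread.
AND_RANGE = "<range><ge>2.0</ge><lt>2.0.50_3</lt></range>"

OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}


def version_key(version):
    """Simplified sort key: dotted numeric version plus optional _portrevision.
    Assumption: no epoch (,N), letters or other suffixes are handled here."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    return (tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0))


def in_range(installed, range_elem):
    """Every operator inside one <range> must hold (AND).
    The installed version is the left operand: installed <op> bound."""
    inst = version_key(installed)
    return all(OPS[op.tag](inst, version_key(op.text.strip()))
               for op in range_elem)


def is_affected(installed, package_elem):
    """Any matching <range> marks the package as affected (OR), so each
    <range> can be tested on its own, one row at a time."""
    return any(in_range(installed, r) for r in package_elem.findall("range"))


if __name__ == "__main__":
    pkg = ET.fromstring(SAMPLE)
    for v in ("1.1.2", "1.1.2_1", "1.3", "2.0"):
        print(v, is_affected(v, pkg))
```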