confused by ranges
Jacques A. Vidrine
nectar at FreeBSD.org
Sun Sep 19 08:24:45 PDT 2004
On Sat, Sep 18, 2004 at 05:21:37PM -0400, Dan Langille wrote:
> I'm having a quick look through vuln.xml:
>
> <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
>
> Intuitively, that means you are vulnerable if you have versions >=
> 2.0 or < 2.0.50_3.
Not quite. <range> elements specify version ranges (intervals). The
snip above specifies
x >= 2.0 AND x < 2.0.50_3
2.0 <= x < 2.0.50_3
[2.0, 2.0.50_3)
All of these are acceptable means of expressing the same idea. I tend
to visualize the middle one... and in fact that is how I render the
ranges on vuxml.org (e.g. "2.0 <= apache < 2.0.50_3").
> Is that correct? Is that how to apply the rules? I found the DTD
> confused me more than the examples did.
Then perhaps I should add some more examples and work on the text
description :-)
> This is an interesting example:
>
> <range><lt>1.1.2_1</lt></range>
> <range><ge>2.0</ge></range>
>
> Two range statements in the same package... instead of one range with
> two operators. Why?
Because they are two non-contiguous ranges and cannot be expressed by a
single interval. The two are:
x < 1.1.2_1
2.0 >= x
or equivalently [0, 1.1.2_1) and [2.0, infinity).
Hmm, re-reading what you wrote, it seems you want to think of it
algorithmically. In that case, you could interpret each <range> element
as containing expressions that should be ANDed (although the number and
form of the expressions are constrained by the DTD), while multiple
<range> elements in one <package> should be ORed.
Hope this helps!
Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar at celabo.org / jvidrine at verio.net / nectar at FreeBSD.org
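As an added illustration of the AND-within-a-range, OR-across-ranges reading described in the reply (example code written for this page, not from the message or the VuXML project), here is a small Python checker run over a constructed <package> built from the two snippets quoted in the thread. The version ordering is a simplified stand-in for FreeBSD's ports version comparison and assumes numeric components only; the <package>/<name> wrapper is assumed from the VuXML layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two <range> forms quoted in the thread wrapped in
# an assumed <package> element (the real entry layout is not on the page).
SAMPLE_XML = """
<package>
  <name>apache</name>
  <range><lt>1.1.2_1</lt></range>
  <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
</package>
"""

# Comparison tags defined by VuXML; the thread itself only shows lt and ge.
OPS = {
    "lt": lambda x, y: x < y,
    "le": lambda x, y: x <= y,
    "eq": lambda x, y: x == y,
    "ge": lambda x, y: x >= y,
    "gt": lambda x, y: x > y,
}

def parse_version(v):
    """Simplified ports version key: 'version[_revision][,epoch]'.
    Epoch dominates, then dotted numeric components, then port revision.
    Assumption: components are plain integers (no letters or 'pl' suffixes)."""
    v, _, epoch = v.partition(",")
    v, _, rev = v.partition("_")
    comps = tuple(int(c) for c in v.split("."))
    return (int(epoch or 0), comps, int(rev or 0))

def in_range(range_el, version):
    """Every bound inside one <range> must hold (the bounds are ANDed)."""
    key = parse_version(version)
    return all(OPS[b.tag](key, parse_version(b.text.strip())) for b in range_el)

def is_affected(package_el, version):
    """Any <range> in the <package> matching is enough (ranges are ORed)."""
    return any(in_range(r, version) for r in package_el.findall("range"))

def affected_versions(xml_text, versions):
    pkg = ET.fromstring(xml_text)
    return {v: is_affected(pkg, v) for v in versions}

if __name__ == "__main__":
    probes = ["1.1.2", "1.1.2_1", "1.3.33", "2.0", "2.0.50_2", "2.0.50_3"]
    for v, hit in affected_versions(SAMPLE_XML, probes).items():
        print(f"{v:10} {'affected' if hit else 'ok'}")
```

Note that 1.3.33 falls in the gap between the two intervals and is reported as not affected, which is exactly why the entry needs two <range> elements rather than one.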