confused by ranges
dan at langille.org
Sun Sep 19 16:35:58 PDT 2004
On 19 Sep 2004 at 10:24, Jacques A. Vidrine wrote:
> On Sat, Sep 18, 2004 at 05:21:37PM -0400, Dan Langille wrote:
> > I'm having a quick look through vuln.xml:
> > <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
> > Intuitively, that means you are vulnerable if you have versions >=
> > 2.0 or < 2.0.50_3.
> Not quite. <range> elements specify version ranges (intervals). The
> snip above specifies
> x >= 2.0 AND x < 2.0.50_3
> 2.0 <= x < 2.0.50_3
> [2.0, 2.0.50_3)
> All of these are acceptable means of expressing the same idea. I tend
> to visualize the middle one... and in fact that is how I render the
> ranges on vuxml.org (e.g. "2.0 <= apache < 2.0.50_3").
FWIW, the FreshPorts vuxml_ranges is set up with that in mind. It
looks something like this:
version_start | operator_start | operator_end | version_end
And the version being tested goes between the second and third
columns. However, I think I will now change this. What I have
requires flipping an operator. For now, I'd rather duplicate exactly
what is in the vuln.xml file.
> > Is that correct? Is that how to apply the rules. I found the DTD
> > confused me more than the examples did.
> Then perhaps I should add some more examples and work on the text
> description :-)
Yep. Practical examples work wonders.
> > This is an interesting example:
> > <range><lt>1.1.2_1</lt></range>
> > <range><ge>2.0</ge></range>
> > Two range statements in the same package... instead of one range with
> > two operators. Why?
> Because they are two non-contiguous ranges and cannot be expressed by a
> single interval. The two are:
> x < 1.1.2_1
> 2.0 >= x
> or equivalently [0, 1.1.2_1) and [2.0, infinity).
> Hmm, re-reading what you wrote, it seems you want to think of it
> algorithmically. In that case, you could interpret each <range> element
> as containing expressions that should be ANDed (although the number and
> form of the expressions are constrained by the DTD), while multiple
> <range> elements in one <package> should be ORed.
> Hope this helps!
It does. Thanks. I know how to complete this part now.
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/
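A small evaluator for the semantics worked out above (the bounds inside one <range> are ANDed, multiple <range> elements in one <package> are ORed), added here as an example; it is not code from the thread, from VuXML or from FreshPorts. The <package> fragment, the function names and the version ordering are assumptions of the example: `version_key` is a simplified stand-in for FreeBSD's pkg_version comparison (dotted numeric components plus an optional `_N` revision) and does not handle PORTEPOCH or every real-world version string.

```python
"""Evaluate VuXML-style <range> elements against a package version.

Added example, not code from the thread or from the VuXML project.
Semantics as discussed: bounds inside one <range> are ANDed; several
<range> elements under one <package> are ORed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape discussed on the list (not a real entry):
# two non-contiguous intervals, [0, 1.1.2_1) and [2.0, 2.0.50_3).
SAMPLE = """<package>
  <name>apache</name>
  <range><lt>1.1.2_1</lt></range>
  <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
</package>"""


def version_key(v):
    """Simplified ordering key (assumption: not the real pkg_version rules).

    "2.0.50_3" -> (((2,''),(0,''),(50,'')), 3).  Each dotted component is
    split into a numeric part and a trailing alphabetic part so that
    2.0.9 < 2.0.10; a missing _N revision counts as 0.
    """
    base, _, rev = v.strip().partition("_")
    parts = []
    for comp in base.split("."):
        num, alpha = re.fullmatch(r"(\d*)(.*)", comp).groups()
        parts.append((int(num) if num else 0, alpha))
    return tuple(parts), int(rev or 0)


# The four bound elements allowed inside a <range>.
OPS = {
    "ge": lambda x, y: x >= y,
    "gt": lambda x, y: x > y,
    "le": lambda x, y: x <= y,
    "lt": lambda x, y: x < y,
}


def range_matches(rng, version):
    """AND: every bound in this <range> must hold for the version."""
    key = version_key(version)
    return all(OPS[b.tag](key, version_key(b.text)) for b in rng)


def package_affected(pkg, version):
    """OR: the version is affected if any <range> of the package matches."""
    return any(range_matches(r, version) for r in pkg.findall("range"))


def render_range(name, rng):
    """Render one <range> the way the thread describes vuxml.org doing it,
    e.g. '2.0 <= apache < 2.0.50_3' or 'apache < 1.1.2_1'."""
    lower_sym = {"ge": "<=", "gt": "<"}
    upper_sym = {"le": "<=", "lt": "<"}
    text = name
    for b in rng:
        if b.tag in lower_sym:
            text = f"{b.text.strip()} {lower_sym[b.tag]} " + text
        elif b.tag in upper_sym:
            text = text + f" {upper_sym[b.tag]} {b.text.strip()}"
    return text


def check(xml_text, version):
    """Parse a <package> fragment and report whether `version` falls in
    any of its ranges."""
    return package_affected(ET.fromstring(xml_text), version)


def render(xml_text):
    """Return the human-readable form of every <range> in the fragment."""
    pkg = ET.fromstring(xml_text)
    name = pkg.findtext("name", default="?").strip()
    return [render_range(name, r) for r in pkg.findall("range")]


if __name__ == "__main__":
    for line in render(SAMPLE):
        print(line)
    for v in ("1.1.1", "1.1.2_1", "1.5", "2.0", "2.0.50_2", "2.0.50_3"):
        print(f"{v:10} affected={check(SAMPLE, v)}")
```

Running the block prints the two rendered intervals and then, for each probe version, whether it is inside the union of the two ranges; 1.5 is reported as not affected because it lies in the gap between the intervals, and 2.0.50_3 is excluded because the upper bound is exclusive.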