Date:      Sun, 19 Sep 2004 10:24:24 -0500
From:      "Jacques A. Vidrine" <nectar@FreeBSD.org>
To:        Dan Langille <dan@langille.org>
Cc:        freebsd-vuxml@freebsd.org
Subject:   Re: confused by ranges
Message-ID:  <20040919152424.GA16616@lum.celabo.org>
In-Reply-To: <414C6EA1.25173.34BD6CDE@localhost>
References:  <414C6EA1.25173.34BD6CDE@localhost>

On Sat, Sep 18, 2004 at 05:21:37PM -0400, Dan Langille wrote:
> I'm having a quick look through vuln.xml:
> 
>         <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
> 
> Intuitively, that means you are vulnerable if you have versions >= 
> 2.0 or < 2.0.50_3.

Not quite.  <range> elements specify version ranges (intervals).  The
snip above specifies

      x >= 2.0 AND x < 2.0.50_3
      2.0 <= x < 2.0.50_3
      [2.0, 2.0.50_3)

All of these are acceptable means of expressing the same idea.  I tend
to visualize the middle one... and in fact that is how I render the
ranges on vuxml.org (e.g.  "2.0 <= apache < 2.0.50_3").

> Is that correct?  Is that how to apply the rules? I found the DTD 
> confused me more than the examples did.

Then perhaps I should add some more examples and work on the text
description :-)

> This is an interesting example:
> 
>         <range><lt>1.1.2_1</lt></range>
>         <range><ge>2.0</ge></range>
> 
> Two range statements in the same package... instead of one range with 
> two operators.  Why?

Because they are two non-contiguous ranges and cannot be expressed by a
single interval.  The two are:

            x < 1.1.2_1
     2.0 >= x

or equivalently [0, 1.1.2_1) and [2.0, infinity).


Hmm, re-reading what you wrote, it seems you want to think of it
algorithmically.  In that case, you could interpret each <range> element
as containing expressions that should be ANDed (although the number and
form of the expressions are constrained by the DTD), while multiple
<range> elements in one <package> should be ORed.

Hope this helps!

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org
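
The AND-within-a-range, OR-across-ranges reading described in the message above, as an added Python example that is not part of the original e-mail or of any VuXML tooling. The version key is a simplified assumption (dotted numbers plus a `_N` port revision), and the sample `<package>` entries are constructed around the ranges quoted in the thread.

```python
import operator
import xml.etree.ElementTree as ET

# Comparison elements allowed inside a VuXML <range>.
# An unknown element name raises KeyError instead of being ignored.
OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}

def parse_version(text):
    """Simplified sort key: dotted numeric parts plus _N port revision.
    Assumption: no epochs (",N") or letter suffixes, which real
    FreeBSD version comparison also has to handle."""
    base, _, rev = text.strip().partition("_")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)

def in_range(range_el, version):
    """Every bound inside one <range> must hold (AND)."""
    bounds = list(range_el)
    if not bounds:
        # all() over nothing is True: an empty range would match everything.
        raise ValueError("empty <range>")
    return all(OPS[b.tag](version, parse_version(b.text)) for b in bounds)

def is_affected(package_xml, installed):
    """One matching <range> in the <package> is enough (OR)."""
    pkg = ET.fromstring(package_xml)
    version = parse_version(installed)
    return any(in_range(r, version) for r in pkg.iter("range"))

# Constructed sample entries using the ranges quoted in the thread.
SINGLE = """<package><name>apache</name>
  <range><ge>2.0</ge><lt>2.0.50_3</lt></range></package>"""
SPLIT = """<package><name>example</name>
  <range><lt>1.1.2_1</lt></range>
  <range><ge>2.0</ge></range></package>"""

if __name__ == "__main__":
    for v in ("1.3.31", "2.0", "2.0.50_2", "2.0.50_3"):
        print("single", v, is_affected(SINGLE, v))
    for v in ("1.1.2", "1.1.2_1", "1.5", "2.0", "2.1.4"):
        print("split ", v, is_affected(SPLIT, v))
```

Version 1.3.31 is the case that separates the two readings: it satisfies `< 2.0.50_3` but not `>= 2.0`, so the interval reading reports it as unaffected while an OR of the two bounds would flag it.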


