From owner-freebsd-vuxml@FreeBSD.ORG  Sun Sep 19 12:38:35 2004
Return-Path: <owner-freebsd-vuxml@FreeBSD.ORG>
Delivered-To: freebsd-vuxml@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F3E8016A4CE
	for <freebsd-vuxml@freebsd.org>; Sun, 19 Sep 2004 12:38:34 +0000 (GMT)
Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C5B0D43D3F
	for <freebsd-vuxml@freebsd.org>; Sun, 19 Sep 2004 12:38:34 +0000 (GMT)
	(envelope-from dan@langille.org)
Received: from wocker (wocker.unixathome.org [192.168.0.99])
	by bast.unixathome.org (Postfix) with ESMTP
	id F12803D3D; Sun, 19 Sep 2004 08:38:33 -0400 (EDT)
From: "Dan Langille" <dan@langille.org>
To: Mathieu Arnold <mat@mat.cc>
Date: Sun, 19 Sep 2004 08:38:33 -0400
MIME-Version: 1.0
Message-ID: <414D4589.218.3804EA89@localhost>
Priority: normal
In-reply-to: <4433CFB17394B75789799BD9@nescarba.in.t-online.fr>
References: <414C6EA1.25173.34BD6CDE@localhost>
X-mailer: Pegasus Mail for Windows (v4.12a)
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: Quoted-printable
Content-description: Mail message body
cc: freebsd-vuxml@freebsd.org
Subject: Re: confused by ranges
X-BeenThere: freebsd-vuxml@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Documenting security issues in VuXML <freebsd-vuxml.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-vuxml>,
	<mailto:freebsd-vuxml-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-vuxml>
List-Post: <mailto:freebsd-vuxml@freebsd.org>
List-Help: <mailto:freebsd-vuxml-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-vuxml>,
	<mailto:freebsd-vuxml-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Sep 2004 12:38:35 -0000

On 19 Sep 2004 at 9:56, Mathieu Arnold wrote:

> +-le 18/09/2004 17:21 -0400, Dan Langille =E9crivait :
> | I'm having a quick look through vuln.xml:
> | 
> |         <range><ge>2.0</ge><lt>2.0.50_3</lt></range>
> | 
> | Intuitively, that means you are vulnerable if you have versions >=3D 
> | 2.0 or < 2.0.50_3.
> 
> This one is an AND : VER > 2.0 AND VER < 2.0.50_3

If there are two operators in a range, it is an AND.  The testing 
values always goes before the supplied operator.  Correct?

> | Is that correct?  Is that how to apply the rules. I found the DTD 
> | confused me more than the examples did.
> | 
> | This is an interesting example:
> | 
> |         <range><lt>1.1.2_1</lt></range>
> |         <range><ge>2.0</ge></range>
> | 
> | Two range statements in the same package... instead of one range with 
> | two operators.  Why?
> 
> This one is an OR, that is VER < 1.1.2_1 or VER > 2.0
> 
> because the version can't be < 1.1.2_1 and > 2.0.

If there are multiple ranges for a package within a vuln, they are 
used to construct an OR.  Actually, they could be applied separately 
to test values separately (i.e. if one was processing this one row at 
a time, you could just test the value and not worry about whether or 
not the next row contained another range entry).

Correct?

Thank you.
-- 
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/