camille ~ # glsa-check -t all
This system is affected by the following GLSAs:
200801-19
camille ~ # glsa-check -d 200801-19
GLSA 200801-19:
GOffice: Multiple vulnerabilities
================================================== ==========================
Synopsis: Multiple vulnerabilities in GOffice could result in
the
execution of arbitrary code.
Announced on: January 30, 2008
Last revised on: January 30, 2008: 01

Affected package: x11-libs/goffice
Affected archs: All
Vulnerable: <0.6.1
Unaffected: >=0.6.1 >=~0.4.3


Related bugs: 198385

Background: GOffice is a library of document-centric objects and
utilities based on GTK.

Description: GOffice includes a copy of PCRE which is vulnerable
to
multiple buffer overflows and memory corruptions
vulnerabilities (GLSA 200711-30).

Impact: An attacker could entice a user to open specially
crafted
documents with GOffice, which could possibly lead to
the
execution of arbitrary code, a Denial of Service or
the
disclosure of sensitive information.

Workaround: There is no known workaround at this time.

Resolution: All GOffice 0.4.x users should upgrade to the latest
version:

# emerge --sync
# emerge --ask --oneshot --verbose
">=x11-libs/goffice-0.4.3"
All GOffice 0.6.x users should upgrade to the latest
version:

# emerge --sync
# emerge --ask --oneshot --verbose
">=x11-libs/goffice-0.6.1"

References:
GLSA-200711-30:
http://www.gentoo.org/security/en/glsa/glsa-200711-30.xml


camille ~ # emerge -pv ">=x11-libs/goffice-0.6.1"

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild R ] x11-libs/goffice-0.6.1 USE="gnome -debug" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB

I've emerged this several times and glsa-check still claims it needs to
be fixed. Why?

--
gentoo-user@lists.gentoo.org mailing list

On Mon, Feb 11, 2008 at 09:24:41AM -0600, Michael Sullivan wrote:
> camille ~ # glsa-check -t all
> This system is affected by the following GLSAs:
> 200801-19
> camille ~ # glsa-check -d 200801-19
> GLSA 200801-19:
> GOffice: Multiple vulnerabilities
> ================================================== ==========================
> Synopsis: Multiple vulnerabilities in GOffice could result in
> the
> execution of arbitrary code.
> Announced on: January 30, 2008
> Last revised on: January 30, 2008: 01
>
> Affected package: x11-libs/goffice
> Affected archs: All
> Vulnerable: <0.6.1
> Unaffected: >=0.6.1 >=~0.4.3



> camille ~ # emerge -pv ">=x11-libs/goffice-0.6.1"
>
> These are the packages that would be merged, in order:
>
> Calculating dependencies... done!
> [ebuild R ] x11-libs/goffice-0.6.1 USE="gnome -debug" 0 kB
>
> Total: 1 package (1 reinstall), Size of downloads: 0 kB
>
> I've emerged this several times and glsa-check still claims it needs to
> be fixed. Why?


I have had a similar issue with a Python GLSA. Have you checked to see
if you have multiple versions installed (in slots)?

Try 'emerge --unmerge --pretend goffice' and see if it offers to unmerge
multiple versions. You may simply need to unmerge the vulnerable version
to sort things out.


--
Reverend Paul Colquhoun, ULC. http://andor.dropbear.id.au/~paulcol
Asking for technical help in newsgroups? Read this first:
http://catb.org/~esr/faqs/smart-questions.html#intro
--
gentoo-user@lists.gentoo.org mailing list