# RELAX NG (compact syntax) schema for Gentoo Linux Security Advisories.
# The "a" prefix binds the RELAX NG compatibility annotations namespace,
# used further down for a:defaultValue on optional attributes.
namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0"
# Element: glsa
# Description: Document root of an advisory.
# The children form an ordered group: a validator rejects a document
# whose child elements appear in a different order than listed here.
# Attribute: @id: advisory identifier. It is unconstrained text, so a
# consumer that turns it into a file name, URL or database key has to
# validate it itself; the schema does not.
#
# Example: <glsa id="...">...</glsa>   (constructed; id format not defined here)
glsa =
element glsa {
attlist.glsa,
title,
synopsis,
product,
announced,
revised,
bug*,
access?,
affected,
background?,
description,
impact,
workaround,
resolution,
references,
license?,
metadata*
}
attlist.glsa &= attribute id { text }
# Element: title
# Description: Provides a 4-5 word description about the advisory
# (the length guidance is documentation only; the content is
# unconstrained text and no length is enforced by the schema)
# Example: <title>Buffer overflow vulnerability found in openssl-0.9.5</title>
title = element title { attlist.title, text }
attlist.title &= empty
# Element: synopsis
# Description: Small, to-the-point description about the GLSA
# Content is plain text only: no inline markup (p, b, i, uri, ...)
# is permitted here, unlike the prose sections below.
#
# Example: <synopsis>
# rsync has an exploitable buffer overflow that can lead to
# remote compromise
# </synopsis>
synopsis = element synopsis { attlist.synopsis, text }
attlist.synopsis &= empty
# Element: product
# Description: Defines what type of security announcement this is.
#
# Valid types are:
# - ebuild A Portage-provided ebuild has a security
# issue
# - informational This GLSA is purely informational, no Gentoo
# system is affected
# - infrastructure The security issue involves the Gentoo
# infrastructure
#
# The text contains one keyword that defines the issue.
# Note: All type values but 'ebuild' are considered deprecated.
# The deprecation is documentation only: the schema still accepts all
# three values, and @type is mandatory (no default is declared).
#
# Example: <product type="ebuild">openssl</product>
# Example: <product type="infrastructure">rsync mirror</product>
product = element product { attlist.product, text }
attlist.product &=
attribute type { "ebuild" | "infrastructure" | "informational" }
# Element: announced
# Description: Date when the advisory is publicised
# The format must be "YYYY-mm-dd"
# NOTE(review): the content is declared as plain text, so the date
# format is not enforced by validation; consumers must parse and
# reject malformed dates themselves. A datatype such as xsd:date
# (with a datatypes declaration) would let the validator enforce it.
#
# Example: <announced>2003-11-20</announced>
announced = element announced { attlist.announced, text }
attlist.announced &= empty
# Element: revised
# Description: Last revision date of the GLSA
# Attribute: @count: number of revisions
# @count is optional; the a:defaultValue annotation supplies "01" when
# it is absent. Like the date itself, it is unconstrained text, so
# neither the "YYYY-mm-dd" form nor a numeric count is validated.
#
# Example: <revised count="02">2003-11-20</revised>
revised = element revised { attlist.revised, text }
attlist.revised &= [ a:defaultValue = "01" ] attribute count { text }?
# Element: bug
# Description: Number of the bug on bugs.gentoo.org, if any
# Occurrence: The bug element can occur 0, 1 or more times
# The content is plain text; a numeric value is not enforced, so code
# that builds bug-tracker URLs from it should validate it is an integer.
#
# Example: <bug>34200</bug>
bug = element bug { attlist.bug, text }
attlist.bug &= empty
# Element: access
# Description: Type of access necessary to exploit the security issue
# This element should only be used when product@type = 'ebuild'
# (that coupling is not expressed in the schema; any product type
# may carry an access element and any text value is accepted)
# Occurrence: The access element can occur 0 or 1 time
#
# Example: <access>Remote</access>
access = element access { attlist.access, text }
attlist.access &= empty
# Element: affected
# Description: Describe what the affected subjects are.
#
# If product@type = 'ebuild', the child elements are 'package'
# If product@type = 'portage', the child elements are 'package'
# If product@type = 'infrastructure', the child elements are
# 'service'
#
# NOTE(review): 'portage' is not one of the product@type values
# declared above (ebuild | infrastructure | informational); that line
# looks stale. The correlation between product@type and the child
# element kind is documentation only and is not enforced here.
# The pattern (package* | service*) allows either any number of
# package children or any number of service children, but not a mix
# of both; an empty affected element is also valid.
#
affected = element affected { attlist.affected, (package* | service*) }
attlist.affected &= empty
# Element: package
# Description: Provide all necessary information regarded the affected
# packages. It also contains information about the affected
# architectures, if automatic updates can be done and the update
#
# The "update" attribute contains the path to the non-vulnerable
# version of the package
# NOTE(review): no "update" attribute is declared in attlist.package
# below (only name, auto and arch), so a document that uses it will
# fail validation. Either the description is stale or the attribute
# declaration is missing.
#
# The "auto" attribute contains either "yes" or "no" and tells
# Portage that the package can be updated automatically (to be
# implemented) without further user interaction
#
# The "arch" attribute contains either the architecture (as used
# by ACCEPT_KEYWORDS) or the "*" value (in case all
# architectures are affected)
# (both name and arch are unconstrained text; the "*" convention and
# the category/package form of name are not validated)
#
# Occurrence: The package element can occur 0, 1 or more times
# A package may contain vulnerable and unaffected children in any
# order and number, including none at all.
# Example: <package name="dev-libs/openssl" auto="yes" arch="*">
# <vulnerable range="lt">0.9.6k</vulnerable>
# <unaffected range="gt">0.9.6k</unaffected>
# </package>
package =
element package { attlist.package, (vulnerable | unaffected)* }
attlist.package &=
attribute name { text },
attribute auto { "yes" | "no" },
attribute arch { text }
# Element: vulnerable
# Description: Version of the vulnerable package. Can be a range too
# Attribute: @range: mandatory comparison operator applied to the
# version given as content (the r* forms are revision-specific,
# see the unaffected element for an example)
# Attribute: @slot: optional; defaults to "*" via a:defaultValue
# The version string itself is plain text and is not validated.
vulnerable = element vulnerable { attlist.vulnerable, text }
attlist.vulnerable &=
attribute range {
"le" | "lt" | "eq" | "gt" | "ge" | "rlt" | "rle" | "rgt" | "rge"
},
[ a:defaultValue = "*" ] attribute slot { text }?
# Element: unaffected
# Description: Version of the fixed (or unaffected) package. In case the
# package is superseded by another package, you need to
# define that package using the "name" attribute.
#
# The r* range information is revision-specific. For instance,
# rge foo-1.2.3-r4 == >=foo-1.2.3-r4 && <foo-1.2.4
#
# Attributes: @range (mandatory, same value set as vulnerable@range),
# @slot (optional, default "*"), @name (optional, unconstrained text).
#
# Example:
# <unaffected range="gt" name="foobar">2.0.0</unaffected>
unaffected = element unaffected { attlist.unaffected, text }
attlist.unaffected &=
attribute range {
"le" | "lt" | "eq" | "gt" | "ge" | "rlt" | "rle" | "rgt" | "rge"
},
[ a:defaultValue = "*" ] attribute slot { text }?,
attribute name { text }?
# Element: service
# Description: Provide information about the Gentoo services that are
# affected by the security advisory. Portage must be able
# to parse this information to make decisions (for instance,
# ignore an rsync server or a certain distfiles mirror).
#
# The type attribute can be one of "rsync", "web", "mirror".
#
# The fixed attribute (denoting if the problem has been solved)
# can be one of "yes" or "no". If not used, the default value is
# "no".
# NOTE(review): unlike revised@count and vulnerable@slot, no
# a:defaultValue annotation is declared for @fixed, so the "no"
# default must be applied by the consumer rather than the validator.
# The service location in the content is unconstrained text; a
# consumer acting on it (e.g. disabling a mirror) should validate it.
#
# Occurrence: The service element can occur 0, 1 or more times
# Example: <service type="rsync">rsync://rsync.someserver.tld/gentoo-portage</service>
service = element service { attlist.service, text }
attlist.service &=
attribute type { "rsync" | "web" | "mirror" },
attribute fixed { "yes" | "no" }?
# Element: uri
# Description: Link to the organisation involved in releasing the advisory
# Occurrence: The uri element can occur 0, 1 or more times
# @link is optional and unconstrained text: any string, including
# non-http URI schemes, passes validation. Anything that renders it
# as a hyperlink should restrict the accepted schemes itself.
#
# Example: <uri link="http://www.cert.org">CERT</uri>
uri = element uri { attlist.uri, text }
attlist.uri &= attribute link { text }?
# Element: mail
# Description: Mail address of the people involved in releasing the advisory
# Occurrence: The mail element can occur 0, 1 or more times
# @link is mandatory here (contrast uri@link, which is optional) but
# its value is unconstrained text; no address syntax is checked.
#
# Example: <mail link="some@person.com">Some Person</mail>
mail = element mail { attlist.mail, text }
attlist.mail &= attribute link { text }
# Element: p
# Description: Plain text
# Occurrence: The "p" element can occur 0, 1 or more times and can contain
# links or addresses
# Mixed content: text interleaved with mail, uri, b, i and br elements
# in any order. Nested p elements are not allowed.
#
# Example: <p>Please update your system</p>
p = element p { attlist.p, (text | mail | uri | b | i | br)* }
attlist.p &= empty
# Element: code
# Description: The code element contains text that should preserve whitespace
# and is therefore useful for code listings or commands
# Whitespace preservation is a rendering convention; the schema only
# declares text content and permits no attributes (so xml:space
# cannot be used to signal it).
#
# Example: <code>emerge sync</code>
code = element code { attlist.code, text }
attlist.code &= empty
# Element: background
# Description: Provides a background of the affected package(s)/service(s)
# The background element contains only "<p>"s in which the text
# is placed
# NOTE(review): the pattern below also accepts ul and ol children,
# so the "only <p>s" statement is stale.
#
background = element background { attlist.background, (p | ul | ol)* }
attlist.background &= empty
# Element: description
# Description: Provides a description about the security issue
# The description element contains only "<p>"s.
# NOTE(review): the pattern below also accepts ul, ol and code
# children, so the "only <p>s" statement is stale.
description =
element description { attlist.description, (p | ul | ol | code)* }
attlist.description &= empty
# Element: impact
# Description: Provides information about the impact that the security issue
# can have
#
# The "impact" element contains only "<p>"s.
# NOTE(review): ul and ol children are accepted as well.
#
# The type element gives a short term, such as
# "Denial of Service", "Buffer Overflow", ...
# ("type" is a mandatory attribute, not an element; its value is
# free text, so no fixed vocabulary of impact classes is enforced)
#
impact = element impact { attlist.impact, (p | ul | ol)* }
attlist.impact &= attribute type { text }
# Element: workaround
# Description: Provides information about how the security issue can be
# (temporarily) resolved through a work-around
#
# The "workaround" element contains only "<p>"s and "<code>"s.
# NOTE(review): ul and ol children are accepted as well.
workaround =
element workaround { attlist.workaround, (p | code | ul | ol)* }
attlist.workaround &= empty
# Element: resolution
# Description: Provides information about how the security issue can be
# resolved.
#
# The "resolution" element contains only "<p>"s and "<code>"s.
# NOTE(review): ul and ol children are accepted as well. The
# content model is identical to workaround.
resolution =
element resolution { attlist.resolution, (p | code | ul | ol)* }
attlist.resolution &= empty
# Element: references
# Description: Provides links to resources / references available online.
#
# The "reference" element contains only "<uri>"s.
# Zero uri children are permitted, so an advisory with no references
# still validates.
references = element references { attlist.references, uri* }
attlist.references &= empty
# Element: ul
# Description: Add an unnumbered listing; can only contain <li>'s
# (an empty list is valid)
ul = element ul { attlist.ul, li* }
attlist.ul &= empty
# Element: ol
# Description: Add a numbered listing; can only contain <li>'s
# (an empty list is valid)
ol = element ol { attlist.ol, li* }
attlist.ol &= empty
# Element: li
# Description: Element of a listing
# Plain text only: unlike p, an li cannot contain mail, uri, b, i
# or br markup, nor a nested list.
#
# Example: <ul>
# <li>This is element one</li>
# <li>This is a second element</li>
# </ul>
li = element li { attlist.li, text }
attlist.li &= empty
# Element: b
# Description: Bold text (plain text content, no nesting)
#
# Example: <b>this is bold</b>
b = element b { attlist.b, text }
attlist.b &= empty
# Element: i
# Description: Input text (blue)
# Used for text the user is expected to type; the colour is a
# rendering convention, the schema only declares text content.
#
# Example: The user has to type in <i>ls</i> to see.
i = element i { attlist.i, text }
attlist.i &= empty
# Element: br
# Description: hard line break
# NOTE(review): the content model is text rather than empty, so
# <br>some text</br> also validates; this looks like a conversion
# artifact. The documented form <br/> is valid either way, because
# the text pattern matches empty content.
#
# Example: And then: <br/>
# KABLAM!
br = element br { attlist.br, text }
attlist.br &= empty
# Element: license
# Description: Add license information
# NOTE(review): the content pattern is the named pattern EMPTY, which
# this file defines at its end as `EMPTY |= notAllowed`. Unless another
# definition of EMPTY is combined in from elsewhere, the element's
# content becomes notAllowed and a document containing the documented
# <license/> example would fail validation (license? is optional, so
# documents omitting it are unaffected). The RELAX NG keyword `empty`
# is presumably what was intended; this looks like a DTD-to-RNC
# conversion artifact and should be confirmed against a validator.
#
# Example: <license/>
license = element license { attlist.license, EMPTY }
attlist.license &= empty
# Element: metadata
# Description: Metadata information for GLSAMaker
# Attributes: @tag is mandatory; @revision, @author and @timestamp are
# optional. All are unconstrained text (no timestamp format is
# validated).
#
# Example: <metadata tag="approved">Level 1</metadata>
#
# On request of plasmaroo, metadata can contain all elements again.
# The pattern is recursive: metadata may contain text and further
# metadata elements, to any depth.
metadata = element metadata { attlist.metadata, (text | metadata)* }
attlist.metadata &=
attribute tag { text },
attribute revision { text }?,
attribute author { text }?,
attribute timestamp { text }?
# NOTE(review): EMPTY is combined by choice with notAllowed. If this is
# the only definition of EMPTY, it is equivalent to notAllowed and the
# license element above (which uses it) can never validate. Presumably
# a placeholder left by an automated DTD conversion; the keyword
# `empty` is the usual way to express empty content. Confirm before
# changing.
EMPTY |= notAllowed
# Root of a valid document is the glsa element.
start = glsa