Failure to recognize a valid Debian version

aboutcode-org / univers

Parse and compare all the package versions and all the ranges. From debian, npm, pypi, ruby and more. Process all the version range specs and expressions. This project is sponsored by an NLnet project https://nlnet.nl/project/vulnerabilitydatabase/ , the Google Summer of Code, nexB and others generous sponsors!

32 stars 10 forks source link

Failure to recognize a valid Debian version #6

Open pombredanne opened 3 years ago

pombredanne commented 3 years ago

>>> from univers.debian import Version
>>> v = Version.from_string("1:1.12_1.12.6-1+deb9u1build0.18.04.1" )
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/pombreda/w421/vulnerablecode/venv/lib/python3.8/site-packages/univers/debian.py", line 130, in from_string
    raise ValueError('Invalid version string: "{}"'.format(version))
ValueError: Invalid version string: "1:1.12_1.12.6-1+deb9u1build0.18.04.1"
>>>

This was found in https://ubuntu.com/security/CVE-2018-1999023 for https://tracker.debian.org/pkg/wesnoth-1.12

pombredanne commented 3 years ago

See some external implementations and pointers:

https://github.com/cfs-pure/debian_version_compare who kindly added an Apache license https://github.com/cfs-pure/debian_version_compare/issues/1
https://github.com/hyperledger/indy-node/blob/ccbd47d411e8678e624d81aed179965a3c982054/indy_node/utils/node_control_utils.py#L56
https://github.com/gopythongo/gopythongo/tree/c3b576931c29488b6df1578c840b458ca9c6ff06/src/py/gopythongo/versioners/parsers which has a bunch of other versions implemented
https://github.com/a4pizza/raptly/blob/master/src/main/python/raptly/debian_version.py
https://github.com/xolox/python-deb-pkg-tools/tree/master/deb_pkg_tools/version
https://github.com/sdumetz/node-deb-version-compare
https://github.com/josch/debversioncomp : "check all the available debian version comparison algorithms for correctness "
https://github.com/mwanner/rust-debian/blob/master/src/version.rs