Author: nion
Date: 2008-03-28 17:08:08 +0000 (Fri, 28 Mar 2008)
New Revision: 8437
Added:
bin/report-vuln
Modified:
doc/narrative_introduction
Log:
adding report-vuln script
Added: bin/report-vuln
==================================================================
---
bin/report-vuln (rev 0)
+++ bin/report-vuln 2008-03-28 17:08:08 UTC (rev 8437)
@@ -0,0 +1,121 @@
+#!/usr/bin/env python
+#
+# generate bug report content for a given package name
+# and a number of CVE ids
+#
+# you could use it for example in combination with the
+# following shell function:
+# report-vuln(){
+# TMPFILE="$HOME/reportbug.tmp"
+# $HOME/debian/svn/secure-testing/bin/report-vuln "$@" >
$TMPFILE
+# mutt -i $TMPFILE submit at bugs.debian.org
+# rm $TMPFILE
+# }
+
+import sys, re, httplib
+
+def gen_index(ids):
+ ret = ''''
+ for cnt, id in enumerate(ids):
+ ret += ''\n['' + str(cnt) + '']
http://cve.mitre.org/cgi-bin/cvename.cgi?name='' + id +
''\n''
+ ret += '' http://security-tracker.debian.net/tracker/'' +
id
+
+ return ret
+
+# this is a hack that parses the cve id description from mitre
+def get_cve(id):
+ desc = False
+ r = re.compile(''.*<th\ colspan=.*>Description<.*'')
+ tag = re.compile(''.*</?tr>.*'')
+ try:
+ conn = httplib.HTTPConnection(''cve.mitre.org'')
+ conn.request(''GET'',
''/cgi-bin/cvename.cgi?name='' + id)
+ resp = conn.getresponse()
+ ret = ''''
+ except Exception, e:
+ error(''on doing HTTP request'' + str(e))
+
+ for line in resp.read().rsplit(''\n''):
+ if r.match(line):
+ desc = True
+ continue
+
+ if tag.match(line) and desc:
+ continue
+
+ if desc and ''<td colspan="2">'' in line:
+ ret += ''| '' + re.sub(''.*<td
colspan="2">'', '''', line)
+ continue
+
+ if desc and ''</td>'' in line:
+ break
+
+ if desc and line != '''':
+ ret = ret + ''\n| '' + line
+
+ return ret + ''\n''
+
+def gen_text(pkg, cveid):
+ vuln_suff = ''y''
+ cve_suff = ''''
+ time_w = ''was''
+
+ if len(cveid) > 1:
+ cve_suff = ''s''
+ vuln_suff = ''ies''
+ time_w = ''were''
+
+ header = ''''''Package: %s
+Version: FILLINAFFECTEDVERSION
+Severity: FILLINSEVERITY
+Tags: security
+
+Hi,
+the following CVE (Common Vulnerabilities & Exposures) id%s %s
+published for %s.
+
+'''''' % (pkg, cve_suff, time_w, pkg)
+
+ footer = ''''''If you fix the vulnerabilit%s please
also make sure to include the
+CVE id%s in your changelog entry.
+
+For further information see:'''''' % (vuln_suff,
cve_suff)
+
+ print header
+ for cnt, cve in enumerate(cveid):
+ print cve + ''['' + str(cnt) + '']:''
+ print get_cve(cve)
+
+ print footer
+ print gen_index(cveid)
+
+def error(msg):
+ print ''error: '' + msg
+ sys.exit(1)
+
+def usage():
+ print sys.argv[0], ''<pkg> <cve id(s)>''
+ sys.exit(0)
+
+def main():
+ if len(sys.argv) < 3:
+ usage()
+
+ pkg = sys.argv[1]
+ cve = sys.argv[2:]
+
+ # check for valid parameters
+ p = re.compile(''^[a-z].*'')
+ c = re.compile(''(CVE|cve)\-[0-9]{4}-[0-9]{4}'')
+
+ if not p.match(pkg):
+ error(pkg + '' does not seem to be a valid source package
name'')
+
+ for arg in cve:
+ if not c.match(arg):
+ error(arg + '' does not seem to be a valid CVE id'')
+
+ gen_text(pkg, cve)
+
+if __name__ == ''__main__'':
+ main()
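Review bot: The CVE id check in main() uses `c.match(arg)` with a pattern anchored only at the start, so an argument like `CVE-2008-1234 junk` or `CVE-2008-1234&x=y` passes validation and is then concatenated unencoded into the GET path in get_cve() and into the URLs that gen_index() prints. Anchor the pattern end-to-end, e.g. `c = re.compile(r'^CVE-[0-9]{4}-[0-9]{4,}$', re.IGNORECASE)` (the `{4,}` leaves room for ids with a longer sequence part), and pass the id through `urllib.quote()` before building the request path. get_cve() also opens the connection with no timeout (use `socket.setdefaulttimeout()` if the httplib in use lacks a `timeout` argument) and copies whatever the unauthenticated HTTP response contains into the bug-report text by regex-scraping the HTML, so stray tags or entities in a description land in the mail unchanged; a comment such as `# NOTE: description is scraped from an untrusted plain-HTTP response; review before sending` on get_cve() would at least flag that to the user. Finally, `resp.read()` sits outside the try block, so a network failure during the body read surfaces as an uncaught traceback rather than the `error()` message the request itself gets.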
Property changes on: bin/report-vuln
___________________________________________________________________
Name: svn:executable
+ *
Modified: doc/narrative_introduction
==================================================================
---
doc/narrative_introduction 2008-03-28 15:29:29 UTC (rev 8436)
+++ doc/narrative_introduction 2008-03-28 17:08:08 UTC (rev 8437)
@@ -198,6 +198,9 @@
A special exception is made for kernel related issues. The kernel-sec
group will take care of them and file bugs if needed.
+If you wan''t to report a bug, bin/report-vuln might be helpful in
creating
+the bug report.
+
If a vulnerability does not affect Debian, e.g. because the vulnerable
code is not contained, it is marked as <not-affected>: