Joey Hess
2005-Aug-27 17:07 UTC
[Secure-testing-commits] r1672 - / bin data data/CAN data/CVE
Author: joeyh Date: 2005-08-27 17:07:18 +0000 (Sat, 27 Aug 2005) New Revision: 1672 Added: bin/ bin/checklist bin/update bin/updatelist Removed: data/CAN/Makefile data/CVE/Makefile data/Makefile data/checklist data/updatelist Log: Moved programs into bin directory so data can be auto-updated w/o opening any potential holes for committers who lack access to the machine running the update. AKA my paranioa finally caught up to me. Didn''t move DTSA still since it will be rewritten anyway.
Copied: bin/checklist (from rev 1666, data/checklist)
Added: bin/update
==================================================================
--- bin/update 2005-08-27 17:03:52 UTC (rev 1671)
+++ bin/update 2005-08-27 17:07:18 UTC (rev 1672)
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+if [ ! -d CVE ] || [ ! -d CAN ]; then
+ echo "run in data subdirectory" >&2
+ exit 1
+fi
+
+cd CVE
+rm -f full-cve.html
+wget --quiet http://www.cve.mitre.org/cve/downloads/full-cve.html
+../../bin/updatelist full-cve.html ../DSA/list ../DTSA/list list > list.new
+mv -f list.new list
+cd ..
+
+cd CAN
+rm -f full-can.html
+wget --quiet http://www.cve.mitre.org/cve/candidates/downloads/full-can.html
+../../bin/updatelist full-can.html ../DSA/list ../DTSA/list list > list.new
+mv -f list.new list
Property changes on: bin/update ___________________________________________________________________ Name: svn:executable + *
Copied: bin/updatelist (from rev 1666, data/updatelist)
Deleted: data/CAN/Makefile
==================================================================
--- data/CAN/Makefile 2005-08-27 17:03:52 UTC (rev 1671)
+++ data/CAN/Makefile 2005-08-27 17:07:18 UTC (rev 1672)
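Review bot: The guard only verifies that `CVE` and `CAN` exist under the current directory, yet both invocation lines locate the helper relative to that same directory (`../../bin/updatelist`), so which program actually runs depends on where the caller started rather than on where this script lives — the very property the log message says the move into bin/ is meant to give. Resolving it from `$0` removes the dependency: add `bindir=$(cd "$(dirname "$0")" && pwd)` after `set -e` and call `"$bindir/updatelist" full-cve.html ../DSA/list ../DTSA/list list > list.new` (likewise in the CAN block). With `set -e` a failing `updatelist` correctly aborts before the `mv`, but the partial `list.new` it leaves behind is not cleaned up on the next run; extending the existing `rm -f full-cve.html` to `rm -f full-cve.html list.new` (and the CAN counterpart) covers that. Both fetches are plain HTTP with no checksum or signature step, so whatever the network returns is what gets merged into `list`; whether an authenticated source for these files existed at the time is not visible from the hunk.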
@@ -1,5 +0,0 @@
-update:
- rm -f full-can.html
- wget --quiet http://www.cve.mitre.org/cve/candidates/downloads/full-can.html
- ../updatelist full-can.html ../DSA/list ../DTSA/list list > list.new
- mv -f list.new list
Deleted: data/CVE/Makefile
==================================================================
--- data/CVE/Makefile 2005-08-27 17:03:52 UTC (rev 1671)
+++ data/CVE/Makefile 2005-08-27 17:07:18 UTC (rev 1672)
@@ -1,5 +0,0 @@
-update:
- rm -f full-cve.html
- wget --quiet http://www.cve.mitre.org/cve/downloads/full-cve.html
- ../updatelist full-cve.html ../DSA/list ../DTSA/list list > list.new
- mv -f list.new list
Deleted: data/Makefile
==================================================================
--- data/Makefile 2005-08-27 17:03:52 UTC (rev 1671)
+++ data/Makefile 2005-08-27 17:07:18 UTC (rev 1672)
@@ -1,3 +0,0 @@
-update:
- $(MAKE) -C CVE update
- $(MAKE) -C CAN update
Deleted: data/checklist
==================================================================
--- data/checklist 2005-08-27 17:03:52 UTC (rev 1671)
+++ data/checklist 2005-08-27 17:07:18 UTC (rev 1672)
@@ -1,270 +0,0 @@
-#!/usr/bin/perl
-# Must run on a machine with madison.
-#
-# To check for un-updated binary kernel packages, also needs grep-dctrl
-# and a Sources file for the distribution. Set the location of the Sources
-# file in SOURCES_FILE in the environment.
-use URI::Escape;
-use Getopt::Long;
-
-my $html=0;
-my $debug=0;
-my $suite="testing";
-my $output;
-if (! GetOptions(
- "html" => \$html,
- "debug" => \$debug,
- "suite=s" => \$suite,
- "output=s", \$output)
- || ! @ARGV) {
- die "usage: $0 [--suite suite] [--html] [--output=file] [--debug] list ...\n";
-}
-
-if (defined $output) {
- open (OUT, ">$output.tmp.$$") || die "output.tmp.$$: $!";
-}
-else {
- open (OUT, ">&STDOUT");
-}
-
-if ($html) {
- print OUT "<html><title>$suite security issues</title>\n";
- if ($suite ne ''testing'' && $suite ne ''unstable'') {
- print OUT <<"EOF";
-<p>
-<em>Warning:</em> This page is the result of running the testing security
-check script against the $suite distribution. As data is only gathered for
-the testing distribution, results may be innacurate if a package has
-changed its name, if a vulnerability affects $suite and not testing, or if a
-vulnerability has been fixed in $suite by the $suite security team.
-</p>
-EOF
- }
- print OUT "<ul>\n";
-}
-
-
-my %data;
-my %needkernel=qw/2.4.27 0 2.6.11 0/;
-my $list_unknown=1; #set to 1 to display kernel images with unknown source version
-my $sources=$ENV{SOURCES_FILE};
-my $need_rebuild=0;
-
-my @urgencies=("high", "medium", "low", "unknown");
-my %colormap=(
- high => "#FF0000",
- medium => "#FF9999",
- low => "#FFFFFF",
- unknown => "#FFFF00"
-);
-
-my $unprop = my $unprop_all = my $unfixed = my $todos = 0;
-
-sub record {
- my ($package, $condition, $item, $urgency)=@_;
-
- if ($html) {
- $condition=~s{bug #(\d+)}{<a href="http://bugs.debian.org/$1">bug #$1</a>}g;
- $condition=~s{unfixed}{<b>unfixed</b>}g;
- $item=~s#((?:CAN|CVE)-\d+-\d+)#<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=$1">$1</a>#g;
- }
-
- push @{$data{$package}{$condition}}, {item => $item, urgency => $urgency};
-}
-
-foreach my $list (@ARGV) {
- if (-d $list) {
- $list="$list/list";
- }
-
- open (IN, $list) || die "open $list: $!";
- while (<IN>) {
- print STDERR "line: $_" if $debug;
- chomp;
- if (/^\[/) {
- ($id)=m/((?:DSA|DTSA|CAN|CVE)-[^\s]+) /;
- }
- elsif (/^((?:DSA|DTSA|CAN|CVE)-[^\s]+)/) {
- $id=$1;
- }
- elsif (/^\s+[!-]\s+(\S+)\s+(.*?)\s*$/) {
- my $package=$1;
- my $rest=$2;
- my $version;
- my $notes;
- if ($rest=~/([^\(\s]+)\s+\((.*)\)/) {
- $version=$1;
- $notes=$2;
- }
- elsif ($rest=~/\((.*)\)/) {
- $version="";
- $notes=$1;
- }
- else {
- $version=$rest;
- $notes="";
- }
- my @notes=split(/\s*;\s+/, $notes);
-
- my $urgency="unknown";
- foreach my $u (@urgencies) {
- if (grep { $_ eq $u } @notes) {
- $urgency=$u;
- @notes = grep { $_ ne $u } @notes;
- last;
- }
- }
-
- if ($package=~/kernel-source-([0-9.]+)/) {
- my $kernversion=$1;
- if (exists $needkernel{$kernversion} &&
- length $version &&
- system("dpkg --compare-versions $needkernel{$kernversion} lt $version") != 0) {
- $needkernel{$kernversion}=$version;
- }
- }
-
- my @maddy;
- for (1..5) {
- @maddy=`madison -s ''$suite'' ''$package''`;
- if ($? & 127 || ($? >> 8 != 0 && $? >> 8 != 1)) {
- # good old unrelaible newraff,
- # home of our archive..
- next;
- }
- last;
- }
- if ($? & 127) {
- record($package, "<em>[madison segfaulted 5 times in a row.. Medic!]</em>", $id);
- }
- elsif ($? >> 8 != 0 && $? >> 8 != 1) {
- record($package, "<em>[madison exited with ".($? >> 8)."]</em>", $id);
- }
- if (! @maddy) {
- next;
- }
-
- if (grep { $_ eq ''unfixed'' || $_ eq ''pending'' } @notes) {
- record($package, ''(''.join("; ", @notes).'')'', $id, $urgency);
- $unfixed++;
- }
- else {
- foreach my $maddy (@maddy) {
- my @fields = split(/\s*\|\s*/, $maddy);
- my $havver=$fields[1];
- my $arches=$fields[3];
- $version=~s/\s+//; # strip whitespace
- $arches=~s/\s+$//;
- my $cmp=system("dpkg --compare-versions ''$havver'' ''>='' ''$version''");
- if ($cmp != 0) {
- if ($html && $suite eq ''testing'') {
- $havver=''<a href="http://bjorn.haxx.se/debian/testing.pl?package=''.uri_escape($package).''">''.$havver.''</a>'';
- }
- record($package, "$version needed, have $havver".(@maddy > 1 ? " [$arches]" : ""), $id, $urgency);
- $unprop++;
- $unprop_all++ unless @maddy > 1;
- }
- }
- }
- }
- elsif (/\s+TODO/) {
- $todos++;
- }
- }
-}
-
-
-foreach my $package (sort keys %data) {
- foreach my $condition (sort keys %{$data{$package}}) {
- print OUT "<li>" if $html;
- print OUT "$package $condition for ";
- my $items=0;
- foreach my $i (sort @{$data{$package}{$condition}}) {
- print OUT ", " if $items > 0;
-
- if ($html) {
- my $color=$colormap{$i->{urgency}};
- print OUT "<span style=\"background:$color\">";
- }
- print OUT $i->{item};
- if ($html) {
- print OUT "</span>";
- }
-
- $items++;
- }
- print OUT "\n";
- }
-}
-
-foreach my $version (sort keys %needkernel) {
- my %images;
-
- if ($needkern{$version} eq "0") {
- next;
- }
-
- my @dctrl;
- if (defined $sources && length $sources) {
- my $cat=($sources=~/\.gz/) ? "zcat" : "cat";
- @dctrl=`$cat $sources | grep-dctrl -F Binary kernel-image-$version -s Package,Build-Depends -`;
- }
-
- my $package="";
- my $haveversion;
-
- foreach my $line (@dctrl) {
- chomp;
- if ($line=~/Package:\s*(\S+)/) {
- $package=$1;
- $haveversion="0";
- } elsif ($line=~/Build-Depends/) {
- if ($line=~/kernel-tree-$version-([^,\s]+)/) {
- $haveversion="$version-$1";
- } elsif ($line=~/kernel-source-$version\s+\(>?=\s*([^\s\)]+)\)/) {
- $haveversion="$1";
- }
- } else {
- if ($package=~/linux-kernel-di/ || $package eq "") {
- next;
- }
- $images{$package}=$haveversion;
- $package="";
- }
- }
-
- foreach $package (sort keys %images) {
- if ($images{$package} eq "0") {
- print OUT "<li>" if ($html && $list_unknown);
- print OUT "$package built from kernel-source-$version $needkernel{$version} needed, current version unknown\n" if $list_unknown;
- } elsif (!system("dpkg --compare-versions $needkernel{$version} gt $images{$package}")) {
- print OUT "<li>" if $html;
- print OUT "$package built from kernel-source-$version $needkernel{$version} needed, have $images{$package}\n";
- $need_rebuild++;
- }
- }
-
-
-}
-
-
-if ($html) {
- print OUT "</ul>\n";
- print OUT "<hr>\n";
- print OUT "Total holes unfixed: $unfixed<br>\n";
- print OUT "Total holes fixed in unstable but not $suite: $unprop_all";
- if ($unprop_all != $unprop) {
- print OUT " (+".($unprop - $unprop_all)." on some arches)";
- }
- print OUT "<br>\n";
- print OUT "Total number of kernel image packages not up to date: $need_rebuild<br>\n";
- print OUT "Number of TODO lines in <a href=\"http://svn.debian.org/wsvn/secure-testing/data/?rev=0&sc=0\">records</a>: $todos<br>\n";
- print OUT "Maintained by the <a href=\"http://secure-testing.debian.net/\">testing security team</a><br>\n";
- print OUT "Last update: ".`date`."<br>\n";
- print OUT "</html>\n";
-}
-
-close OUT;
-if (defined $output) {
- rename("$output.tmp.$$", $output) || die "rename: $!";
-}
Deleted: data/updatelist
==================================================================
--- data/updatelist 2005-08-27 17:03:52 UTC (rev 1671)
+++ data/updatelist 2005-08-27 17:07:18 UTC (rev 1672)
@@ -1,153 +0,0 @@
-#!/usr/bin/perl
-my $full_can_html=shift;
-my $dsa_list=shift;
-my $dtsa_list=shift;
-my $our_list=shift;
-
-my %cans;
-
-sub read_dsa {
- my $list=shift;
-
- open (DSA, "<$list") || die "$list: $!\n";
- my $dsa;
- while (<DSA>) {
- if (/^\[/) {
- ($dsa)=m/(DT?SA-.*?) /;
- }
- if (/\{(CAN|CVE)/) {
- my ($canlist)=m/\{(.*)\}/;
- foreach my $can (split '' '', $canlist) {
- $can=~s/CVE-/CAN-/g;
- next unless $can=~/^CAN-\d+/;
- $cans{$can}{can}=$can;
- push @{$cans{$can}{dsa}}, $dsa;
- $can=~s/CAN-/CVE-/g;
- $cans{$can}{can}=$can;
- push @{$cans{$can}{dsa}}, $dsa;
- }
- }
- }
- close DSA;
-}
-read_dsa($dsa_list);
-read_dsa($dtsa_list);
-
-my %listedcans;
-
-open (FULL_CAN, "<$full_can_html") || die "$full_can_html: $!\n";
-my $can;
-while (<FULL_CAN>) {
- if (m!<b>(CAN-\d+-\d+)</b>!) {
- $can=$1;
- $cans{$can}{can}=$can;
- $listedcans{$can}=1;
- }
- elsif (m!<b>(CVE-\d+-\d+)</b>!) {
- $can=$1;
- $cans{$can}{can}=$can;
- $listedcans{$can}=1;
- }
- if (m!\*\*\s+RESERVED\s+\*\*!) {
- $cans{$can}{reserved}=1;
-
- }
- if (m!\*\*\s+REJECT\s+\*\*!) {
- $cans{$can}{rejected}=1;
- }
- if (m!Description:\s*</b><br>\s*(.*)! &&
- ! m!\*\*\s+RESERVED\s+\*\*! && ! m!\*\*\s+REJECT\s+\*\*!) {
- $cans{$can}{description}="($1 ...)";
- }
-}
-close FULL_CAN;
-
-my $stopped=0;
-my @out;
-
-sub docan {
- my $can=shift;
-
- push @out, "$can".(length $cans{$can}{description} ? " ".$cans{$can}{description} : "")."\n";
- if ($cans{$can}{reserved}) {
- push @out, "\tNOTE: reserved\n";
- }
- if ($cans{$can}{rejected}) {
- push @out, "\tNOTE: rejected\n";
- }
- if ($cans{$can}{dsa}) {
- push @out, "\t{".join(" ", @{$cans{$can}{dsa}})."}\n";
- }
- if ($cans{$can}{notes}) {
- foreach (@{$cans{$can}{notes}}) {
- push @out, "\t$_\n";
- }
- }
- if (! $cans{$can}{reserved} && ! $cans{$can}{rejected} &&
- ! $cans{$can}{dsa} && ! $cans{$can}{notes} &&
- ! $stopped) {
- push @out, "\tTODO: check\n";
- }
-
- delete $cans{$can};
-}
-
-open (IN, "<$our_list") || die "$our_list: $!\n";
-my $can;
-while (<IN>) {
- chomp;
- if (/^((?:CAN|CVE)-(?:[0-9]+|[A-Z]+)-(?:[0-9]+|[A-Z]+))\s*(.*)/) {
- my $desc=$2;
- docan($can) if $can;
- $can=$1;
- if (length $desc && $desc !~ /^\(.*\)$/ &&
- (! exists $cans{$can}{description} ||
- ! length $cans{$can}{description})) {
- $cans{$can}{description}=$desc;
- }
- }
- elsif (/^\s+NOTE:\s*(reserved|rejected)\s*$/) {
- # skip it
- }
- elsif (/^\s+NOTE: covered by DT?SA.*/) {
- # skip it (old form)
- }
- elsif (/^\s+{DT?SA.*/) {
- # skip
- }
- elsif (/^\s+(.*)/ && $can) {
- push @{$cans{$can}{notes}}, $1;
- }
- elsif (/^STOP/) {
- docan($can) if $can;
- push @out, "$_\n";
- $stopped=1;
- $can='''';
- }
- else {
- docan($can) if $can;
- push @out, "$_\n" if length $_;
- $can='''';
- }
-}
-close IN;
-docan($can) if $can;
-
-foreach my $can (reverse sort { $cans{$a}{can} cmp $cans{$b}{can} } keys %cans) {
- next unless $listedcans{$can};
- print $can.(length $cans{$can}{description} ? " ".$cans{$can}{description} : "")."\n";
- if ($cans{$can}{reserved}) {
- print "\tNOTE: reserved\n";
- }
- if ($cans{$can}{rejected}) {
- print "\tNOTE: rejected\n";
- }
- if ($cans{$can}{dsa}) {
- print "\t{".join(" ", @{$cans{$can}{dsa}})."}\n";
- }
- if (!$cans{$can}{reserved} || $cans{$can}{rejected} || $cans{$can}{dsa}) {
- print "\tTODO: check\n";
- }
-}
-
-print @out;