fedora-security/tools/scripts add-cve-bug, 1.2, 1.3 add-issue, 1.2, 1.3 add-tracking-bugs, 1.2, 1.3 check-updates, 1.2, 1.3 generate-manifest, 1.2, 1.3 get-cve, 1.2, 1.3 package-release, 1.2, 1.3 parse-announce, 1.2, 1.3 suidaudit, 1.2, 1.3 update-cve-cache, 1.2, 1.3
by fedora-security-commits@redhat.com
Author: lkundrak
Update of /cvs/fedora/fedora-security/tools/scripts
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18701/scripts
Modified Files:
add-cve-bug add-issue add-tracking-bugs check-updates
generate-manifest get-cve package-release parse-announce
suidaudit update-cve-cache
Log Message:
Merge from lkundrak-tools-ng
fedora-security/tools/lib/Libexig Audit.pm, 1.2, 1.3 Bodhi.pm, 1.2, 1.3 Bugzilla.pm, 1.2, 1.3 CVE.pm, 1.2, 1.3 Fedora.pm, 1.2, 1.3 Util.pm, 1.2, 1.3
by fedora-security-commits@redhat.com
Author: lkundrak
Update of /cvs/fedora/fedora-security/tools/lib/Libexig
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18701/lib/Libexig
Modified Files:
Audit.pm Bodhi.pm Bugzilla.pm CVE.pm Fedora.pm Util.pm
Log Message:
Merge from lkundrak-tools-ng
fedora-security/tools META.yml, 1.1, 1.2 MANIFEST, 1.2, 1.3
by fedora-security-commits@redhat.com
Author: lkundrak
Update of /cvs/fedora/fedora-security/tools
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18701
Modified Files:
MANIFEST
Added Files:
META.yml
Log Message:
Merge from lkundrak-tools-ng
Index: META.yml
===================================================================
RCS file: META.yml
diff -N META.yml
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ META.yml 14 Jan 2008 16:33:11 -0000 1.2
@@ -0,0 +1,35 @@
+---
+name: fedora-security
+version: 0.9
+author:
+ - 'Lubomir Kundrak <lkundrak(a)redhat.com>'
+abstract: Tools for Fedora Security Response Team use
+license: unknown
+requires:
+ Data::Dumper: 0
+ Exporter: 0
+ Fcntl: 0
+ File::Temp: 0
+ Getopt::Long: 0
+ JSON: 0
+ LWP::Simple: 0
+ RPM2: 0
+ XML::Parser: 0
+ XMLRPC::Lite: 0
+generated_by: Module::Build version 0.2808
+meta-spec:
+ url: http://module-build.sourceforge.net/META-spec-v1.2.html
+ version: 1.2
+provides:
+ Libexig::Audit:
+ file: lib/Libexig/Audit.pm
+ Libexig::Bodhi:
+ file: lib/Libexig/Bodhi.pm
+ Libexig::Bugzilla:
+ file: lib/Libexig/Bugzilla.pm
+ Libexig::CVE:
+ file: lib/Libexig/CVE.pm
+ Libexig::Fedora:
+ file: lib/Libexig/Fedora.pm
+ Libexig::Util:
+ file: lib/Libexig/Util.pm
Index: MANIFEST
===================================================================
RCS file: /cvs/fedora/fedora-security/tools/MANIFEST,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- MANIFEST 14 Jan 2008 16:04:46 -0000 1.2
+++ MANIFEST 14 Jan 2008 16:33:11 -0000 1.3
@@ -4,6 +4,7 @@
lib/Libexig/Bodhi.pm
lib/Libexig/Bugzilla.pm
lib/Libexig/CVE.pm
+lib/Libexig/Fedora.pm
lib/Libexig/Util.pm
MANIFEST This list of files
META.yml
fedora-security/tools META.yml, NONE, 1.1.2.1 MANIFEST, 1.1.2.1, 1.1.2.2
by fedora-security-commits@redhat.com
Author: lkundrak
Update of /cvs/fedora/fedora-security/tools
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18411
Modified Files:
Tag: lkundrak-tools-ng
MANIFEST
Added Files:
Tag: lkundrak-tools-ng
META.yml
Log Message:
Fix package build
--- NEW FILE META.yml ---
---
name: fedora-security
version: 0.9
author:
- 'Lubomir Kundrak <lkundrak(a)redhat.com>'
abstract: Tools for Fedora Security Response Team use
license: unknown
requires:
Data::Dumper: 0
Exporter: 0
Fcntl: 0
File::Temp: 0
Getopt::Long: 0
JSON: 0
LWP::Simple: 0
RPM2: 0
XML::Parser: 0
XMLRPC::Lite: 0
generated_by: Module::Build version 0.2808
meta-spec:
url: http://module-build.sourceforge.net/META-spec-v1.2.html
version: 1.2
provides:
Libexig::Audit:
file: lib/Libexig/Audit.pm
Libexig::Bodhi:
file: lib/Libexig/Bodhi.pm
Libexig::Bugzilla:
file: lib/Libexig/Bugzilla.pm
Libexig::CVE:
file: lib/Libexig/CVE.pm
Libexig::Fedora:
file: lib/Libexig/Fedora.pm
Libexig::Util:
file: lib/Libexig/Util.pm
Index: MANIFEST
===================================================================
RCS file: /cvs/fedora/fedora-security/tools/MANIFEST,v
retrieving revision 1.1.2.1
retrieving revision 1.1.2.2
diff -u -r1.1.2.1 -r1.1.2.2
--- MANIFEST 6 Jan 2008 03:31:52 -0000 1.1.2.1
+++ MANIFEST 14 Jan 2008 16:29:08 -0000 1.1.2.2
@@ -4,6 +4,7 @@
lib/Libexig/Bodhi.pm
lib/Libexig/Bugzilla.pm
lib/Libexig/CVE.pm
+lib/Libexig/Fedora.pm
lib/Libexig/Util.pm
MANIFEST This list of files
META.yml
fedora-security/tools/lib/Libexig Bugzilla.pm, 1.1, 1.2
by fedora-security-commits@redhat.com
Author: lkundrak
Update of /cvs/fedora/fedora-security/tools/lib/Libexig
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17909
Added Files:
Bugzilla.pm
Log Message:
And you? Where did you go?
Index: Bugzilla.pm
===================================================================
RCS file: Bugzilla.pm
diff -N Bugzilla.pm
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ Bugzilla.pm 14 Jan 2008 16:14:48 -0000 1.2
@@ -0,0 +1,243 @@
+# $Id$
+# Bugzilla interface
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+package Libexig::Bugzilla;
+
+use XMLRPC::Lite;
+
+use warnings;
+use strict;
+
+# Instantialize a Bugzilla connection
+sub new
+{
+ my $class = shift;
+ my $self = shift;
+
+ # Login credentials
+ if ($self->{username} and $self->{password}) {
+ $self->{creds} = [$self->{username}, $self->{password}];
+ } else {
+ die 'Need username and password if not dryrun'
+ unless $self->{dryrun};
+ $self->{creds} = [];
+ }
+
+ # XMLRPC endpoint
+ $self->{url} = 'https://bugzilla.redhat.com/xmlrpc.cgi'
+ unless $self->{url};
+
+ $self->{rpc} = new XMLRPC::Lite (
+ proxy => $self->{url},
+ encoding => 'UTF-8',
+ )
+ or die 'Could not create a RPC instnace';
+
+ if ($self->{debug}) {
+ use Data::Dumper;
+ }
+
+ bless $self, $class;
+ return $self;
+}
+
+# Get list of owners of a package from Bugzilla
+sub owners
+{
+ my $self = shift;
+ my $component = shift;
+
+ print STDERR "Getting list of owners\n"
+ if $self->{debug};
+
+ # Call bugzilla
+ my $call = $self->{rpc}->call('bugzilla.getCompInfo', $component);
+ my $result = $call->result
+ or die $call->faultstring;
+ print STDERR Dumper ($result)
+ if $self->{debug};
+
+ # Eliminate duplicates
+ my %people;
+ foreach my $instance (@{$result}) {
+ # blacklist some EOLed products
+ if ($instance->{'product'} eq 'Red Hat Linux'
+ || $instance->{'product'} eq 'Red Hat Linux Beta'
+ || $instance->{'product'} eq 'Red Hat Public Beta'
+ || $instance->{'product'} eq 'Red Hat Raw Hide'
+ || $instance->{'product'} eq 'Fedora Legacy'
+ || $instance->{'product'} eq 'eCos'
+ || $instance->{'product'} eq 'eCos runtime kernel'
+ || $instance->{'product'} =~ /^Red Hat Powertools/
+ || $instance->{'product'} =~ /^Stronghold /) {
+ next;
+ }
+ # XXX: Add also 'initialqa'?
+ $people{$instance->{initialowner}} = 1
+ if defined $instance->{initialowner};
+ }
+
+ return keys %people;
+}
+
+# Create a bug (unless dryrun) and return its ID
+sub file_bug
+{
+ my $self = shift;
+ return 0 if $self->{dryrun};
+
+ print STDERR "Creating a bug\n"
+ if $self->{debug};
+
+ my $call = $self->{rpc}->call('bugzilla.createBug',
+ shift, @{$self->{creds}});
+
+ my $result = $call->result
+ or die $call->faultstring;
+
+ print STDERR 'Bugzilla answered to createBug: '.Dumper($result)
+ if $self->{debug};
+
+ return $result->[0];
+}
+
+# Get bugs
+sub get_bugs
+{
+ my $self = shift;
+ my $bugs = shift or die 'No bugs to fetch!';
+ my $columns = shift;
+ $columns = [] unless ($columns); # The default set
+
+ my $call = $self->{rpc}->call('bugzilla.runQuery', {
+ 'bug_id' => $bugs,
+ 'bug_status' => [],
+ 'column_list' => $columns,
+ }, @{$self->{creds}});
+
+ my $result = $call->result
+ or die $call->faultstring;
+
+ print STDERR 'Bugzilla answered to runQuery: '.Dumper($result)
+ if $self->{debug};
+
+ return $result->{bugs};
+}
+
+# Add blockers (unless dryrun) to a bug
+sub add_blockers
+{
+ my $self = shift;
+ return 0 if $self->{dryrun};
+
+ my $bug = shift or die 'No blocker!';
+ my $parents = shift or die 'No bug to block!';
+
+ my $call = $self->{rpc}->call('bugzilla.updateDepends', $bug, {
+ 'blocked' => $parents,
+ 'action' => 'add',
+ }, @{$self->{creds}}, 1);
+
+ my $result = $call->result
+ or die $call->faultstring;
+
+ print STDERR 'Bugzilla answered to updateDepends: '.Dumper($result)
+ if $self->{debug};
+ return undef;
+}
+
+# Add comment - wrapper around bugzilla addComment XMLRPC method
+#
+# Mandatory arguments:
+# bugid, comment
+# Optional arguments:
+# isprivate, timestamp, worktime, bz_gid, private_in_it, nomail
+sub add_comment
+{
+ my $self = shift;
+
+ my $bug = shift or die 'No bug!';
+ my $comment = shift or die 'No comment!';
+
+ if ($self->{dryrun}) {
+ print STDERR 'Would add following comment to bug: #'.$bug."\n";
+ print STDERR "$comment\n";
+ return 0;
+ }
+
+ my $call = $self->{rpc}->call('bugzilla.addComment', $bug, $comment,
+ @{$self->{creds}}, @_);
+
+ my $result = $call->result
+ or die $call->faultstring;
+
+ print STDERR 'Bugzilla answered to addComment: '.Dumper($result)
+ if $self->{debug};
+ return undef;
+}
+
+# Add private comment to a bug
+#
+# Arguments:
+# bugid, comment
+sub add_private_comment
+{
+ my $self = shift;
+
+ my $bug = shift;
+ my $comment = shift;
+
+ $self->add_comment($bug, $comment, 1);
+}
+
+# Close bug - wrapper around bugzilla closeBug XMLRPC method
+#
+# Mandatory arguments:
+# bugid, resolution
+# Optional arguments:
+# dupeid, fixedin, comment, isprivate, private_in_it, nomail
+sub close_bug
+{
+ my $self = shift;
+
+ my $bug = shift or die 'No bug!';
+ my $resolution = shift or die 'No resolution!';
+
+ if ($self->{dryrun}) {
+ print STDERR 'Would close bug #'.$bug.' as: '.$resolution."\n";
+ return 0;
+ }
+
+ my $call = $self->{rpc}->call('bugzilla.closeBug', $bug, $resolution,
+ @{$self->{creds}}, @_);
+
+ my $result = $call->result
+ or die $call->faultstring;
+
+ print STDERR 'Bugzilla answered to closeBug: '.Dumper($result)
+ if $self->{debug};
+ return undef;
+}
+
+# Close bug with comment
+#
+# Mandatory arguments:
+# bugid, resulution, comment
+# Optional arguments:
+# newfixedin, dupeid
+sub close_bug_with_comment
+{
+ my $self = shift;
+
+ my $bug = shift;
+ my $resolution = shift;
+ my $comment = shift or die 'No comment!';
+
+ my $fixedin = shift;
+ my $dupeid = shift;
+
+ $self->close_bug($bug, $resolution, $dupeid, $fixedin, $comment);
+}
+
+1;
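Review bot: The Bugzilla username and password are sent as positional XML-RPC parameters on every write call (`file_bug`, `get_bugs`, `add_blockers`, `add_comment`, `close_bug`), yet the endpoint can be overridden through `$self->{url}` in `new` with no check that it is an https URL, so a mistyped or test endpoint would ship the password in clear text. A one-line guard after the default is applied covers it: `die "Refusing to send credentials to non-https endpoint $self->{url}" if @{$self->{creds}} and $self->{url} !~ m{^https://}i;`. Whether the server certificate is actually verified depends on the LWP version underneath XMLRPC::Lite (older releases did not verify by default), which is worth confirming on the hosts this runs on. Separately, `use Data::Dumper` inside `if ($self->{debug})` is a compile-time import that is loaded regardless of the flag, so it belongs with the other `use` lines at the top; and the message reads `instnace` rather than `instance`.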
fedora-security/tools add-tracking-bugs, 1.4, NONE
by fedora-security-commits@redhat.com
Author: lkundrak
Update of /cvs/fedora/fedora-security/tools
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17809
Removed Files:
add-tracking-bugs
Log Message:
Go away, you should not exist!
--- add-tracking-bugs DELETED ---
fedora-security/tools/lib/Libexig Audit.pm, 1.1, 1.2 Bodhi.pm, 1.1, 1.2 CVE.pm, 1.1, 1.2 Fedora.pm, 1.1, 1.2 Util.pm, 1.1, 1.2
by fedora-security-commits@redhat.com
Author: lkundrak
Update of /cvs/fedora/fedora-security/tools/lib/Libexig
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17363/lib/Libexig
Added Files:
Audit.pm Bodhi.pm CVE.pm Fedora.pm Util.pm
Log Message:
Merging (hopefully) stable from my branch
Index: Audit.pm
===================================================================
RCS file: Audit.pm
diff -N Audit.pm
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ Audit.pm 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,130 @@
+# $Id$
+# Audit database interface
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+package Libexig::Audit;
+
+use Libexig::Util;
+
+use warnings;
+use strict;
+
+# Get lines from file and parse them
+sub new
+{
+ my $class = shift;
+ my $self = shift;
+
+ # Read standard input unless specified otherwise
+ $self->{file} = '-' unless $self->{file};
+
+ open (AUDIT, $self->{file})
+ or die "Could not open $self->{file}";
+
+ $self->{audit} = [];
+ push @{$self->{audit}}, parse_line ($_) foreach <AUDIT>;
+
+ close (AUDIT);
+
+ bless $self, $class;
+ return $self;
+}
+
+# Add an entry, to the proper place alphabetically
+sub add
+{
+ my $self = shift;
+ my $entry = shift;
+ my $index;
+
+ for ($index = 0; $index <= $#{$self->{audit}}; $index++) {
+ $self->{audit}->[$index]->{cve} or next;
+ $self->{audit}->[$index]->{cve} lt $entry->{cve} and last;
+ };
+
+ update_entry ($entry);
+ use Data::Dumper;
+ parse_line ($entry->{line}); # Check if it is well formed
+ insert ($self->{audit}, $index, $entry);
+}
+
+# Save
+sub save
+{
+ my $self = shift;
+
+ open (AUDIT, '>'.$self->{file})
+ or die "Could not open $self->{file}";
+
+ foreach my $entry (@{$self->{audit}}) {
+ #update_entry ($entry);
+ print AUDIT $entry->{line};
+ }
+
+ close (AUDIT);
+}
+
+# Get an entry hash and reconstruct its 'line' field
+# (useful if something got changed)
+sub update_entry
+{
+ my $entry = shift;
+
+ $entry->{cve} or return;
+ $entry->{line} = join " ", (
+ $entry->{need_verif}.$entry->{cve},
+ $entry->{status},
+ ($entry->{fixed}
+ ? "($entry->{component}, $entry->{fixed})"
+ : "($entry->{component})"),
+ ($entry->{bug}
+ ? "#$entry->{bug}"
+ : ()),
+ ($entry->{since}
+ ? "[since $entry->{since}]"
+ : ()),
+ $entry->{comment}
+ );
+
+ chomp $entry->{line};
+ $entry->{line} .= "\n";
+}
+
+# Get line and return a hash
+sub parse_line
+{
+ $_ = shift;
+ if (/^#/ or /^\s*$/) {
+ return {
+ 'line' => $_,
+ };
+ } elsif (/^
+ (\*?)* # Needs verification
+ (\S+-\S+-\S+)\s* # CVE
+ (\*\*|version|VULNERABLE|ignore|backport|fixed)\s* # Status
+ \(
+ ([^\s,]+)\s* # Component
+ (,\s*(.*))?\s* # When fixed upstream
+ \)\s*
+ (\#(\d+))?\s* # Bugzilla IS
+ (\[since\s+(\S+)\])?\s* # When fixed in Fedora
+ (.*) # Comment
+ /x) {
+ return {
+ need_verif => $1,
+ cve => $2,
+ status => $3,
+ component => $4,
+ fixed => $6,
+ bug => $8,
+ since => $10,
+ comment => $11,
+ line => $_,
+ };
+ next;
+ } else {
+ die "Prase error: $_";
+ }
+}
+
+0.99999;
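Review bot: `parse_line` assigns to the global `$_` (`$_ = shift;`) rather than a lexical, so it clobbers the caller's `$_` — in `new` it is invoked from a `foreach <AUDIT>` statement modifier where `$_` is the loop alias, and in `add` it is invoked as a well-formedness check from arbitrary callers; `local $_ = shift;` (or `my $line = shift;` and matching against `$line`) fixes it. The leading `(\*?)*` in the regex is a repeated optional group, so `$1` (`need_verif`) is not guaranteed to hold the `**` marker when one is present — `(\*\*?)?` captures it as intended — and this is latent today only because `save` writes the original `line` back rather than a reconstruction. The `next;` after `return` is unreachable. Both `open` calls are two-argument: `'-'` for stdin relies on that form, but the write side `open (AUDIT, '>'.$self->{file})` would be safer as `open (my $fh, '>', $self->{file})` once the stdin case is handled explicitly, and the die message should read `Parse error` rather than `Prase error`.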
Index: Bodhi.pm
===================================================================
RCS file: Bodhi.pm
diff -N Bodhi.pm
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ Bodhi.pm 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,107 @@
+# $Id$
+# This is how do we interface with the Fedora Update System
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+package Libexig::Bodhi;
+
+use JSON;
+
+# Convert the text blob from bodhi to a hash,
+# dissect some multipart values
+sub update_to_hashref
+{
+ my @lines = split /\n/, shift;
+ my %retval;
+ my $line;
+ my $name;
+
+ # Rougly process all the fields and header
+
+ while ($line = shift @lines) {
+
+ # Header
+ if ($line eq "=" x 80) {
+ $retval{'_NVR'} = '';
+
+ do {
+ $line = shift @lines;
+ $line =~ /\s+(.*)/ and $retval{'_NVR'} .= $1;
+ } while ($line ne '=' x 80);
+
+ # Additional comment lines do not have leading :
+ # This causes havoc on comments including : character
+ } elsif ($line =~ /^\s*(Comments): (.*)/) {
+ $name = $1; # always 'Comments'
+ $retval{$name} = $2;
+
+ # expect comments until blank line
+ $line = shift @lines;
+ while (defined($line) && $line !~ /^$/) {
+ $line =~ s/^\s*//;
+ $retval{$name} .= "\n$line";
+ $line = shift @lines;
+ }
+
+ # Blah: blah
+ } elsif ($line =~ /\s*([^:]*): (.*)/) {
+ $name = $1 if ($1);
+ if (defined $retval{$name}) {
+ $retval{$name} .= "\n$2";
+ } else {
+ $retval{$name} = $2;
+ }
+
+ # Update URL
+ } elsif ($line =~ /^ (http.*)/) {
+ $retval{'_Update URL'} = "$1";
+ }
+ }
+
+ # Grok bug strings
+
+ if ($retval{'Bugs'}) {
+ my %bugs;
+ my $bug;
+
+ foreach (split /\n/, $retval{'Bugs'}) {
+ if (/(\d+) - (.*)/) {
+ $bug = $1;
+ $bugs{$bug} = $2;
+ } else {
+ #$bugs{$bug} .= " $2";
+ }
+ }
+
+ $retval{'_Bugs'} = \%bugs;
+ }
+
+ # Grok raw NVR list
+
+ my @nvrs = split /,\s*/, $retval{'_NVR'};
+ $retval{'_NVRs'} = \@nvrs;
+
+ # Parsing comments, not yet implemented, of no use for us
+
+ return \%retval;
+}
+
+# Get array of all updates for a package
+sub get_updates
+{
+ my $pkg = shift or die 'No package name supplied';
+ my @retval;
+
+
+ # Get updates
+ $json = `wget --post-data 'package=$pkg&tg_paginate_limit=0' -qO - \\
+ 'https://admin.fedoraproject.org/updates/list?tg_format=json'`;
+ $obj = jsonToObj ($json);
+
+ foreach my $update (@{$obj->{'updates'}}) {
+ push @retval, update_to_hashref ($update);
+ }
+
+ return @retval;
+}
+
+1;
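Review bot: `get_updates` interpolates the package name straight into a backtick shell command (`wget --post-data 'package=$pkg&...'`), so a `$pkg` containing a single quote or other shell metacharacters breaks out of the quoting and runs as shell; the value comes from the caller, presumably a command-line argument, which is not visible here. Validate it before use, `die "Bad package name: $pkg" unless $pkg =~ /^[A-Za-z0-9._+-]+$/;`, or better drop the shell entirely and POST with LWP::UserAgent (the LWP distribution is already a dependency via LWP::Simple), which also removes the reliance on wget's certificate handling for the https call. The file has no `use strict`/`use warnings` (every other module in this commit enables at least one), so `$json` and `$obj` are package globals; `my $json` / `my $obj` fixes that. `jsonToObj` is the pre-2.0 JSON API and may be absent or deprecated on newer JSON modules — worth confirming against the installed version.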
Index: CVE.pm
===================================================================
RCS file: CVE.pm
diff -N CVE.pm
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ CVE.pm 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,123 @@
+# $Id$
+# Get CVE information from NVD and maintain NVD XML file cache
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+package Libexig::CVE;
+
+#use warnings;
+#use strict;
+
+use Exporter 'import';
+use XML::Parser;
+use LWP::Simple;
+
+@EXPORT = qw/cve/;
+
+my $sourcebase = 'http://nvd.nist.gov/download/';
+my $cachebase = $ENV{'HOME'}.'/.nvdcache/';
+
+my $parser = new XML::Parser (
+ 'Style' => 'Tree',
+);
+
+sub get_element
+{
+ my $tree = shift;
+
+ my $tag = shift @{$tree};
+ my $content = shift @{$tree};
+ my $arguments = shift @{$content};
+
+ if ($tag and $content and $arguments) {
+ return [$tag, $content, $arguments];
+ } else {
+ return undef;
+ }
+}
+
+# Gets <desc> element and returns description from 'cve' source
+sub get_desc
+{
+ my $e = shift;
+
+ while (my $e = get_element ($e->[1])) {
+ # <descript>
+ $e->[2]->{'source'} eq 'cve' or next;
+ return $e->[1]->[1];
+ }
+}
+
+# Gets <refs> element and returns array of all url=s of <ref>s
+sub get_refs
+{
+ my $e = shift;
+ my @refs;
+
+ while (my $e = get_element ($e->[1])) {
+ # <ref>
+ push @refs, $e->[2]->{'url'};
+ }
+
+ return @refs;
+}
+
+# Get <entry> and return its description and references
+sub do_entry
+{
+ my $e = shift;
+ my $desc;
+ my @refs;
+
+ $e->[2]->{'type'} eq 'CVE' or die 'Non-CVE entry';
+
+ while (my $e = get_element ($e->[1])) {
+ $desc = get_desc ($e) if $e->[0] eq 'desc';
+ @refs = get_refs ($e) if $e->[0] eq 'refs';
+
+ $desc and @refs and return ($desc, [@refs]);
+ }
+}
+
+# Update file in cache if older than age and return its path
+sub nvdcache
+{
+ my ($file, $age) = @_;
+
+ mkdir $cachebase;
+ system ("mkdir -p '$cachebase'");
+ mirror ($sourcebase.$file, $cachebase.$file)
+ or die ('Failed to update cache');
+ return $cachebase.$file;
+}
+
+# lala
+sub cve
+{
+ my $cve = shift;
+
+ $cve =~ /^CVE-(\d+)-\d+$/ or die "'$cve' does not look like a CVE id";
+ my $year = ($1 > 2002 ? $1 : 2002);
+
+ foreach (
+ # File name => cache update threshold (minutes, XXX: not implemented)
+ # order is important
+ [ 'nvdcve-modified.xml' => 0 ],
+ [ 'nvdcve-recent.xml' => 0 ],
+ [ 'nvdcve-'.$year.'.xml' => 1440 ],
+ ) {
+ my $file = nvdcache (@{$_});
+ my $tree = $parser->parsefile ($file);
+ my $e = get_element ($tree);
+
+ while (my $e = get_element ($e->[1])) {
+ # matching <entry name="$cve">
+ if ($e->[0] eq 'entry' and $e->[2]->{'name'} eq $cve) {
+ return do_entry ($e);
+ }
+ }
+ }
+
+ return undef;
+}
+
+1;
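Review bot: `nvdcache` checks `mirror (...) or die`, but LWP::Simple's `mirror` returns the HTTP status code, so a 404 or 500 is a true value, the die never fires, and the cache file is then parsed stale or missing. Use the status instead: `my $rc = mirror ($sourcebase.$file, $cachebase.$file); die "Failed to update cache ($rc)" unless is_success ($rc) or $rc == RC_NOT_MODIFIED;` (LWP::Simple re-exports the HTTP::Status helpers, so no new import should be needed — confirm on the installed version). The feed is fetched from a plain `http://` base and its description and reference URLs are copied verbatim into Bugzilla bug text by `cve_bug_desc` in Fedora.pm, so an on-path tamperer controls what ends up in the security bug; switch `$sourcebase` to https if NVD serves the feed that way. `mkdir $cachebase;` followed by `system ("mkdir -p '$cachebase'")` is redundant and the second form passes `$HOME` through a shell; a single checked `mkdir` is enough since the parent is the home directory. The `$age` parameter is accepted but ignored, as the XXX in `cve` notes.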
Index: Fedora.pm
===================================================================
RCS file: Fedora.pm
diff -N Fedora.pm
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ Fedora.pm 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,255 @@
+# $Id$
+# Fedora specific routines and constants
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+package Libexig::Fedora;
+
+use warnings;
+use strict;
+
+%Libexig::Fedora::srt_bz_map = (
+ 'critical' => 'urgent',
+ 'important' => 'high',
+ 'moderate' => 'medium',
+ 'low' => 'low',
+);
+
+###
+### Parent bugs from CVE
+###
+
+# Get the text to include in the CVE bug descripiton
+sub cve_bug_desc
+{
+ my $cve = shift;
+ my $desc = shift;
+ my $refs = shift;
+
+ return
+ "Common Vulnerabilities and Exposures assigned an ".
+ "identifier $cve to the following vulnerability:".
+ "\n\n".
+ ($desc ? $desc : '(Please paste the CVE details manually)').
+ "\n\n".
+ "References:\n\n".
+ ($refs ? join ("\n", @{$refs}) : '(References here, one per line)');
+}
+
+# Construct the parent bug
+sub cve_bug
+{
+ my $cve = shift;
+ my $component = shift;
+ my $summary = shift;
+ my $desc = shift;
+ my $impact = shift;
+ my $bugzilla = shift;
+
+ # Get CC list
+ # TODO: get rid of duplicates
+ my @cc;
+ foreach (split (/,/,$component)) {
+ push (@cc,$bugzilla->owners ($_));
+ }
+
+ return (
+ 'bug_file_loc' => "http://nvd.nist.gov/nvd.cfm?cvename=$cve",
+ 'rep_platform' => 'All',
+ 'op_sys' => 'Linux',
+ 'short_desc' => "$cve $summary",
+ 'keywords' => 'Security',
+ 'product' => 'Security Response',
+ 'comment' => $desc,
+ 'component' => 'vulnerability',
+ 'bug_severity' => $Libexig::Fedora::srt_bz_map{$impact},
+ 'priority' => $Libexig::Fedora::srt_bz_map{$impact},
+ 'version' => 'unspecified',
+ 'cc' => join (',', @cc),
+ 'alias' => $cve,
+ );
+}
+
+###
+### Tracking bugs
+###
+
+my $comment_head =
+ 'This is an automatically created tracking bug! '.
+ 'It was created to ensure that one or more security '.
+ 'vulnerabilities are fixed in all affected branches.'.
+ "\n\n".
+ 'You should *not* refer to this bug publicly, as it is a '.
+ 'private "Fedora Project Contributors" bug.'.
+ "\n\n".
+ 'For comments that are specific to the vulnerability please use bugs '.
+ 'filed against "Security Response" product referenced in "Blocks" '.
+ 'field.'.
+ "\n\n";
+
+my $comment_tail =
+ 'For more information see: '.
+ 'http://fedoraproject.org/wiki/Security/TrackingBugs';
+
+my $comment_update =
+ # Following the list of parent bugs
+ "\n".
+ 'When creating an update for the version this this bug is reported '.
+ 'against please include the bug IDs of respective bugs filed '.
+ 'against "Security Response" product as well as of this bug and let the '.
+ 'update system close them. Please '.
+ 'note that the update announcement will (and should) contain only '.
+ 'references to "Security Response" bugs as long as the tracking '.
+ 'bug is restricted to "Fedora Project Contributors".'.
+ "\n\n";
+
+my $comment_rawhide =
+ "\n".
+ 'Please close this bug with RAWHIDE (referencing appropriate N-V-R in '.
+ 'Fixed In field if possible) once is it fixed in devel branch. '.
+ 'Do *not* include the bug id of this bug in the RPM changelog and the '.
+ 'commit message.'.
+ "\n\n";
+
+my %priorities = (
+ 'urgent', => 4,
+ 'high', => 3,
+ 'medium', => 2,
+ 'low' => 1,
+);
+
+# Valid versions
+my %versions = (
+ '6', => '6',
+ 'f6', => '6',
+ 'fc6', => '6',
+ '7', => '7',
+ 'f7', => '7',
+ 'fc7', => '7',
+ '8', => '8',
+ 'f8', => '8',
+ 'fc8', => '8',
+ '9', => 'rawhide',
+ 'f9', => 'rawhide',
+ 'fc9', => 'rawhide',
+ 'devel', => 'rawhide',
+);
+
+sub tracking_bugs
+{
+ my $bugs = shift;
+ my $component = shift;
+ my @versions = @_;
+
+ my @retval;
+
+ # Construct a tracking bug template
+
+ my %bug_tmpl = (
+ 'bug_file_loc' => 'http://fedoraproject.org/wiki/Security/TrackingBugs',
+ 'rep_platform' => 'All',
+ 'op_sys' => 'Linux',
+ 'short_desc' => '',
+ 'keywords' => 'Security',
+ 'product' => 'Fedora',
+ 'component' => $component,
+ 'bug_severity' => 'low',
+ 'priority' => 'low',
+ 'bit-58' => '1', # Fedora Project Contributors
+ );
+
+ my $comment_parents = '';
+
+ foreach my $bug (@{$bugs}) {
+
+ # Take the highest of priorities
+ $bug_tmpl{'bug_severity'} = $bug->{'bug_severity'}
+ if ($priorities{$bug->{'bug_severity'}} > $priorities{$bug_tmpl{'bug_severity'}});
+ $bug_tmpl{'priority'} = $bug->{'priority'}
+ if ($priorities{$bug->{'priority'}} > $priorities{$bug_tmpl{'priority'}});
+
+ # This will be overwriten if we block just one parent bug
+ $bug_tmpl{'short_desc'} .= $bug->{'alias'}.' ';
+
+ # Add the parent bug to the comment
+ $comment_parents .= "\tbug #$bug->{'bug_id'}: $bug->{'short_short_desc'}\n";
+ }
+
+ if (@{$bugs} > 1) {
+ $bug_tmpl{'short_desc'} .= "Multiple $component vulnerabilities";
+ } else {
+ $bug_tmpl{'short_desc'} = $bugs->[0]->{'short_short_desc'};
+ }
+
+ # Create a bug hash for each version
+
+ foreach my $version (@versions) {
+ my %bug = %bug_tmpl;
+ $bug{'short_desc'} .= " [Fedora $versions{$version}]";
+ $bug{'version'} = $versions{$version};
+
+ $bug{'comment'} =
+ $comment_head.
+ $comment_parents.
+ ($bug{'version'} eq 'rawhide' ? $comment_rawhide : $comment_update).
+ $comment_tail;
+
+ push @retval, \%bug;
+ }
+
+ return \@retval;
+}
+
+# file_tracking_bugs
+#
+# Arguments:
+# - ref to list of parent bug ids
+# - ref to list of bugs to file (each element must be hash as expected by BZ)
+# this list is prepared by tracking_bugs
+# - Bugzilla object reference
+# - component
+sub file_tracking_bugs
+{
+ my $parent_bugs = shift;
+ my $tracking_bugs = shift;
+ my $bugzilla = shift;
+ my $component = shift;
+
+ my $comment = "Created Fedora tracking bugs for $component:\n\n";
+
+ foreach my $bug (@{$tracking_bugs}) {
+ use Data::Dumper;
+ my $bug_id = $bugzilla->file_bug ($bug);
+
+ if (!defined($bug_id)) {
+ print STDERR "Error: Bug creation failed! (dryrun mode?)\n";
+ #return undef;
+ }
+
+ ### XXX: Move this somewhere else?
+ if ($bug->{'version'} ne 'rawhide') {
+ my $tr_comment =
+ 'You can eventually use the following link to '.
+ 'create the update request: '."\n".
+ 'https://admin.fedoraproject.org/updates/new/'.
+ '?request=Stable'.
+ '&type=security'.
+ '&release=Fedora%20'.$bug->{'version'}.
+ '&bugs='.$bug_id;
+
+ foreach my $bug (@{$parent_bugs}) {
+ $tr_comment .= ','.$bug;
+ }
+
+ $bugzilla->add_comment ($bug_id, $tr_comment);
+ }
+
+ $bugzilla->add_blockers ($bug_id, $parent_bugs);
+ $comment .= $bug->{'version'}.": bug #$bug_id\n";
+ }
+
+ foreach my $bug (@{$parent_bugs}) {
+ $bugzilla->add_private_comment ($bug, $comment);
+ }
+
+ return $comment;
+}
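Review bot: `tracking_bugs` looks up `$versions{$version}` for every requested version without checking the key exists, so a typo such as `fc10` yields a bug hash with `version => undef` and a summary ending in ` [Fedora ]` that `file_tracking_bugs` then files for real; the validation that would catch this is commented out in `add-tracking-bugs`. Guard it at the top of the per-version loop: `die "Invalid version: $version" unless exists $versions{$version};`. In `file_tracking_bugs` the `if (!defined($bug_id))` check is dead — `Libexig::Bugzilla::file_bug` returns 0 in dry-run mode and dies on a real failure, so `$bug_id` is always defined; `if (!$bug_id)` matches the "(dryrun mode?)" message the branch prints. The `$priorities{...}` comparisons in `tracking_bugs` assume every parent bug carries one of the four known severity/priority strings; any other value compares as undef and silently loses the "highest wins" behaviour.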
Index: Util.pm
===================================================================
RCS file: Util.pm
diff -N Util.pm
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ Util.pm 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,54 @@
+# $Id$
+# Random routines that are shared across the tooling
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+package Libexig::Util;
+
+#use warnings;
+#use strict;
+
+use Exporter 'import';
+use File::Temp ('tempfile');
+
+@EXPORT = qw/edit_string read_noecho insert/;
+
+# Launch an editor for editing the bugzilla comment or whatever
+sub edit_string
+{
+ my $string = shift;
+
+ my ($tmpfh, $tmpname) = tempfile ();
+ print $tmpfh $string;
+ close ($tmpfh);
+ my $editor = ($ENV{'EDITOR'} or 'vi');
+ system ($editor, $tmpname);
+ open ($tmpfh, "<$tmpname");
+ $string = join ('', <$tmpfh>);
+ close ($tmpfh);
+
+ return $string;
+}
+
+# Get password not echoing characters
+sub read_noecho
+{
+ print STDERR @_;
+ system ('stty -echo');
+ my $string = <STDIN>;
+ system ('stty echo');
+ chomp ($string);
+ print STDERR "\n";
+ $string;
+}
+
+# Insert a sub-list into a list
+sub insert
+{
+ my $array = shift;
+ my $index = shift;
+ my @what = @_;
+
+ splice (@{$array}, $index, 0, @what);
+}
+
+1;
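Review bot: `read_noecho` turns terminal echo off with `stty -echo` and only turns it back on if the read completes normally, so a Ctrl-C at the password prompt, or a `die` between the two `system` calls, leaves the user's terminal without echo. Restore it on the interrupt path and notice `stty` failures: `local $SIG{INT} = sub { system ('stty', 'echo'); exit 1 };` before disabling echo, and `system ('stty', '-echo') == 0 or die "stty failed: $?";`. An EOF on STDIN returns undef, so `chomp ($string)` warns and the sub returns undef; check `defined $string` and die with a clear message. In `edit_string` the temporary file holding the (possibly private) bug text is never removed — `tempfile (UNLINK => 1)` or an explicit `unlink $tmpname` after reading closes that — and the re-open ignores failure and would silently return an empty string, so it should be `open ($tmpfh, '<', $tmpname) or die "Could not reopen $tmpname: $!";`.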
fedora-security/tools/scripts add-cve-bug, 1.1, 1.2 add-issue, 1.1, 1.2 add-tracking-bugs, 1.1, 1.2 check-updates, 1.1, 1.2 generate-manifest, 1.1, 1.2 get-cve, 1.1, 1.2 package-release, 1.1, 1.2 parse-announce, 1.1, 1.2 suidaudit, 1.1, 1.2 update-cve-cache, 1.1, 1.2
by fedora-security-commits@redhat.com
Author: lkundrak
Update of /cvs/fedora/fedora-security/tools/scripts
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17363/scripts
Added Files:
add-cve-bug add-issue add-tracking-bugs check-updates
generate-manifest get-cve package-release parse-announce
suidaudit update-cve-cache
Log Message:
Merging (hopefully) stable from my branch
Index: add-cve-bug
===================================================================
RCS file: add-cve-bug
diff -N add-cve-bug
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ add-cve-bug 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,102 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Create a bugzilla from a CVE entry
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+# Typical use:
+#$ ./add-cve-bug \
+# --cve=CVE-2007-4251 \
+# --component=openoffice.org \
+# --summary="OpenOffice crashes upon opening certain files" \
+# --impact=low
+# (Was used to create #251717)
+
+my $usage = 'add-cve-bug [options...]
+ --cve=<cve> CVE ID (mandatory)
+ --username=<username> Bugzilla login (defaults to $LOGNAME(a)redhat.com)
+ --password=<password> Bugzilla passwords (asks for it, if not supplied)
+ --component=<pkg[,<pkg>...] Affected package, to find owner to CC (mandatory)
+ --summary=<summary> Text to follow CVE ID in bugzilla (mandatory)
+ --impact=<impact> Impact: critical, important, moderate, low
+ --interactive Launch editor to edit the description
+ --dryrun Do not write anything, usable with --debug
+ --debug Dump interesting info
+ --help This text
+';
+
+use Getopt::Long;
+use Data::Dumper;
+
+use Libexig::Fedora;
+use Libexig::CVE;
+use Libexig::Bugzilla;
+use Libexig::Util;
+
+use warnings;
+use strict;
+
+# Command line options
+my ($cve, $interactive, $dryrun, $debug,
+ $username, $password, $component, $summary, $impact);
+
+# Parse command line options
+my %options;
+GetOptions(\%options,
+ 'cve=s',
+ 'username=s',
+ 'password=s',
+ 'component=s',
+ 'summary=s',
+ 'impact=s',
+ 'interactive',
+ 'dryrun',
+ 'debug',
+ 'help',
+) or die 'Incorrect arguments. Try --help.';
+
+if ($options{'help'}) {
+ print $usage;
+ exit;
+}
+
+$dryrun = ($options{'dryrun'} or 0);
+$debug = ($options{'debug'} or 0);
+$interactive = ($options{'interactive'} or 0);
+
+$cve = $options{'cve'} or die 'cve argument is mandatory';
+$component = $options{'component'} or die 'component argument is mandatory';
+$summary = $options{'summary'} or die 'summary argument is mandatory';
+$impact = ($options{'impact'} or 'low');
+defined $Libexig::Fedora::srt_bz_map{$impact} or die 'specified unrecognized impact value';
+
+$username = ($options{'username'} or $ENV{'LOGNAME'}.'@redhat.com');
+$password = ($options{'password'} or $dryrun or
+ read_noecho ("Bugzilla password for $username: "));
+ # TODO: add whiteboard option to fill in and get impact from it
+
+# Get CVE details from NVD or user
+
+print "Getting a bug description from CVE\n" if $debug;
+my ($desc, $refs) = cve ($cve);
+
+die 'Cannot fetch CVE description; re-run with --interactive'
+ unless $desc or $interactive;
+
+my $bug_desc = Libexig::Fedora::cve_bug_desc ($cve, $desc, $refs);
+$bug_desc = edit_string ($bug_desc) if $interactive;
+
+# File it in Bugzilla
+
+my $bugzilla = new Libexig::Bugzilla ({
+ 'username' => $username,
+ 'password' => $password,
+ 'dryrun' => $dryrun,
+ 'debug' => $debug,
+});
+
+my %bug = Libexig::Fedora::cve_bug ($cve, $component, $summary, $bug_desc, $impact, $bugzilla);
+print 'About to add this bug: '.Dumper(\%bug) if $debug;
+my $bug_id = $bugzilla->file_bug (\%bug);
+
+print STDERR "Created bug #$bug_id\n";
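Review bot: `--password=<password>` puts the Bugzilla password on the command line, where it is visible to every local user via `ps` and lands in shell history; the no-echo prompt via `read_noecho` already exists, so the option should at least be documented as unsafe in the usage text, or replaced by an environment variable. In dry-run mode `$password` becomes `1` (the `or $dryrun` in the chain) and that value is handed to `Libexig::Bugzilla->new` as the password; it is harmless today because the write paths return early, but `$password = $dryrun ? undef : ($options{'password'} or read_noecho (...))` states the intent. `$ENV{'LOGNAME'}` is used unchecked, so with it unset the default login is the bare string `@redhat.com`; `($ENV{'LOGNAME'} or $ENV{'USER'} or die 'Cannot determine login name')` avoids that. Note that `cve_bug` calls `$bugzilla->owners` even in dry-run mode, so `--dryrun` still talks to Bugzilla (read-only); that is worth saying in the usage text.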
Index: add-issue
===================================================================
RCS file: add-issue
diff -N add-issue
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ add-issue 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,90 @@
+#!/usr/bin/env perl
+
+# $Id$
+# File a bugs for specified versions and add dependencies
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+# XXX: debug, dryrun
+my $usage = 'add-cve-bug [options...]
+ --versions=<ver>[,...] Affected Fedora versions
+ --bugs=<bug>[,...]] Tracking bugs for respective versions
+ --need_verif Needs verification (**)
+ --cve=<cve> CVE name
+ --status=<status> Either "fixed" or "ignore" or implied "VULNERABLE"
+ --component=<pkg> Affected package, to find owner to CC (mandatory)
+ --fixed=<version> "fixed ..." or "not fixed ..."
+ --since=<update> Fedora update or NVR this was fixed in
+ --comment=<comment> Free-form comment string
+';
+
+use Getopt::Long;
+use Libexig::Audit;
+
+use warnings;
+use strict;
+
+my %versions = (
+ '7' => '../audit/fc7',
+ '8' => '../audit/f8',
+ '9' => '../audit/f9',
+);
+
+# Command line options
+my (@versions, @bugs, $need_verif, $cve, $status, $component,
+ $fixed, $since, $comment);
+
+# Parse command line options
+
+my %options;
+GetOptions(\%options,
+ 'versions=s',
+ 'bugs=s',
+ 'need_verif',
+ 'cve=s',
+ 'status=s',
+ 'component=s',
+ 'fixed=s',
+ 'since=s',
+ 'comment=s',
+ 'help',
+) or die 'Incorrect arguments. Try --help.';
+
+if ($options{help}) {
+ print $usage;
+ exit;
+}
+
+@versions = $options{versions}
+ ? split (/,/, $options{versions}) # versions were specified
+ : keys %versions; # all known versions
+
+@bugs = $options{bugs}
+ ? split (/,/, $options{bugs})
+ : ();
+
+$need_verif = ($options{need_verif} ? '**' : '');
+$cve = ($options{cve} or 'GENERIC-MAP-NOMATCH');
+$status = ($options{status} or 'VULNERABLE');
+$component = ($options{component}) or die 'component argument is mandatory';
+$fixed = ($options{fixed} or '');
+$since = ($options{since} or '');
+$comment = ($options{comment} or '');
+
+# Add a line for each version
+
+foreach my $version (@versions) {
+ my $entry = {
+ need_verif => $need_verif,
+ cve => $cve,
+ status => $status,
+ component => $component,
+ fixed => $fixed,
+ bug => shift @bugs,
+ since => $since,
+ comment => $comment,
+ };
+
+ my $audit = new Libexig::Audit ({file => $versions{$version}});
+ $audit->add ($entry);
+ $audit->save;
+}
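Review bot: `--versions` is split and used as keys into `%versions` without validation, so an unknown version gives `file => undef`, which `Libexig::Audit->new` turns into `'-'`: the script then reads the audit list from stdin and `save` writes it to stdout instead of the audit file, without any error. Add `exists $versions{$_} or die "Unknown version: $_" foreach @versions;` right after the split. The usage text names the program `add-cve-bug` (copied from the sibling script) and should read `add-issue [options...]`. `--status` is only checked indirectly by the re-parse in `Libexig::Audit::add`, which dies with a parse error rather than naming the bad option; checking it against the accepted set up front would give a clearer message.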
Index: add-tracking-bugs
===================================================================
RCS file: add-tracking-bugs
diff -N add-tracking-bugs
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ add-tracking-bugs 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,81 @@
+#!/usr/bin/env perl
+
+# $Id$
+# File a bugs for specified versions and add dependencies
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+my $usage = 'add-tracking-bugs [options...]
+ --bugs=<bug>[,...] Parent bugs
+ --versions=<ver>[,...] Affected Fedora versions
+ --component=<pkg> Affected package, to find owner to CC (mandatory)
+ --username=<username> Bugzilla login (defaults to $LOGNAME(a)redhat.com)
+ --password=<password> Bugzilla passwords (asks for it, if not supplied)
+ --dryrun Do not write anything, usable with --debug
+ --debug Dump more or less interesting info
+ --help This text
+';
+
+use XMLRPC::Lite;
+use Getopt::Long;
+use Data::Dumper;
+
+use Libexig::Util;
+use Libexig::Bugzilla;
+use Libexig::Fedora;
+
+use warnings;
+use strict;
+
+# Command line options
+my (@bugs, @versions, $dryrun, $debug,
+ $username, $password, $component);
+
+# Parse command line options:
+
+my %options;
+GetOptions(\%options,
+ 'bugs=s',
+ 'component=s',
+ 'versions=s',
+ 'username=s',
+ 'password=s',
+ 'dryrun',
+ 'debug',
+ 'help',
+) or die 'Incorrect arguments. Try --help.';
+
+if ($options{'help'}) {
+ print $usage;
+ exit;
+}
+
+$options{'bugs'} or die 'bugs argument is mandatory';
+@bugs = split (/,/, $options{'bugs'});
+
+$options{'versions'} or die 'versions argument is mandatory';
+@versions = split (/,/, $options{'versions'});
+#XXX
+##$versions{$_} or die "Invalid version: $_" foreach (@versions);
+
+$component = $options{'component'} or die 'component argument is mandatory';
+$dryrun = ($options{'dryrun'} or 0);
+$debug = ($options{'debug'} or 0);
+$username = ($options{'username'} or $ENV{'LOGNAME'}.'@redhat.com');
+$password = ($options{'password'} or read_noecho ("Bugzilla password for $username: "))
+ unless $dryrun;
+
+
+my $bugzilla = new Libexig::Bugzilla ({
+ 'username' => $username,
+ 'password' => $password,
+ 'dryrun' => $dryrun,
+ 'debug' => $debug,
+});
+
+# All the work (not the one that makes Jack a dull boy)
+my $parent_bugs = $bugzilla->get_bugs (\@bugs,
+ ['alias','keywords','priority','bug_id', 'bug_severity', 'short_short_desc']);
+my $tracking_bugs = Libexig::Fedora::tracking_bugs ($parent_bugs, $component, @versions);
+
+print STDERR Libexig::Fedora::file_tracking_bugs (\@bugs, $tracking_bugs, $bugzilla, $component);
+
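Review bot: `--password=<password>` (usage line L1379, option L1408, consumed at L1431) takes the Bugzilla password on the command line, where it is visible to every local user via `ps` and lands in the operator's shell history; the `read_noecho` prompt is the safe path, so the option should at least say so, e.g. `--password=<password> Bugzilla password (prompted for if omitted; passing it here exposes it to ps and shell history)`. A password file or environment variable would be the better option if non-interactive use is needed. `$ENV{'LOGNAME'}` at L1430 is also used unchecked, so with LOGNAME unset the default login silently becomes `@redhat.com`; `defined $ENV{LOGNAME} or die 'LOGNAME unset; pass --username'` before it would make that an error rather than a failed login.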
Index: check-updates
===================================================================
RCS file: check-updates
diff -N check-updates
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ check-updates 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,32 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Dump what's VULNERABLE, but been subject to an update
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+#use warnings;
+use strict;
+
+use Libexig::Audit;
+use Libexig::Bodhi;
+
+# Parse the audit file
+my $audit = new Libexig::Audit ({file => $ARGV[0]});
+
+foreach my $entry (@{$audit->{audit}}) {
+ $entry->{'status'} eq 'VULNERABLE' or next;
+
+ # See if the VULNERABLE bug was referenced by an update
+ foreach my $u (Libexig::Bodhi::get_updates ($entry->{component})) {
+ $u->{'_Bugs'}->{$entry->{bug}} or next;
+
+ # Modify the line accordingly
+ $entry->{since} = $u->{'Update ID'};
+ $u->{'Status'} eq 'stable' and $entry->{status} = 'fixed';
+ Libexig::Audit::update_entry ($entry);
+
+ last;
+ };
+}
+
+$audit->save;
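Review bot: `$ARGV[0]` at L1469 is handed to Libexig::Audit with no check, so running the script without an argument opens an undefined file name, and with `#use warnings` commented out at L1462 that mistake produces no diagnostic at all. Add `@ARGV == 1 or die 'Usage: check-updates <audit-file>';` before L1469 and re-enable `use warnings`. Note also that the `last` at L1483 accepts the first update referencing the bug: if a non-stable update precedes the stable one in the list returned by `get_updates` (its ordering is not visible here), the entry keeps status VULNERABLE with `since` pointing at the earlier update.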
Index: generate-manifest
===================================================================
RCS file: generate-manifest
diff -N generate-manifest
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ generate-manifest 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# $Id$
+# List generate list of latest versions of all packages in a brew tag
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+if [ -z "$KOJI" ]
+then
+ KOJI="koji"
+fi
+
+if [ -z "$@" ]
+then
+ export TAGS="
+ dist-fc7-updates
+ dist-f8-updates
+ dist-f9-build
+ "
+else
+ export TAGS="$@"
+fi
+
+for TAG in $TAGS
+do
+ echo -n "Generating manifest for $TAG..."
+ "$KOJI" list-tagged --inherit --latest "$TAG" >"$TAG"
+ echo " done"
+done
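Review bot: `[ -z "$@" ]` at L1506 is only correct for zero or one argument; with two or more tags it expands to `[ -z tag1 tag2 ]`, which `test` rejects with a syntax error and the else branch is reached only because a non-zero status happens to fall through. Use `if [ $# -eq 0 ]` instead. `echo -n` at L1519 is not portable under `#!/bin/sh` (`printf '%s' "Generating manifest for $TAG..."` is), and `>"$TAG"` at L1520 writes to a path taken verbatim from the argument, so a tag containing `/` lands outside the current directory; worth a comment if that is accepted.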
Index: get-cve
===================================================================
RCS file: get-cve
diff -N get-cve
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ get-cve 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,18 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Get CVE information from NVD
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+
+use warnings;
+use strict;
+
+use Libexig::CVE;
+use Data::Dumper;
+
+@ARGV or die 'Usage: get-cve <cve> [...]';
+
+foreach my $cve (@ARGV) {
+ print Dumper ($cve, Libexig::CVE::cve ($cve));
+}
Index: package-release
===================================================================
RCS file: package-release
diff -N package-release
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ package-release 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,96 @@
+#!/usr/bin/perl -w
+
+# $Id$
+
+# Script for querying which release we ship a package in, and what the
+# version of said package is.
+#
+# This script was originally writeen by Jason L Tibbitts III
+
+# TODO: Use getopt (add options at that time)
+# TODO: Allow for fuzzy matching (partial searching)
+
+use LWP::Simple;
+use Net::FTP;
+use strict;
+
+# Global variables
+my ($owner_file, $mirror_host, $mirror_path, @releases);
+
+
+$owner_file='http://cvs.fedora.redhat.com/viewcvs/*checkout*/owners/owners.list?root=e...';
+$mirror_host='download.fedora.redhat.com';
+$mirror_path='/pub/fedora/linux/releases/%s/Everything/source/SRPMS';
+@releases=qw( 7 );
+
+sub get_owner_content {
+ my $match = pop;
+
+ my ($distro, $package, $desc, $owner, $qa, $cc);
+
+ my %owner;
+
+ my $owner_content = get($owner_file)
+ or die "Couldn't get $owner_file";
+
+ foreach (split(/\n/, $owner_content)) {
+ next if /^#/;
+ chomp;
+
+ ($distro, $package, $desc, $owner, $qa, $cc) = split(/\|/, $_);
+
+ next if ( $package !~ m/$match/i);
+
+ $owner{$package} = {};
+ $owner{$package}->{'product'} = $distro;
+ $owner{$package}->{'package'} = $package;
+ $owner{$package}->{'description'} = $desc;
+ $owner{$package}->{'owner'} = $owner;
+ $owner{$package}->{'qacontact'} = $qa;
+ $owner{$package}->{'cclist'} = $cc;
+ }
+
+ return %owner;
+
+}
+
+my $package = $ARGV[0];
+
+my %owner = get_owner_content($package);
+
+if (!keys(%owner) or $package eq '') {
+ print "Could not find package \"$package\" in $owner_file\n";
+ exit 1;
+}
+
+foreach (keys(%owner)) {
+print "Found package $_ in owners.list:\n";
+}
+
+my $ftp = Net::FTP->new($mirror_host, Debug => 0)
+ or die "Cannot connect to $mirror_host: $@";
+$ftp->login("anonymous",'-anonymous@')
+ or die "Cannot login ", $ftp->message;
+
+
+foreach my $release (@releases) {
+ my ($f, $dir, $files, $rev, $ver, $name);
+
+ $dir = sprintf($mirror_path, $release);
+ $release eq "development" && ($release = "dev");
+ $files = $ftp->ls($dir)
+ or die "Cannot list directory ", $ftp->message;
+
+ foreach my $f (@$files) {
+ chomp($f);
+ $f =~ s/$dir\///;
+ next unless $f =~ /^(.*$package.*)-([^\-]*)-([^\-]*)\.src\.rpm$/i;
+ $name = $1;
+ $ver = $2;
+ $rev = $3;
+
+ print " $release\t$name\t$ver\t$rev\t$f\n";
+ }
+}
+
+$ftp->quit;
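Review bot: `$package` comes straight from `$ARGV[0]` (L1611) and is interpolated unescaped into regexes at L1596 and L1641, so an argument containing metacharacters such as `(`, `*` or `+` either dies with a regex compile error or matches far more than intended; `$dir` at L1640 is interpolated the same way. Use `\Q$match\E` at L1596, `\Q$dir\E` at L1640 and `\Q$package\E` at L1641 (the TODO at L1565 about fuzzy matching should then be implemented deliberately rather than by accident). The empty-argument check at L1615 runs after `get_owner_content` has already matched every package against an empty pattern, and an absent `$ARGV[0]` reaches the regex as undef first; moving the check ahead of L1613 as `defined $package and length $package or die "Usage: package-release <package>"` fixes both. The owners list and SRPMs are fetched over plain HTTP (L1575) and anonymous FTP (L1624), so the output is informational only and should not be relied on for integrity decisions.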
Index: parse-announce
===================================================================
RCS file: parse-announce
diff -N parse-announce
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ parse-announce 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,99 @@
+#!/usr/bin/perl -w
+
+# $Id$
+
+use strict;
+use Mail::Mbox::MessageParser;
+use Email::Simple;
+
+die "\nUsage: parse-announce mbox-file audit-file\n\n" if not defined($ARGV[1]);
+
+my $mbox_filename = $ARGV[0];
+my $audit_filename = $ARGV[1];
+my (@file, %cve_id, $audit_version);
+
+$ARGV[1] =~ /(\d+)$/;
+$audit_version = $1;
+
+# Suck in the audit file
+open(FH, $ARGV[1]);
+while (<FH>) {
+ my ($temp_cve, $temp_text, $temp_line, $temp_package);
+ chomp;
+ $temp_line = $_;
+ push @file, $temp_line;
+
+ if ($temp_line =~ /^(CVE-\d{4}-\d{4}) (.*)/) {
+ $temp_cve = $1;
+ $temp_text = $2;
+ if ($temp_text =~ /\(([\w\-\_\.]+)[\,\)]/) {
+ $temp_package = $1;
+ } elsif ($temp_text =~ /\*\* (\w+)/) {
+ $temp_package = $1;
+ } else {
+ die "Couldn't determine the package name from the audit file";
+ }
+
+ $cve_id{$temp_cve} = {} if not $cve_id{$temp_cve};
+ $cve_id{$temp_cve}->{$temp_package} = [$#file, $temp_line];
+ }
+}
+
+close(FH);
+
+my $folder_reader = new Mail::Mbox::MessageParser({
+ 'file_name' => $mbox_filename,
+ 'enable_cache' => 0,
+});
+
+die $folder_reader unless ref $folder_reader;
+
+while (!$folder_reader->end_of_file()) {
+ my (@cves, $errata_id, $temp_cve);
+ my ($product, $package);
+
+
+ my $email = $folder_reader->read_next_email();
+ my $mail = Email::Simple->new($$email);
+ my $subject = $mail->header('Subject');
+ my $body = $mail->body;
+
+ if ($body =~ m/Product\s*:\s+Fedora Core (\d+)/) {
+ $product = $1;
+ } else {
+ # Add support for fedora extras here
+ warn "Product name couldn't be found";
+ next;
+ }
+
+ if ($body =~ m/Name\s*:\s+(\w+)/) {
+ $package = $1;
+ } else {
+ warn "Package Name couldn't be found";
+ next;
+ }
+
+ if ($body =~ m/(FEDORA-\d{4}-\d+)/) {
+ $errata_id = $1;
+ } else {
+ warn "Errata ID couldn't be found";
+ next;
+ }
+
+ while ($body =~ m/(CVE-\d{4}-\d{4})/g) {
+ if ($cve_id{$1}) {
+ if ($cve_id{$1}->{$package} and $product eq $audit_version) {
+ $cve_id{$1}->{$package}->[1] .= "[since $errata_id]";
+ my $file_line = $cve_id{$1}->{$package}->[0];
+ next if $file[$file_line] =~ /\[since FEDORA/;
+ $file[$file_line] = $file[$file_line] . " [since $errata_id]"
+ }
+ } else {
+ print "$1 **FIXME** ($package) [since $errata_id]\n";
+ }
+ }
+}
+
+foreach (@file) {
+ print $_, "\n";
+}
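Review bot: `open(FH, $ARGV[1])` at L1676 is a two-argument open on a user-supplied path with no error check: a name beginning with `>` or ending in `|` is interpreted as a mode or a command, and a missing file silently yields an empty audit that is then printed back at L1754. Change it to `open(my $fh, '<', $audit_filename) or die "open $audit_filename: $!";` and read from `<$fh>`, closing with `close($fh)`. `$1` at L1673 is also unchecked: if the match at L1672 fails, `$audit_version` stays undef and every `$product eq $audit_version` comparison at L1742 is false, so no entry is ever updated; `$audit_filename =~ /(\d+)$/ or die "cannot derive Fedora version from $audit_filename";` makes the file-name convention explicit.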
Index: suidaudit
===================================================================
RCS file: suidaudit
diff -N suidaudit
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ suidaudit 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,47 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Audit RPM files for setuid and setgid files
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+use strict;
+use warnings;
+
+use RPM2;
+use Fcntl ':mode';
+
+foreach my $rpm (@ARGV) {
+
+ my $hdr = RPM2->open_package ($rpm)
+ or die $!;
+
+ my $pkgname = $hdr->tag('Name');
+
+ my $name; my @names = $hdr->tag('BASENAMES');
+ my $mode; my @modes = $hdr->tag('FILEMODES');
+ my $class; my @classes = $hdr->tag('FILECLASS');
+ my $dirindex; my @dirindexes = $hdr->tag('DIRINDEXES');
+ my $username; my @usernames = $hdr->tag('FILEUSERNAME');
+ my $groupname; my @groupnames = $hdr->tag('FILEGROUPNAME');
+
+ my @classdict = $hdr->tag('CLASSDICT');
+ my @dirnames = $hdr->tag('DIRNAMES');
+
+ while (
+ $mode = shift @modes,
+ $username = shift @usernames,
+ $groupname = shift @groupnames,
+ $class = shift @classes,
+ $dirindex = shift @dirindexes,
+ $name = shift @names
+ ) {
+ if ($mode & S_IFREG and $mode & (S_ISUID | S_ISGID)) {
+ printf "%-25s %06o %8s:%-8s %-30s %-.50s...\n",
+ $pkgname, $mode,
+ (($mode & S_ISUID) ? $username : '-'),
+ (($mode & S_ISGID) ? $groupname : '-'),
+ $dirnames[$dirindex].$name,
+ $classdict[$class];
+ }
+ }
+}
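Review bot: `$mode & S_IFREG` at L1801 is a bitmask test on the file-type field, which is not a bit field: S_IFREG is 0100000 and the symlink (0120000) and socket (0140000) types include that bit, so such entries pass the "regular file" check as well. Use the predicate that `Fcntl ':mode'` (L1774) already provides: `if (S_ISREG($mode) and $mode & (S_ISUID | S_ISGID)) {`. Setgid directories are excluded by this test, which is a deliberate choice worth recording in the header comment, e.g. `# Only regular files are reported; setgid directories are ignored.`. `or die $!` at L1779 assumes RPM2 sets `$!` on failure, which is not visible here; `or die "cannot open $rpm: $!"` at least names the failing package.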
Index: update-cve-cache
===================================================================
RCS file: update-cve-cache
diff -N update-cve-cache
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ update-cve-cache 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,14 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Generate CVE cache so that tools utilizing Libexig::CVE run smoothly
+# Lubomir Kundrak <lkundrak(a)redhat.com>
+
+use warnings;
+use strict;
+
+use Libexig::CVE;
+
+#Libexig::CVE::nvdcache ('nvdcve-modified.xml');
+#Libexig::CVE::nvdcache ('nvdcve-recent.xml');
+Libexig::CVE::nvdcache ('nvdcve-'.$_.'.xml') foreach (2002..`date +%Y`);
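Review bot: `` `date +%Y` `` at L1831 spawns a shell (and depends on `PATH`) for a value Perl already has, and its output carries a trailing newline that only works as a range endpoint because Perl's numeric check tolerates trailing whitespace. Replace it with `Libexig::CVE::nvdcache ('nvdcve-'.$_.'.xml') foreach (2002 .. (localtime)[5] + 1900);`. The start year 2002 is an assumption about which per-year NVD feeds exist; a comment such as `# NVD publishes per-year feeds starting with 2002` would record why it is hard-coded.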
fedora-security/tools Build.PL, 1.1, 1.2 MANIFEST, 1.1, 1.2 MANIFEST.SKIP, 1.1, 1.2 fedora-security.spec, 1.1, 1.2 generate-manifest, 1.4, NONE get-cve, 1.1, NONE package-release, 1.4, NONE parse-announce, 1.1, NONE suidaudit, 1.1, NONE
by fedora-security-commits@redhat.com
Author: lkundrak
Update of /cvs/fedora/fedora-security/tools
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17363
Added Files:
Build.PL MANIFEST MANIFEST.SKIP fedora-security.spec
Removed Files:
generate-manifest get-cve package-release parse-announce
suidaudit
Log Message:
Merging (hopefully) stable from my branch
Index: Build.PL
===================================================================
RCS file: Build.PL
diff -N Build.PL
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ Build.PL 14 Jan 2008 16:04:46 -0000 1.2
@@ -0,0 +1,25 @@
+#!/usr/bin/env perl
+
+use Module::Build;
+
+Module::Build->new (
+ module_name => 'fedora-security',
+ dist_version => '0.9',
+ dist_abstract => 'Tools for Fedora Security Response Team use',
+ dist_author => 'Lubomir Kundrak <lkundrak(a)redhat.com>',
+ script_files => 'scripts',
+ requires => {
+ 'Data::Dumper' => 0,
+ 'Exporter' => 0,
+ 'Fcntl' => 0,
+ 'File::Temp' => 0,
+ 'Getopt::Long' => 0,
+ 'JSON' => 0,
+ 'LWP::Simple' => 0,
+ 'RPM2' => 0,
+ 'XML::Parser' => 0,
+ 'XMLRPC::Lite' => 0,
+ },
+)->create_build_script;
+
+
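Review bot: `requires` at L1862-1873 omits Mail::Mbox::MessageParser and Email::Simple (used by parse-announce at L1663-1664) and Net::FTP (package-release at L1568), so an install driven by this Build.PL will not tell the installer that those scripts need them. Either list them, or state in a comment that they are deliberately optional, e.g. `# parse-announce and package-release additionally need Mail::Mbox::MessageParser, Email::Simple and Net::FTP`. The file also lacks the `use strict; use warnings;` the other scripts carry.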
Index: MANIFEST
===================================================================
RCS file: MANIFEST
diff -N MANIFEST
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ MANIFEST 14 Jan 2008 16:04:46 -0000 1.2
@@ -0,0 +1,19 @@
+Build.PL
+fedora-security.spec
+lib/Libexig/Audit.pm
+lib/Libexig/Bodhi.pm
+lib/Libexig/Bugzilla.pm
+lib/Libexig/CVE.pm
+lib/Libexig/Util.pm
+MANIFEST This list of files
+META.yml
+scripts/add-cve-bug
+scripts/add-issue
+scripts/add-tracking-bugs
+scripts/check-updates
+scripts/generate-manifest
+scripts/get-cve
+scripts/package-release
+scripts/parse-announce
+scripts/suidaudit
+scripts/update-cve-cache
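Review bot: lib/Libexig/Fedora.pm is missing from the library list at L1886-1890 while add-tracking-bugs loads it (`use Libexig::Fedora;` at L1391), so a distribution built from this MANIFEST ships a script that cannot run. Add the line `lib/Libexig/Fedora.pm` after `lib/Libexig/CVE.pm`.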
Index: MANIFEST.SKIP
===================================================================
RCS file: MANIFEST.SKIP
diff -N MANIFEST.SKIP
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ MANIFEST.SKIP 14 Jan 2008 16:04:46 -0000 1.2
@@ -0,0 +1,39 @@
+# Avoid version control files.
+\bRCS\b
+\bCVS\b
+,v$
+\B\.svn\b
+\B\.cvsignore$
+
+# Avoid Makemaker generated and utility files.
+\bMakefile$
+\bblib
+\bMakeMaker-\d
+\bpm_to_blib$
+\bblibdirs$
+^MANIFEST\.SKIP$
+
+# Avoid Module::Build generated and utility files.
+\bBuild$
+\bBuild.bat$
+\b_build
+
+# Avoid Devel::Cover generated files
+\bcover_db
+
+# Avoid temp and backup files.
+~$
+\.tmp$
+\.old$
+\.bak$
+\#$
+\.#
+\.rej$
+
+# Avoid OS-specific files/dirs
+# Mac OSX metadata
+\B\.DS_Store
+# Mac OSX SMB mount metadata files
+\B\._
+# Avoid archives of this distribution
+\bfedora-security-[\d\.\_]+
Index: fedora-security.spec
===================================================================
RCS file: fedora-security.spec
diff -N fedora-security.spec
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ fedora-security.spec 14 Jan 2008 16:04:46 -0000 1.2
@@ -0,0 +1,61 @@
+Name: fedora-security
+Version: 0.9
+Release: 2%{?dist}
+Summary: Tools for Fedora Security Response Team use
+
+Group: Development/Libraries
+License: GPLv2
+URL: http://people.redhat.com/~lkundrak/fedora-security/
+Source0: http://people.redhat.com/~lkundrak/fedora-security/%{name}-%{version}.tar.gz
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildArch: noarch
+BuildRequires: perl(Module::Build)
+Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+
+%description
+Tools for Fedora Security Response Team use
+
+
+%prep
+%setup -q
+
+# Filter unwanted Requires:
+cat << \EOF > %{name}-req
+#!/bin/sh
+%{__perl_requires} $* |\
+ sed -e '/perl(Email::Simple)/d' |\
+ sed -e '/perl(Mail::Mbox::MessageParser)/d' |\
+ sed -e '/perl(Net::FTP)/d'
+EOF
+
+%define __perl_requires %{_builddir}/%{name}-%{version}/%{name}-req
+chmod +x %{__perl_requires}
+
+
+%build
+%{__perl} Build.PL --installdirs vendor
+./Build
+
+
+%install
+rm -rf $RPM_BUILD_ROOT
+./Build install --destdir $RPM_BUILD_ROOT
+find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} ';'
+find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null ';'
+chmod -R u+w $RPM_BUILD_ROOT/*
+
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+
+%files
+%defattr(-,root,root,-)
+%{_bindir}/*
+%{perl_vendorlib}/*
+
+
+%changelog
+* Sun Jan 06 2008 Lubomir Kundrak <lkundrak(a)redhat.com> 0.9-1
+- Initial packaging attempt
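Review bot: the `__perl_requires` filter at L1978-1988 drops perl(Email::Simple), perl(Mail::Mbox::MessageParser) and perl(Net::FTP), which are real runtime dependencies of parse-announce and package-release (installed under %{_bindir} by L2010), so the resulting package installs scripts that fail on a system without those modules; the reason for filtering is not stated and should be, e.g. `# Only parse-announce and package-release need these; filtered because they are not packaged (TODO: revisit)`. In the generated helper, `$*` at L1981 should be `"$@"` so arguments containing spaces survive. `Release: 2` at L1958 also does not match the only changelog entry, 0.9-1 at L2015; add the 0.9-2 entry or reset the release.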
--- generate-manifest DELETED ---
--- get-cve DELETED ---
--- package-release DELETED ---
--- parse-announce DELETED ---
--- suidaudit DELETED ---
fedora-security/tools/scripts add-tracking-bugs, 1.1.2.4, 1.1.2.5
by fedora-security-commits@redhat.com
Author: thoger
Update of /cvs/fedora/fedora-security/tools/scripts
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23159/tools/scripts
Modified Files:
Tag: lkundrak-tools-ng
add-tracking-bugs
Log Message:
an attempt to unscrew add-tracking-bugs
Index: add-tracking-bugs
===================================================================
RCS file: /cvs/fedora/fedora-security/tools/scripts/Attic/add-tracking-bugs,v
retrieving revision 1.1.2.4
retrieving revision 1.1.2.5
diff -u -r1.1.2.4 -r1.1.2.5
--- add-tracking-bugs 10 Jan 2008 18:01:25 -0000 1.1.2.4
+++ add-tracking-bugs 14 Jan 2008 13:52:05 -0000 1.1.2.5
@@ -64,7 +64,6 @@
$password = ($options{'password'} or read_noecho ("Bugzilla password for $username: "))
unless $dryrun;
-$dryrun = 1;
my $bugzilla = new Libexig::Bugzilla ({
'username' => $username,
@@ -74,7 +73,9 @@
});
# All the work (not the one that makes Jack a dull boy)
-
-my $parent_bugs = $bugzilla->get_bugs (\@bugs, ['alias','keywords','priority','bug_id', 'bug_severity', 'short_short_desc']);
+my $parent_bugs = $bugzilla->get_bugs (\@bugs,
+ ['alias','keywords','priority','bug_id', 'bug_severity', 'short_short_desc']);
my $tracking_bugs = Libexig::Fedora::tracking_bugs ($parent_bugs, $component, @versions);
-print STDERR Libexig::Fedora::file_tracking_bugs ($parent_bugs, $tracking_bugs, $bugzilla, $component);
+
+print STDERR Libexig::Fedora::file_tracking_bugs (\@bugs, $tracking_bugs, $bugzilla, $component);
+