security-commits January 2008

security-commits@lists.fedoraproject.org

1 participants
101 discussions

fedora-security/tools/scripts add-cve-bug, 1.2, 1.3 add-issue, 1.2, 1.3 add-tracking-bugs, 1.2, 1.3 check-updates, 1.2, 1.3 generate-manifest, 1.2, 1.3 get-cve, 1.2, 1.3 package-release, 1.2, 1.3 parse-announce, 1.2, 1.3 suidaudit, 1.2, 1.3 update-cve-cache, 1.2, 1.3
by fedora-security-commits＠redhat.com 14 Jan '08

14 Jan '08

Author: lkundrak Update of /cvs/fedora/fedora-security/tools/scripts In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18701/scripts Modified Files: add-cve-bug add-issue add-tracking-bugs check-updates generate-manifest get-cve package-release parse-announce suidaudit update-cve-cache Log Message: Merge from lkundrak-tools-ng

1 0

fedora-security/tools/lib/Libexig Audit.pm, 1.2, 1.3 Bodhi.pm, 1.2, 1.3 Bugzilla.pm, 1.2, 1.3 CVE.pm, 1.2, 1.3 Fedora.pm, 1.2, 1.3 Util.pm, 1.2, 1.3
by fedora-security-commits＠redhat.com 14 Jan '08

14 Jan '08

Author: lkundrak Update of /cvs/fedora/fedora-security/tools/lib/Libexig In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18701/lib/Libexig Modified Files: Audit.pm Bodhi.pm Bugzilla.pm CVE.pm Fedora.pm Util.pm Log Message: Merge from lkundrak-tools-ng

1 0

fedora-security/tools META.yml, 1.1, 1.2 MANIFEST, 1.2, 1.3
by fedora-security-commits＠redhat.com 14 Jan '08

14 Jan '08

Author: lkundrak Update of /cvs/fedora/fedora-security/tools In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18701 Modified Files: MANIFEST Added Files: META.yml Log Message: Merge from lkundrak-tools-ng Index: META.yml =================================================================== RCS file: META.yml diff -N META.yml --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ META.yml 14 Jan 2008 16:33:11 -0000 1.2 @@ -0,0 +1,35 @@ +--- +name: fedora-security +version: 0.9 +author: + - 'Lubomir Kundrak <lkundrak(a)redhat.com>' +abstract: Tools for Fedora Security Response Team use +license: unknown +requires: + Data::Dumper: 0 + Exporter: 0 + Fcntl: 0 + File::Temp: 0 + Getopt::Long: 0 + JSON: 0 + LWP::Simple: 0 + RPM2: 0 + XML::Parser: 0 + XMLRPC::Lite: 0 +generated_by: Module::Build version 0.2808 +meta-spec: + url: http://module-build.sourceforge.net/META-spec-v1.2.html + version: 1.2 +provides: + Libexig::Audit: + file: lib/Libexig/Audit.pm + Libexig::Bodhi: + file: lib/Libexig/Bodhi.pm + Libexig::Bugzilla: + file: lib/Libexig/Bugzilla.pm + Libexig::CVE: + file: lib/Libexig/CVE.pm + Libexig::Fedora: + file: lib/Libexig/Fedora.pm + Libexig::Util: + file: lib/Libexig/Util.pm Index: MANIFEST =================================================================== RCS file: /cvs/fedora/fedora-security/tools/MANIFEST,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- MANIFEST 14 Jan 2008 16:04:46 -0000 1.2 +++ MANIFEST 14 Jan 2008 16:33:11 -0000 1.3 @@ -4,6 +4,7 @@ lib/Libexig/Bodhi.pm lib/Libexig/Bugzilla.pm lib/Libexig/CVE.pm +lib/Libexig/Fedora.pm lib/Libexig/Util.pm MANIFEST This list of files META.yml

1 0

fedora-security/tools META.yml, NONE, 1.1.2.1 MANIFEST, 1.1.2.1, 1.1.2.2
by fedora-security-commits＠redhat.com 14 Jan '08

14 Jan '08

Author: lkundrak Update of /cvs/fedora/fedora-security/tools In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18411 Modified Files: Tag: lkundrak-tools-ng MANIFEST Added Files: Tag: lkundrak-tools-ng META.yml Log Message: Fix package build --- NEW FILE META.yml --- --- name: fedora-security version: 0.9 author: - 'Lubomir Kundrak <lkundrak(a)redhat.com>' abstract: Tools for Fedora Security Response Team use license: unknown requires: Data::Dumper: 0 Exporter: 0 Fcntl: 0 File::Temp: 0 Getopt::Long: 0 JSON: 0 LWP::Simple: 0 RPM2: 0 XML::Parser: 0 XMLRPC::Lite: 0 generated_by: Module::Build version 0.2808 meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.2.html version: 1.2 provides: Libexig::Audit: file: lib/Libexig/Audit.pm Libexig::Bodhi: file: lib/Libexig/Bodhi.pm Libexig::Bugzilla: file: lib/Libexig/Bugzilla.pm Libexig::CVE: file: lib/Libexig/CVE.pm Libexig::Fedora: file: lib/Libexig/Fedora.pm Libexig::Util: file: lib/Libexig/Util.pm Index: MANIFEST =================================================================== RCS file: /cvs/fedora/fedora-security/tools/MANIFEST,v retrieving revision 1.1.2.1 retrieving revision 1.1.2.2 diff -u -r1.1.2.1 -r1.1.2.2 --- MANIFEST 6 Jan 2008 03:31:52 -0000 1.1.2.1 +++ MANIFEST 14 Jan 2008 16:29:08 -0000 1.1.2.2 @@ -4,6 +4,7 @@ lib/Libexig/Bodhi.pm lib/Libexig/Bugzilla.pm lib/Libexig/CVE.pm +lib/Libexig/Fedora.pm lib/Libexig/Util.pm MANIFEST This list of files META.yml

1 0

fedora-security/tools/lib/Libexig Bugzilla.pm, 1.1, 1.2
by fedora-security-commits＠redhat.com 14 Jan '08

14 Jan '08

Author: lkundrak Update of /cvs/fedora/fedora-security/tools/lib/Libexig In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17909 Added Files: Bugzilla.pm Log Message: And you? Where did you go? Index: Bugzilla.pm =================================================================== RCS file: Bugzilla.pm diff -N Bugzilla.pm --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ Bugzilla.pm 14 Jan 2008 16:14:48 -0000 1.2 @@ -0,0 +1,243 @@ +# $Id$ +# Bugzilla interface +# Lubomir Kundrak <lkundrak(a)redhat.com> + +package Libexig::Bugzilla; + +use XMLRPC::Lite; + +use warnings; +use strict; + +# Instantialize a Bugzilla connection +sub new +{ + my $class = shift; + my $self = shift; + + # Login credentials + if ($self->{username} and $self->{password}) { + $self->{creds} = [$self->{username}, $self->{password}]; + } else { + die 'Need username and password if not dryrun' + unless $self->{dryrun}; + $self->{creds} = []; + } + + # XMLRPC endpoint + $self->{url} = 'https://bugzilla.redhat.com/xmlrpc.cgi' + unless $self->{url}; + + $self->{rpc} = new XMLRPC::Lite ( + proxy => $self->{url}, + encoding => 'UTF-8', + ) + or die 'Could not create a RPC instnace'; + + if ($self->{debug}) { + use Data::Dumper; + } + + bless $self, $class; + return $self; +} + +# Get list of owners of a package from Bugzilla +sub owners +{ + my $self = shift; + my $component = shift; + + print STDERR "Getting list of owners\n" + if $self->{debug}; + + # Call bugzilla + my $call = $self->{rpc}->call('bugzilla.getCompInfo', $component); + my $result = $call->result + or die $call->faultstring; + print STDERR Dumper ($result) + if $self->{debug}; + + # Eliminate duplicates + my %people; + foreach my $instance (@{$result}) { + # blacklist some EOLed products + if ($instance->{'product'} eq 'Red Hat Linux' + || $instance->{'product'} eq 'Red Hat Linux Beta' + || $instance->{'product'} eq 'Red Hat Public Beta' + || $instance->{'product'} eq 'Red Hat Raw Hide' + || $instance->{'product'} eq 'Fedora Legacy' + || $instance->{'product'} eq 'eCos' + || $instance->{'product'} eq 'eCos runtime kernel' + || $instance->{'product'} =~ /^Red Hat Powertools/ + || $instance->{'product'} =~ /^Stronghold /) { + next; + } + # XXX: Add also 'initialqa'? + $people{$instance->{initialowner}} = 1 + if defined $instance->{initialowner}; + } + + return keys %people; +} + +# Create a bug (unless dryrun) and return its ID +sub file_bug +{ + my $self = shift; + return 0 if $self->{dryrun}; + + print STDERR "Creating a bug\n" + if $self->{debug}; + + my $call = $self->{rpc}->call('bugzilla.createBug', + shift, @{$self->{creds}}); + + my $result = $call->result + or die $call->faultstring; + + print STDERR 'Bugzilla answered to createBug: '.Dumper($result) + if $self->{debug}; + + return $result->[0]; +} + +# Get bugs +sub get_bugs +{ + my $self = shift; + my $bugs = shift or die 'No bugs to fetch!'; + my $columns = shift; + $columns = [] unless ($columns); # The default set + + my $call = $self->{rpc}->call('bugzilla.runQuery', { + 'bug_id' => $bugs, + 'bug_status' => [], + 'column_list' => $columns, + }, @{$self->{creds}}); + + my $result = $call->result + or die $call->faultstring; + + print STDERR 'Bugzilla answered to runQuery: '.Dumper($result) + if $self->{debug}; + + return $result->{bugs}; +} + +# Add blockers (unless dryrun) to a bug +sub add_blockers +{ + my $self = shift; + return 0 if $self->{dryrun}; + + my $bug = shift or die 'No blocker!'; + my $parents = shift or die 'No bug to block!'; + + my $call = $self->{rpc}->call('bugzilla.updateDepends', $bug, { + 'blocked' => $parents, + 'action' => 'add', + }, @{$self->{creds}}, 1); + + my $result = $call->result + or die $call->faultstring; + + print STDERR 'Bugzilla answered to updateDepends: '.Dumper($result) + if $self->{debug}; + return undef; +} + +# Add comment - wrapper around bugzilla addComment XMLRPC method +# +# Mandatory arguments: +# bugid, comment +# Optional arguments: +# isprivate, timestamp, worktime, bz_gid, private_in_it, nomail +sub add_comment +{ + my $self = shift; + + my $bug = shift or die 'No bug!'; + my $comment = shift or die 'No comment!'; + + if ($self->{dryrun}) { + print STDERR 'Would add following comment to bug: #'.$bug."\n"; + print STDERR "$comment\n"; + return 0; + } + + my $call = $self->{rpc}->call('bugzilla.addComment', $bug, $comment, + @{$self->{creds}}, @_); + + my $result = $call->result + or die $call->faultstring; + + print STDERR 'Bugzilla answered to addComment: '.Dumper($result) + if $self->{debug}; + return undef; +} + +# Add private comment to a bug +# +# Arguments: +# bugid, comment +sub add_private_comment +{ + my $self = shift; + + my $bug = shift; + my $comment = shift; + + $self->add_comment($bug, $comment, 1); +} + +# Close bug - wrapper around bugzilla closeBug XMLRPC method +# +# Mandatory arguments: +# bugid, resolution +# Optional arguments: +# dupeid, fixedin, comment, isprivate, private_in_it, nomail +sub close_bug +{ + my $self = shift; + + my $bug = shift or die 'No bug!'; + my $resolution = shift or die 'No resolution!'; + + if ($self->{dryrun}) { + print STDERR 'Would close bug #'.$bug.' as: '.$resolution."\n"; + return 0; + } + + my $call = $self->{rpc}->call('bugzilla.closeBug', $bug, $resolution, + @{$self->{creds}}, @_); + + my $result = $call->result + or die $call->faultstring; + + print STDERR 'Bugzilla answered to closeBug: '.Dumper($result) + if $self->{debug}; + return undef; +} + +# Close bug with comment +# +# Mandatory arguments: +# bugid, resulution, comment +# Optional arguments: +# newfixedin, dupeid +sub close_bug_with_comment +{ + my $self = shift; + + my $bug = shift; + my $resolution = shift; + my $comment = shift or die 'No comment!'; + + my $fixedin = shift; + my $dupeid = shift; + + $self->close_bug($bug, $resolution, $dupeid, $fixedin, $comment); +} + +1;

1 0

fedora-security/tools add-tracking-bugs, 1.4, NONE
by fedora-security-commits＠redhat.com 14 Jan '08

14 Jan '08

Author: lkundrak Update of /cvs/fedora/fedora-security/tools In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17809 Removed Files: add-tracking-bugs Log Message: Go a way, you should not exist! --- add-tracking-bugs DELETED ---

1 0

fedora-security/tools/lib/Libexig Audit.pm, 1.1, 1.2 Bodhi.pm, 1.1, 1.2 CVE.pm, 1.1, 1.2 Fedora.pm, 1.1, 1.2 Util.pm, 1.1, 1.2
by fedora-security-commits＠redhat.com 14 Jan '08

14 Jan '08

Author: lkundrak Update of /cvs/fedora/fedora-security/tools/lib/Libexig In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17363/lib/Libexig Added Files: Audit.pm Bodhi.pm CVE.pm Fedora.pm Util.pm Log Message: Merging (hopefully) stable from my branch Index: Audit.pm =================================================================== RCS file: Audit.pm diff -N Audit.pm --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ Audit.pm 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,130 @@ +# $Id$ +# Audit database interface +# Lubomir Kundrak <lkundrak(a)redhat.com> + +package Libexig::Audit; + +use Libexig::Util; + +use warnings; +use strict; + +# Get lines from file and parse them +sub new +{ + my $class = shift; + my $self = shift; + + # Read standard input unless specified otherwise + $self->{file} = '-' unless $self->{file}; + + open (AUDIT, $self->{file}) + or die "Could not open $self->{file}"; + + $self->{audit} = []; + push @{$self->{audit}}, parse_line ($_) foreach <AUDIT>; + + close (AUDIT); + + bless $self, $class; + return $self; +} + +# Add an entry, to the proper place alphabetically +sub add +{ + my $self = shift; + my $entry = shift; + my $index; + + for ($index = 0; $index <= $#{$self->{audit}}; $index++) { + $self->{audit}->[$index]->{cve} or next; + $self->{audit}->[$index]->{cve} lt $entry->{cve} and last; + }; + + update_entry ($entry); + use Data::Dumper; + parse_line ($entry->{line}); # Check if it is well formed + insert ($self->{audit}, $index, $entry); +} + +# Save +sub save +{ + my $self = shift; + + open (AUDIT, '>'.$self->{file}) + or die "Could not open $self->{file}"; + + foreach my $entry (@{$self->{audit}}) { + #update_entry ($entry); + print AUDIT $entry->{line}; + } + + close (AUDIT); +} + +# Get an entry hash and reconstruct its 'line' field +# (useful if something got changed) +sub update_entry +{ + my $entry = shift; + + $entry->{cve} or return; + $entry->{line} = join " ", ( + $entry->{need_verif}.$entry->{cve}, + $entry->{status}, + ($entry->{fixed} + ? "($entry->{component}, $entry->{fixed})" + : "($entry->{component})"), + ($entry->{bug} + ? "#$entry->{bug}" + : ()), + ($entry->{since} + ? "[since $entry->{since}]" + : ()), + $entry->{comment} + ); + + chomp $entry->{line}; + $entry->{line} .= "\n"; +} + +# Get line and return a hash +sub parse_line +{ + $_ = shift; + if (/^#/ or /^\s*$/) { + return { + 'line' => $_, + }; + } elsif (/^ + (\*?)* # Needs verification + (\S+-\S+-\S+)\s* # CVE + (\*\*|version|VULNERABLE|ignore|backport|fixed)\s* # Status + $ + ([^\s,]+)\s* # Component + (,\s*(.*))?\s* # When fixed upstream + $\s* + (\#(\d+))?\s* # Bugzilla IS + (\[since\s+(\S+)\])?\s* # When fixed in Fedora + (.*) # Comment + /x) { + return { + need_verif => $1, + cve => $2, + status => $3, + component => $4, + fixed => $6, + bug => $8, + since => $10, + comment => $11, + line => $_, + }; + next; + } else { + die "Prase error: $_"; + } +} + +0.99999; Index: Bodhi.pm =================================================================== RCS file: Bodhi.pm diff -N Bodhi.pm --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ Bodhi.pm 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,107 @@ +# $Id$ +# This is how do we interface with the Fedora Update System +# Lubomir Kundrak <lkundrak(a)redhat.com> + +package Libexig::Bodhi; + +use JSON; + +# Convert the text blob from bodhi to a hash, +# dissect some multipart values +sub update_to_hashref +{ + my @lines = split /\n/, shift; + my %retval; + my $line; + my $name; + + # Rougly process all the fields and header + + while ($line = shift @lines) { + + # Header + if ($line eq "=" x 80) { + $retval{'_NVR'} = ''; + + do { + $line = shift @lines; + $line =~ /\s+(.*)/ and $retval{'_NVR'} .= $1; + } while ($line ne '=' x 80); + + # Additional comment lines do not have leading : + # This causes havoc on comments including : character + } elsif ($line =~ /^\s*(Comments): (.*)/) { + $name = $1; # always 'Comments' + $retval{$name} = $2; + + # expect comments until blank line + $line = shift @lines; + while (defined($line) && $line !~ /^$/) { + $line =~ s/^\s*//; + $retval{$name} .= "\n$line"; + $line = shift @lines; + } + + # Blah: blah + } elsif ($line =~ /\s*([^:]*): (.*)/) { + $name = $1 if ($1); + if (defined $retval{$name}) { + $retval{$name} .= "\n$2"; + } else { + $retval{$name} = $2; + } + + # Update URL + } elsif ($line =~ /^ (http.*)/) { + $retval{'_Update URL'} = "$1"; + } + } + + # Grok bug strings + + if ($retval{'Bugs'}) { + my %bugs; + my $bug; + + foreach (split /\n/, $retval{'Bugs'}) { + if (/(\d+) - (.*)/) { + $bug = $1; + $bugs{$bug} = $2; + } else { + #$bugs{$bug} .= " $2"; + } + } + + $retval{'_Bugs'} = \%bugs; + } + + # Grok raw NVR list + + my @nvrs = split /,\s*/, $retval{'_NVR'}; + $retval{'_NVRs'} = \@nvrs; + + # Parsing comments, not yet implemented, of no use for us + + return \%retval; +} + +# Get array of all updates for a package +sub get_updates +{ + my $pkg = shift or die 'No package name supplied'; + my @retval; + + + # Get updates + $json = `wget --post-data 'package=$pkg&tg_paginate_limit=0' -qO - \\ + 'https://admin.fedoraproject.org/updates/list?tg_format=json'`; + $obj = jsonToObj ($json); + + foreach my $update (@{$obj->{'updates'}}) { + push @retval, update_to_hashref ($update); + } + + return @retval; +} + +1; Index: CVE.pm =================================================================== RCS file: CVE.pm diff -N CVE.pm --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ CVE.pm 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,123 @@ +# $Id$ +# Get CVE information from NVD and maintain NVD XML file cache +# Lubomir Kundrak <lkundrak(a)redhat.com> + +package Libexig::CVE; + +#use warnings; +#use strict; + +use Exporter 'import'; +use XML::Parser; +use LWP::Simple; + +@EXPORT = qw/cve/; + +my $sourcebase = 'http://nvd.nist.gov/download/'; +my $cachebase = $ENV{'HOME'}.'/.nvdcache/'; + +my $parser = new XML::Parser ( + 'Style' => 'Tree', +); + +sub get_element +{ + my $tree = shift; + + my $tag = shift @{$tree}; + my $content = shift @{$tree}; + my $arguments = shift @{$content}; + + if ($tag and $content and $arguments) { + return [$tag, $content, $arguments]; + } else { + return undef; + } +} + +# Gets <desc> element and returns description from 'cve' source +sub get_desc +{ + my $e = shift; + + while (my $e = get_element ($e->[1])) { + # <descript> + $e->[2]->{'source'} eq 'cve' or next; + return $e->[1]->[1]; + } +} + +# Gets <refs> element and returns array of all url=s of <ref>s +sub get_refs +{ + my $e = shift; + my @refs; + + while (my $e = get_element ($e->[1])) { + # <ref> + push @refs, $e->[2]->{'url'}; + } + + return @refs; +} + +# Get <entry> and return its description and references +sub do_entry +{ + my $e = shift; + my $desc; + my @refs; + + $e->[2]->{'type'} eq 'CVE' or die 'Non-CVE entry'; + + while (my $e = get_element ($e->[1])) { + $desc = get_desc ($e) if $e->[0] eq 'desc'; + @refs = get_refs ($e) if $e->[0] eq 'refs'; + + $desc and @refs and return ($desc, [@refs]); + } +} + +# Update file in cache if older than age and return its path +sub nvdcache +{ + my ($file, $age) = @_; + + mkdir $cachebase; + system ("mkdir -p '$cachebase'"); + mirror ($sourcebase.$file, $cachebase.$file) + or die ('Failed to update cache'); + return $cachebase.$file; +} + +# lala +sub cve +{ + my $cve = shift; + + $cve =~ /^CVE-(\d+)-\d+$/ or die "'$cve' does not look like a CVE id"; + my $year = ($1 > 2002 ? $1 : 2002); + + foreach ( + # File name => cache update threshold (minutes, XXX: not implemented) + # order is important + [ 'nvdcve-modified.xml' => 0 ], + [ 'nvdcve-recent.xml' => 0 ], + [ 'nvdcve-'.$year.'.xml' => 1440 ], + ) { + my $file = nvdcache (@{$_}); + my $tree = $parser->parsefile ($file); + my $e = get_element ($tree); + + while (my $e = get_element ($e->[1])) { + # matching <entry name="$cve"> + if ($e->[0] eq 'entry' and $e->[2]->{'name'} eq $cve) { + return do_entry ($e); + } + } + } + + return undef; +} + +1; Index: Fedora.pm =================================================================== RCS file: Fedora.pm diff -N Fedora.pm --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ Fedora.pm 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,255 @@ +# $Id$ +# Fedora specific routines and constants +# Lubomir Kundrak <lkundrak(a)redhat.com> + +package Libexig::Fedora; + +use warnings; +use strict; + +%Libexig::Fedora::srt_bz_map = ( + 'critical' => 'urgent', + 'important' => 'high', + 'moderate' => 'medium', + 'low' => 'low', +); + +### +### Parent bugs from CVE +### + +# Get the text to include in the CVE bug descripiton +sub cve_bug_desc +{ + my $cve = shift; + my $desc = shift; + my $refs = shift; + + return + "Common Vulnerabilities and Exposures assigned an ". + "identifier $cve to the following vulnerability:". + "\n\n". + ($desc ? $desc : '(Please paste the CVE details manually)'). + "\n\n". + "References:\n\n". + ($refs ? join ("\n", @{$refs}) : '(References here, one per line)'); +} + +# Construct the parent bug +sub cve_bug +{ + my $cve = shift; + my $component = shift; + my $summary = shift; + my $desc = shift; + my $impact = shift; + my $bugzilla = shift; + + # Get CC list + # TODO: get rid of duplicates + my @cc; + foreach (split (/,/,$component)) { + push (@cc,$bugzilla->owners ($_)); + } + + return ( + 'bug_file_loc' => "http://nvd.nist.gov/nvd.cfm?cvename=$cve", + 'rep_platform' => 'All', + 'op_sys' => 'Linux', + 'short_desc' => "$cve $summary", + 'keywords' => 'Security', + 'product' => 'Security Response', + 'comment' => $desc, + 'component' => 'vulnerability', + 'bug_severity' => $Libexig::Fedora::srt_bz_map{$impact}, + 'priority' => $Libexig::Fedora::srt_bz_map{$impact}, + 'version' => 'unspecified', + 'cc' => join (',', @cc), + 'alias' => $cve, + ); +} + +### +### Tracking bugs +### + +my $comment_head = + 'This is an automatically created tracking bug! '. + 'It was created to ensure that one or more security '. + 'vulnerabilities are fixed in all affected branches.'. + "\n\n". + 'You should *not* refer to this bug publicly, as it is a '. + 'private "Fedora Project Contributors" bug.'. + "\n\n". + 'For comments that are specific to the vulnerability please use bugs '. + 'filed against "Security Response" product referenced in "Blocks" '. + 'field.'. + "\n\n"; + +my $comment_tail = + 'For more information see: '. + 'http://fedoraproject.org/wiki/Security/TrackingBugs'; + +my $comment_update = + # Following the list of parent bugs + "\n". + 'When creating an update for the version this this bug is reported '. + 'against please include the bug IDs of respective bugs filed '. + 'against "Security Response" product as well as of this bug and let the '. + 'update system close them. Please '. + 'note that the update announcement will (and should) contain only '. + 'references to "Security Response" bugs as long as the tracking '. + 'bug is restricted to "Fedora Project Contributors".'. + "\n\n"; + +my $comment_rawhide = + "\n". + 'Please close this bug with RAWHIDE (referencing appropriate N-V-R in '. + 'Fixed In field if possible) once is it fixed in devel branch. '. + 'Do *not* include the bug id of this bug in the RPM changelog and the '. + 'commit message.'. + "\n\n"; + +my %priorities = ( + 'urgent', => 4, + 'high', => 3, + 'medium', => 2, + 'low' => 1, +); + +# Valid versions +my %versions = ( + '6', => '6', + 'f6', => '6', + 'fc6', => '6', + '7', => '7', + 'f7', => '7', + 'fc7', => '7', + '8', => '8', + 'f8', => '8', + 'fc8', => '8', + '9', => 'rawhide', + 'f9', => 'rawhide', + 'fc9', => 'rawhide', + 'devel', => 'rawhide', +); + +sub tracking_bugs +{ + my $bugs = shift; + my $component = shift; + my @versions = @_; + + my @retval; + + # Construct a tracking bug template + + my %bug_tmpl = ( + 'bug_file_loc' => 'http://fedoraproject.org/wiki/Security/TrackingBugs', + 'rep_platform' => 'All', + 'op_sys' => 'Linux', + 'short_desc' => '', + 'keywords' => 'Security', + 'product' => 'Fedora', + 'component' => $component, + 'bug_severity' => 'low', + 'priority' => 'low', + 'bit-58' => '1', # Fedora Project Contributors + ); + + my $comment_parents = ''; + + foreach my $bug (@{$bugs}) { + + # Take the highest of priorities + $bug_tmpl{'bug_severity'} = $bug->{'bug_severity'} + if ($priorities{$bug->{'bug_severity'}} > $priorities{$bug_tmpl{'bug_severity'}}); + $bug_tmpl{'priority'} = $bug->{'priority'} + if ($priorities{$bug->{'priority'}} > $priorities{$bug_tmpl{'priority'}}); + + # This will be overwriten if we block just one parent bug + $bug_tmpl{'short_desc'} .= $bug->{'alias'}.' '; + + # Add the parent bug to the comment + $comment_parents .= "\tbug #$bug->{'bug_id'}: $bug->{'short_short_desc'}\n"; + } + + if (@{$bugs} > 1) { + $bug_tmpl{'short_desc'} .= "Multiple $component vulnerabilities"; + } else { + $bug_tmpl{'short_desc'} = $bugs->[0]->{'short_short_desc'}; + } + + # Create a bug hash for each version + + foreach my $version (@versions) { + my %bug = %bug_tmpl; + $bug{'short_desc'} .= " [Fedora $versions{$version}]"; + $bug{'version'} = $versions{$version}; + + $bug{'comment'} = + $comment_head. + $comment_parents. + ($bug{'version'} eq 'rawhide' ? $comment_rawhide : $comment_update). + $comment_tail; + + push @retval, \%bug; + } + + return \@retval; +} + +# file_tracking_bugs +# +# Arguments: +# - ref to list of parent bug ids +# - ref to list of bugs to file (each element must be hash as expected by BZ) +# this list is prepared by tracking_bugs +# - Bugzilla object reference +# - component +sub file_tracking_bugs +{ + my $parent_bugs = shift; + my $tracking_bugs = shift; + my $bugzilla = shift; + my $component = shift; + + my $comment = "Created Fedora tracking bugs for $component:\n\n"; + + foreach my $bug (@{$tracking_bugs}) { + use Data::Dumper; + my $bug_id = $bugzilla->file_bug ($bug); + + if (!defined($bug_id)) { + print STDERR "Error: Bug creation failed! (dryrun mode?)\n"; + #return undef; + } + + ### XXX: Move this somewhere else? + if ($bug->{'version'} ne 'rawhide') { + my $tr_comment = + 'You can eventually use the following link to '. + 'create the update request: '."\n". + 'https://admin.fedoraproject.org/updates/new/'. + '?request=Stable'. + '&type=security'. + '&release=Fedora%20'.$bug->{'version'}. + '&bugs='.$bug_id; + + foreach my $bug (@{$parent_bugs}) { + $tr_comment .= ','.$bug; + } + + $bugzilla->add_comment ($bug_id, $tr_comment); + } + + $bugzilla->add_blockers ($bug_id, $parent_bugs); + $comment .= $bug->{'version'}.": bug #$bug_id\n"; + } + + foreach my $bug (@{$parent_bugs}) { + $bugzilla->add_private_comment ($bug, $comment); + } + + return $comment; +} Index: Util.pm =================================================================== RCS file: Util.pm diff -N Util.pm --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ Util.pm 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,54 @@ +# $Id$ +# Random routines that are shared across the tooling +# Lubomir Kundrak <lkundrak(a)redhat.com> + +package Libexig::Util; + +#use warnings; +#use strict; + +use Exporter 'import'; +use File::Temp ('tempfile'); + +@EXPORT = qw/edit_string read_noecho insert/; + +# Launch an editor for editing the bugzilla comment or whatever +sub edit_string +{ + my $string = shift; + + my ($tmpfh, $tmpname) = tempfile (); + print $tmpfh $string; + close ($tmpfh); + my $editor = ($ENV{'EDITOR'} or 'vi'); + system ($editor, $tmpname); + open ($tmpfh, "<$tmpname"); + $string = join ('', <$tmpfh>); + close ($tmpfh); + + return $string; +} + +# Get password not echoing characters +sub read_noecho +{ + print STDERR @_; + system ('stty -echo'); + my $string = <STDIN>; + system ('stty echo'); + chomp ($string); + print STDERR "\n"; + $string; +} + +# Insert a sub-list into a list +sub insert +{ + my $array = shift; + my $index = shift; + my @what = @_; + + splice (@{$array}, $index, 0, @what); +} + +1;

1 0

fedora-security/tools/scripts add-cve-bug, 1.1, 1.2 add-issue, 1.1, 1.2 add-tracking-bugs, 1.1, 1.2 check-updates, 1.1, 1.2 generate-manifest, 1.1, 1.2 get-cve, 1.1, 1.2 package-release, 1.1, 1.2 parse-announce, 1.1, 1.2 suidaudit, 1.1, 1.2 update-cve-cache, 1.1, 1.2
by fedora-security-commits＠redhat.com 14 Jan '08

14 Jan '08

Author: lkundrak Update of /cvs/fedora/fedora-security/tools/scripts In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17363/scripts Added Files: add-cve-bug add-issue add-tracking-bugs check-updates generate-manifest get-cve package-release parse-announce suidaudit update-cve-cache Log Message: Merging (hopefully) stable from my branch Index: add-cve-bug =================================================================== RCS file: add-cve-bug diff -N add-cve-bug --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ add-cve-bug 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,102 @@ +#!/usr/bin/env perl + +# $Id$ +# Create a bugzilla from a CVE entry +# Lubomir Kundrak <lkundrak(a)redhat.com> + +# Typical use: +#$ ./add-cve-bug \ +# --cve=CVE-2007-4251 \ +# --component=openoffice.org \ +# --summary="OpenOffice crashes upon opening certain files" \ +# --impact=low +# (Was used to create #251717) + +my $usage = 'add-cve-bug [options...] + --cve=<cve> CVE ID (mandatory) + --username=<username> Bugzilla login (defaults to $LOGNAME(a)redhat.com) + --password=<password> Bugzilla passwords (asks for it, if not supplied) + --component=<pkg[,<pkg>...] Affected package, to find owner to CC (mandatory) + --summary=<summary> Text to follow CVE ID in bugzilla (mandatory) + --impact=<impact> Impact: critical, important, moderate, low + --interactive Launch editor to edit the description + --dryrun Do not write anything, usable with --debug + --debug Dump interesting info + --help This text +'; + +use Getopt::Long; +use Data::Dumper; + +use Libexig::Fedora; +use Libexig::CVE; +use Libexig::Bugzilla; +use Libexig::Util; + +use warnings; +use strict; + +# Command line options +my ($cve, $interactive, $dryrun, $debug, + $username, $password, $component, $summary, $impact); + +# Parse command line options +my %options; +GetOptions(\%options, + 'cve=s', + 'username=s', + 'password=s', + 'component=s', + 'summary=s', + 'impact=s', + 'interactive', + 'dryrun', + 'debug', + 'help', +) or die 'Incorrect arguments. Try --help.'; + +if ($options{'help'}) { + print $usage; + exit; +} + +$dryrun = ($options{'dryrun'} or 0); +$debug = ($options{'debug'} or 0); +$interactive = ($options{'interactive'} or 0); + +$cve = $options{'cve'} or die 'cve argument is mandatory'; +$component = $options{'component'} or die 'component argument is mandatory'; +$summary = $options{'summary'} or die 'summary argument is mandatory'; +$impact = ($options{'impact'} or 'low'); +defined $Libexig::Fedora::srt_bz_map{$impact} or die 'specified unrecognized impact value'; + +$username = ($options{'username'} or $ENV{'LOGNAME'}.'@redhat.com'); +$password = ($options{'password'} or $dryrun or + read_noecho ("Bugzilla password for $username: ")); + # TODO: add whiteboard option to fill in and get impact from it + +# Get CVE details from NVD or user + +print "Getting a bug description from CVE\n" if $debug; +my ($desc, $refs) = cve ($cve); + +die 'Cannot fetch CVE description; re-run with --interactive' + unless $desc or $interactive; + +my $bug_desc = Libexig::Fedora::cve_bug_desc ($cve, $desc, $refs); +$bug_desc = edit_string ($bug_desc) if $interactive; + +# File it in Bugzilla + +my $bugzilla = new Libexig::Bugzilla ({ + 'username' => $username, + 'password' => $password, + 'dryrun' => $dryrun, + 'debug' => $debug, +}); + +my %bug = Libexig::Fedora::cve_bug ($cve, $component, $summary, $bug_desc, $impact, $bugzilla); +print 'About to add this bug: '.Dumper(\%bug) if $debug; +my $bug_id = $bugzilla->file_bug (\%bug); + +print STDERR "Created bug #$bug_id\n"; Index: add-issue =================================================================== RCS file: add-issue diff -N add-issue --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ add-issue 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,90 @@ +#!/usr/bin/env perl + +# $Id$ +# File a bugs for specified versions and add dependencies +# Lubomir Kundrak <lkundrak(a)redhat.com> + +# XXX: debug, dryrun +my $usage = 'add-cve-bug [options...] + --versions=<ver>[,...] Affected Fedora versions + --bugs=<bug>[,...]] Tracking bugs for respective versions + --need_verif Needs verification (**) + --cve=<cve> CVE name + --status=<status> Either "fixed" or "ignore" or implied "VULNERABLE" + --component=<pkg> Affected package, to find owner to CC (mandatory) + --fixed=<version> "fixed ..." or "not fixed ..." + --since=<update> Fedora update or NVR this was fixed in + --comment=<comment> Free-form comment string +'; + +use Getopt::Long; +use Libexig::Audit; + +use warnings; +use strict; + +my %versions = ( + '7' => '../audit/fc7', + '8' => '../audit/f8', + '9' => '../audit/f9', +); + +# Command line options +my (@versions, @bugs, $need_verif, $cve, $status, $component, + $fixed, $since, $comment); + +# Parse command line options + +my %options; +GetOptions(\%options, + 'versions=s', + 'bugs=s', + 'need_verif', + 'cve=s', + 'status=s', + 'component=s', + 'fixed=s', + 'since=s', + 'comment=s', + 'help', +) or die 'Incorrect arguments. Try --help.'; + +if ($options{help}) { + print $usage; + exit; +} + +@versions = $options{versions} + ? split (/,/, $options{versions}) # versions were specified + : keys %versions; # all known versions + +@bugs = $options{bugs} + ? split (/,/, $options{bugs}) + : (); + +$need_verif = ($options{need_verif} ? '**' : ''); +$cve = ($options{cve} or 'GENERIC-MAP-NOMATCH'); +$status = ($options{status} or 'VULNERABLE'); +$component = ($options{component}) or die 'component argument is mandatory'; +$fixed = ($options{fixed} or ''); +$since = ($options{since} or ''); +$comment = ($options{comment} or ''); + +# Add a line for each version + +foreach my $version (@versions) { + my $entry = { + need_verif => $need_verif, + cve => $cve, + status => $status, + component => $component, + fixed => $fixed, + bug => shift @bugs, + since => $since, + comment => $comment, + }; + + my $audit = new Libexig::Audit ({file => $versions{$version}}); + $audit->add ($entry); + $audit->save; +} Index: add-tracking-bugs =================================================================== RCS file: add-tracking-bugs diff -N add-tracking-bugs --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ add-tracking-bugs 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,81 @@ +#!/usr/bin/env perl + +# $Id$ +# File a bugs for specified versions and add dependencies +# Lubomir Kundrak <lkundrak(a)redhat.com> + +my $usage = 'add-tracking-bugs [options...] + --bugs=<bug>[,...] Parent bugs + --versions=<ver>[,...] Affected Fedora versions + --component=<pkg> Affected package, to find owner to CC (mandatory) + --username=<username> Bugzilla login (defaults to $LOGNAME(a)redhat.com) + --password=<password> Bugzilla passwords (asks for it, if not supplied) + --dryrun Do not write anything, usable with --debug + --debug Dump more or less interesting info + --help This text +'; + +use XMLRPC::Lite; +use Getopt::Long; +use Data::Dumper; + +use Libexig::Util; +use Libexig::Bugzilla; +use Libexig::Fedora; + +use warnings; +use strict; + +# Command line options +my (@bugs, @versions, $dryrun, $debug, + $username, $password, $component); + +# Parse command line options: + +my %options; +GetOptions(\%options, + 'bugs=s', + 'component=s', + 'versions=s', + 'username=s', + 'password=s', + 'dryrun', + 'debug', + 'help', +) or die 'Incorrect arguments. Try --help.'; + +if ($options{'help'}) { + print $usage; + exit; +} + +$options{'bugs'} or die 'bugs argument is mandatory'; +@bugs = split (/,/, $options{'bugs'}); + +$options{'versions'} or die 'versions argument is mandatory'; +@versions = split (/,/, $options{'versions'}); +#XXX +##$versions{$_} or die "Invalid version: $_" foreach (@versions); + +$component = $options{'component'} or die 'component argument is mandatory'; +$dryrun = ($options{'dryrun'} or 0); +$debug = ($options{'debug'} or 0); +$username = ($options{'username'} or $ENV{'LOGNAME'}.'@redhat.com'); +$password = ($options{'password'} or read_noecho ("Bugzilla password for $username: ")) + unless $dryrun; + + +my $bugzilla = new Libexig::Bugzilla ({ + 'username' => $username, + 'password' => $password, + 'dryrun' => $dryrun, + 'debug' => $debug, +}); + +# All the work (not the one that makes Jack a dull boy) +my $parent_bugs = $bugzilla->get_bugs (\@bugs, + ['alias','keywords','priority','bug_id', 'bug_severity', 'short_short_desc']); +my $tracking_bugs = Libexig::Fedora::tracking_bugs ($parent_bugs, $component, @versions); + +print STDERR Libexig::Fedora::file_tracking_bugs (\@bugs, $tracking_bugs, $bugzilla, $component); + Index: check-updates =================================================================== RCS file: check-updates diff -N check-updates --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ check-updates 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,32 @@ +#!/usr/bin/env perl + +# $Id$ +# Dump what's VULNERABLE, but been subject to an update +# Lubomir Kundrak <lkundrak(a)redhat.com> + +#use warnings; +use strict; + +use Libexig::Audit; +use Libexig::Bodhi; + +# Parse the audit file +my $audit = new Libexig::Audit ({file => $ARGV[0]}); + +foreach my $entry (@{$audit->{audit}}) { + $entry->{'status'} eq 'VULNERABLE' or next; + + # See if the VULNERABLE bug was referenced by an update + foreach my $u (Libexig::Bodhi::get_updates ($entry->{component})) { + $u->{'_Bugs'}->{$entry->{bug}} or next; + + # Modify the line accordingly + $entry->{since} = $u->{'Update ID'}; + $u->{'Status'} eq 'stable' and $entry->{status} = 'fixed'; + Libexig::Audit::update_entry ($entry); + + last; + }; +} + +$audit->save; Index: generate-manifest =================================================================== RCS file: generate-manifest diff -N generate-manifest --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ generate-manifest 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,28 @@ +#!/bin/sh + +# $Id$ +# List generate list of latest versions of all packages in a brew tag +# Lubomir Kundrak <lkundrak(a)redhat.com> + +if [ -z "$KOJI" ] +then + KOJI="koji" +fi + +if [ -z "$@" ] +then + export TAGS=" + dist-fc7-updates + dist-f8-updates + dist-f9-build + " +else + export TAGS="$@" +fi + +for TAG in $TAGS +do + echo -n "Generating manifest for $TAG..." + "$KOJI" list-tagged --inherit --latest "$TAG" >"$TAG" + echo " done" +done Index: get-cve =================================================================== RCS file: get-cve diff -N get-cve --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ get-cve 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,18 @@ +#!/usr/bin/env perl + +# $Id$ +# Get CVE information from NVD +# Lubomir Kundrak <lkundrak(a)redhat.com> + + +use warnings; +use strict; + +use Libexig::CVE; +use Data::Dumper; + +@ARGV or die 'Usage: get-cve <cve> [...]'; + +foreach my $cve (@ARGV) { + print Dumper ($cve, Libexig::CVE::cve ($cve)); +} Index: package-release =================================================================== RCS file: package-release diff -N package-release --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ package-release 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,96 @@ +#!/usr/bin/perl -w + +# $Id$ + +# Script for querying which release we ship a package in, and what the +# version of said package is. +# +# This script was originally writeen by Jason L Tibbitts III + +# TODO: Use getopt (add options at that time) +# TODO: Allow for fuzzy matching (partial searching) + +use LWP::Simple; +use Net::FTP; +use strict; + +# Global variables +my ($owner_file, $mirror_host, $mirror_path, @releases); + + +$owner_file='http://cvs.fedora.redhat.com/viewcvs/*checkout*/owners/owners.list?root=ext…'; +$mirror_host='download.fedora.redhat.com'; +$mirror_path='/pub/fedora/linux/releases/%s/Everything/source/SRPMS'; +@releases=qw( 7 ); + +sub get_owner_content { + my $match = pop; + + my ($distro, $package, $desc, $owner, $qa, $cc); + + my %owner; + + my $owner_content = get($owner_file) + or die "Couldn't get $owner_file"; + + foreach (split(/\n/, $owner_content)) { + next if /^#/; + chomp; + + ($distro, $package, $desc, $owner, $qa, $cc) = split(/\|/, $_); + + next if ( $package !~ m/$match/i); + + $owner{$package} = {}; + $owner{$package}->{'product'} = $distro; + $owner{$package}->{'package'} = $package; + $owner{$package}->{'description'} = $desc; + $owner{$package}->{'owner'} = $owner; + $owner{$package}->{'qacontact'} = $qa; + $owner{$package}->{'cclist'} = $cc; + } + + return %owner; + +} + +my $package = $ARGV[0]; + +my %owner = get_owner_content($package); + +if (!keys(%owner) or $package eq '') { + print "Could not find package \"$package\" in $owner_file\n"; + exit 1; +} + +foreach (keys(%owner)) { +print "Found package $_ in owners.list:\n"; +} + +my $ftp = Net::FTP->new($mirror_host, Debug => 0) + or die "Cannot connect to $mirror_host: $@"; +$ftp->login("anonymous",'-anonymous@') + or die "Cannot login ", $ftp->message; + + +foreach my $release (@releases) { + my ($f, $dir, $files, $rev, $ver, $name); + + $dir = sprintf($mirror_path, $release); + $release eq "development" && ($release = "dev"); + $files = $ftp->ls($dir) + or die "Cannot list directory ", $ftp->message; + + foreach my $f (@$files) { + chomp($f); + $f =~ s/$dir\///; + next unless $f =~ /^(.*$package.*)-([^\-]*)-([^\-]*)\.src\.rpm$/i; + $name = $1; + $ver = $2; + $rev = $3; + + print " $release\t$name\t$ver\t$rev\t$f\n"; + } +} + +$ftp->quit; Index: parse-announce =================================================================== RCS file: parse-announce diff -N parse-announce --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ parse-announce 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,99 @@ +#!/usr/bin/perl -w + +# $Id$ + +use strict; +use Mail::Mbox::MessageParser; +use Email::Simple; + +die "\nUsage: parse-announce mbox-file audit-file\n\n" if not defined($ARGV[1]); + +my $mbox_filename = $ARGV[0]; +my $audit_filename = $ARGV[1]; +my (@file, %cve_id, $audit_version); + +$ARGV[1] =~ /(\d+)$/; +$audit_version = $1; + +# Suck in the audit file +open(FH, $ARGV[1]); +while (<FH>) { + my ($temp_cve, $temp_text, $temp_line, $temp_package); + chomp; + $temp_line = $_; + push @file, $temp_line; + + if ($temp_line =~ /^(CVE-\d{4}-\d{4}) (.*)/) { + $temp_cve = $1; + $temp_text = $2; + if ($temp_text =~ /$([\w\-\_\.]+)[\,$]/) { + $temp_package = $1; + } elsif ($temp_text =~ /\*\* (\w+)/) { + $temp_package = $1; + } else { + die "Couldn't determine the package name from the audit file"; + } + + $cve_id{$temp_cve} = {} if not $cve_id{$temp_cve}; + $cve_id{$temp_cve}->{$temp_package} = [$#file, $temp_line]; + } +} + +close(FH); + +my $folder_reader = new Mail::Mbox::MessageParser({ + 'file_name' => $mbox_filename, + 'enable_cache' => 0, +}); + +die $folder_reader unless ref $folder_reader; + +while (!$folder_reader->end_of_file()) { + my (@cves, $errata_id, $temp_cve); + my ($product, $package); + + + my $email = $folder_reader->read_next_email(); + my $mail = Email::Simple->new($$email); + my $subject = $mail->header('Subject'); + my $body = $mail->body; + + if ($body =~ m/Product\s*:\s+Fedora Core (\d+)/) { + $product = $1; + } else { + # Add support for fedora extras here + warn "Product name couldn't be found"; + next; + } + + if ($body =~ m/Name\s*:\s+(\w+)/) { + $package = $1; + } else { + warn "Package Name couldn't be found"; + next; + } + + if ($body =~ m/(FEDORA-\d{4}-\d+)/) { + $errata_id = $1; + } else { + warn "Errata ID couldn't be found"; + next; + } + + while ($body =~ m/(CVE-\d{4}-\d{4})/g) { + if ($cve_id{$1}) { + if ($cve_id{$1}->{$package} and $product eq $audit_version) { + $cve_id{$1}->{$package}->[1] .= "[since $errata_id]"; + my $file_line = $cve_id{$1}->{$package}->[0]; + next if $file[$file_line] =~ /\[since FEDORA/; + $file[$file_line] = $file[$file_line] . " [since $errata_id]" + } + } else { + print "$1 **FIXME** ($package) [since $errata_id]\n"; + } + } +} + +foreach (@file) { + print $_, "\n"; +} Index: suidaudit =================================================================== RCS file: suidaudit diff -N suidaudit --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ suidaudit 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,47 @@ +#!/usr/bin/env perl + +# $Id$ +# Audit RPM files for setuid and setgid files +# Lubomir Kundrak <lkundrak(a)redhat.com> + +use strict; +use warnings; + +use RPM2; +use Fcntl ':mode'; + +foreach my $rpm (@ARGV) { + + my $hdr = RPM2->open_package ($rpm) + or die $!; + + my $pkgname = $hdr->tag('Name'); + + my $name; my @names = $hdr->tag('BASENAMES'); + my $mode; my @modes = $hdr->tag('FILEMODES'); + my $class; my @classes = $hdr->tag('FILECLASS'); + my $dirindex; my @dirindexes = $hdr->tag('DIRINDEXES'); + my $username; my @usernames = $hdr->tag('FILEUSERNAME'); + my $groupname; my @groupnames = $hdr->tag('FILEGROUPNAME'); + + my @classdict = $hdr->tag('CLASSDICT'); + my @dirnames = $hdr->tag('DIRNAMES'); + + while ( + $mode = shift @modes, + $username = shift @usernames, + $groupname = shift @groupnames, + $class = shift @classes, + $dirindex = shift @dirindexes, + $name = shift @names + ) { + if ($mode & S_IFREG and $mode & (S_ISUID | S_ISGID)) { + printf "%-25s %06o %8s:%-8s %-30s %-.50s...\n", + $pkgname, $mode, + (($mode & S_ISUID) ? $username : '-'), + (($mode & S_ISGID) ? $groupname : '-'), + $dirnames[$dirindex].$name, + $classdict[$class]; + } + } +} Index: update-cve-cache =================================================================== RCS file: update-cve-cache diff -N update-cve-cache --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ update-cve-cache 14 Jan 2008 16:04:47 -0000 1.2 @@ -0,0 +1,14 @@ +#!/usr/bin/env perl + +# $Id$ +# Generate CVE cache so that tools utilizing Libexig::CVE run smoothly +# Lubomir Kundrak <lkundrak(a)redhat.com> + +use warnings; +use strict; + +use Libexig::CVE; + +#Libexig::CVE::nvdcache ('nvdcve-modified.xml'); +#Libexig::CVE::nvdcache ('nvdcve-recent.xml'); +Libexig::CVE::nvdcache ('nvdcve-'.$_.'.xml') foreach (2002..`date +%Y`);

1 0

fedora-security/tools Build.PL, 1.1, 1.2 MANIFEST, 1.1, 1.2 MANIFEST.SKIP, 1.1, 1.2 fedora-security.spec, 1.1, 1.2 generate-manifest, 1.4, NONE get-cve, 1.1, NONE package-release, 1.4, NONE parse-announce, 1.1, NONE suidaudit, 1.1, NONE
by fedora-security-commits＠redhat.com 14 Jan '08

14 Jan '08

Author: lkundrak Update of /cvs/fedora/fedora-security/tools In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17363 Added Files: Build.PL MANIFEST MANIFEST.SKIP fedora-security.spec Removed Files: generate-manifest get-cve package-release parse-announce suidaudit Log Message: Merging (hopefully) stable from my branch Index: Build.PL =================================================================== RCS file: Build.PL diff -N Build.PL --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ Build.PL 14 Jan 2008 16:04:46 -0000 1.2 @@ -0,0 +1,25 @@ +#!/usr/bin/env perl + +use Module::Build; + +Module::Build->new ( + module_name => 'fedora-security', + dist_version => '0.9', + dist_abstract => 'Tools for Fedora Security Response Team use', + dist_author => 'Lubomir Kundrak <lkundrak(a)redhat.com>', + script_files => 'scripts', + requires => { + 'Data::Dumper' => 0, + 'Exporter' => 0, + 'Fcntl' => 0, + 'File::Temp' => 0, + 'Getopt::Long' => 0, + 'JSON' => 0, + 'LWP::Simple' => 0, + 'RPM2' => 0, + 'XML::Parser' => 0, + 'XMLRPC::Lite' => 0, + }, +)->create_build_script; + + Index: MANIFEST =================================================================== RCS file: MANIFEST diff -N MANIFEST --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ MANIFEST 14 Jan 2008 16:04:46 -0000 1.2 @@ -0,0 +1,19 @@ +Build.PL +fedora-security.spec +lib/Libexig/Audit.pm +lib/Libexig/Bodhi.pm +lib/Libexig/Bugzilla.pm +lib/Libexig/CVE.pm +lib/Libexig/Util.pm +MANIFEST This list of files +META.yml +scripts/add-cve-bug +scripts/add-issue +scripts/add-tracking-bugs +scripts/check-updates +scripts/generate-manifest +scripts/get-cve +scripts/package-release +scripts/parse-announce +scripts/suidaudit +scripts/update-cve-cache Index: MANIFEST.SKIP =================================================================== RCS file: MANIFEST.SKIP diff -N MANIFEST.SKIP --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ MANIFEST.SKIP 14 Jan 2008 16:04:46 -0000 1.2 @@ -0,0 +1,39 @@ +# Avoid version control files. +\bRCS\b +\bCVS\b +,v$ +\B\.svn\b +\B\.cvsignore$ + +# Avoid Makemaker generated and utility files. +\bMakefile$ +\bblib +\bMakeMaker-\d +\bpm_to_blib$ +\bblibdirs$ +^MANIFEST\.SKIP$ + +# Avoid Module::Build generated and utility files. +\bBuild$ +\bBuild.bat$ +\b_build + +# Avoid Devel::Cover generated files +\bcover_db + +# Avoid temp and backup files. +~$ +\.tmp$ +\.old$ +\.bak$ +\#$ +\.# +\.rej$ + +# Avoid OS-specific files/dirs +# Mac OSX metadata +\B\.DS_Store +# Mac OSX SMB mount metadata files +\B\._ +# Avoid archives of this distribution +\bfedora-security-[\d\.\_]+ Index: fedora-security.spec =================================================================== RCS file: fedora-security.spec diff -N fedora-security.spec --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ fedora-security.spec 14 Jan 2008 16:04:46 -0000 1.2 @@ -0,0 +1,61 @@ +Name: fedora-security +Version: 0.9 +Release: 2%{?dist} +Summary: Tools for Fedora Security Response Team use + +Group: Development/Libraries +License: GPLv2 +URL: http://people.redhat.com/~lkundrak/fedora-security/ +Source0: http://people.redhat.com/~lkundrak/fedora-security/%{name}-%{version}.tar.gz +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildArch: noarch +BuildRequires: perl(Module::Build) +Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) + +%description +Tools for Fedora Security Response Team use + + +%prep +%setup -q + +# Filter unwanted Requires: +cat << \EOF > %{name}-req +#!/bin/sh +%{__perl_requires} $* |\ + sed -e '/perl(Email::Simple)/d' |\ + sed -e '/perl(Mail::Mbox::MessageParser)/d' |\ + sed -e '/perl(Net::FTP)/d' +EOF + +%define __perl_requires %{_builddir}/%{name}-%{version}/%{name}-req +chmod +x %{__perl_requires} + + +%build +%{__perl} Build.PL --installdirs vendor +./Build + + +%install +rm -rf $RPM_BUILD_ROOT +./Build install --destdir $RPM_BUILD_ROOT +find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} ';' +find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null ';' +chmod -R u+w $RPM_BUILD_ROOT/* + + +%clean +rm -rf $RPM_BUILD_ROOT + + +%files +%defattr(-,root,root,-) +%{_bindir}/* +%{perl_vendorlib}/* + + +%changelog +* Sun Jan 06 2008 Lubomir Kundrak <lkundrak(a)redhat.com> 0.9-1 +- Initial packaging attempt --- generate-manifest DELETED --- --- get-cve DELETED --- --- package-release DELETED --- --- parse-announce DELETED --- --- suidaudit DELETED ---

1 0

fedora-security/tools/scripts add-tracking-bugs, 1.1.2.4, 1.1.2.5
by fedora-security-commits＠redhat.com 14 Jan '08

14 Jan '08

Author: thoger Update of /cvs/fedora/fedora-security/tools/scripts In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23159/tools/scripts Modified Files: Tag: lkundrak-tools-ng add-tracking-bugs Log Message: an attempt to unscrew add-tracking-bugs Index: add-tracking-bugs =================================================================== RCS file: /cvs/fedora/fedora-security/tools/scripts/Attic/add-tracking-bugs,v retrieving revision 1.1.2.4 retrieving revision 1.1.2.5 diff -u -r1.1.2.4 -r1.1.2.5 --- add-tracking-bugs 10 Jan 2008 18:01:25 -0000 1.1.2.4 +++ add-tracking-bugs 14 Jan 2008 13:52:05 -0000 1.1.2.5 @@ -64,7 +64,6 @@ $password = ($options{'password'} or read_noecho ("Bugzilla password for $username: ")) unless $dryrun; -$dryrun = 1; my $bugzilla = new Libexig::Bugzilla ({ 'username' => $username, @@ -74,7 +73,9 @@ }); # All the work (not the one that makes Jack a dull boy) - -my $parent_bugs = $bugzilla->get_bugs (\@bugs, ['alias','keywords','priority','bug_id', 'bug_severity', 'short_short_desc']); +my $parent_bugs = $bugzilla->get_bugs (\@bugs, + ['alias','keywords','priority','bug_id', 'bug_severity', 'short_short_desc']); my $tracking_bugs = Libexig::Fedora::tracking_bugs ($parent_bugs, $component, @versions); -print STDERR Libexig::Fedora::file_tracking_bugs ($parent_bugs, $tracking_bugs, $bugzilla, $component); + +print STDERR Libexig::Fedora::file_tracking_bugs (\@bugs, $tracking_bugs, $bugzilla, $component); +

1 0

← Newer
1
2
3
4
5
6
7
...
11
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

security-commits January 2008