author | Nico Golde <nion@debian.org> | 2008-03-28 17:08:08 +0000 |
---|---|---|
committer | Nico Golde <nion@debian.org> | 2008-03-28 17:08:08 +0000 |
commit | 4dde8db95231b7d1c1ff3d149442e1730e5e77b6 (patch) | |
tree | d168f8a276c90f7af14e7d147fb803964e9e4b73 | |
parent | 0674fc5363b8fcc72166092831258913f3b343a6 (diff) |
adding report-vuln script
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@8437 e39458fd-73e7-0310-bf30-c45bca0a0e42
-rwxr-xr-x | bin/report-vuln | 121 | ||||
-rw-r--r-- | doc/narrative_introduction | 3 |
2 files changed, 124 insertions, 0 deletions
diff --git a/bin/report-vuln b/bin/report-vuln
new file mode 100755
index 0000000000..fb42e7713f
--- /dev/null
+++ b/bin/report-vuln
@@ -0,0 +1,121 @@
+#!/usr/bin/env python
+#
+# generate bug report content for a given package name
+# and a number of CVE ids
+#
+# you could use it for example in combination with the
+# following shell function:
+# report-vuln(){
+# TMPFILE="$HOME/reportbug.tmp"
+# $HOME/debian/svn/secure-testing/bin/report-vuln "$@" > $TMPFILE
+# mutt -i $TMPFILE submit@bugs.debian.org
+# rm $TMPFILE
+# }
+
+import sys, re, httplib
+
+def gen_index(ids):
+ ret = ''
+ for cnt, id in enumerate(ids):
+ ret += '\n[' + str(cnt) + '] http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id + '\n'
+ ret += ' http://security-tracker.debian.net/tracker/' + id
+
+ return ret
+
+# this is a hack that parses the cve id description from mitre
+def get_cve(id):
+ desc = False
+ r = re.compile('.*<th\ colspan=.*>Description<.*')
+ tag = re.compile('.*</?tr>.*')
+ try:
+ conn = httplib.HTTPConnection('cve.mitre.org')
+ conn.request('GET', '/cgi-bin/cvename.cgi?name=' + id)
+ resp = conn.getresponse()
+ ret = ''
+ except Exception, e:
+ error('on doing HTTP request' + str(e))
+
+ for line in resp.read().rsplit('\n'):
+ if r.match(line):
+ desc = True
+ continue
+
+ if tag.match(line) and desc:
+ continue
+
+ if desc and '<td colspan="2">' in line:
+ ret += '| ' + re.sub('.*<td colspan="2">', '', line)
+ continue
+
+ if desc and '</td>' in line:
+ break
+
+ if desc and line != '':
+ ret = ret + '\n| ' + line
+
+ return ret + '\n'
+
+def gen_text(pkg, cveid):
+ vuln_suff = 'y'
+ cve_suff = ''
+ time_w = 'was'
+
+ if len(cveid) > 1:
+ cve_suff = 's'
+ vuln_suff = 'ies'
+ time_w = 'were'
+
+ header = '''Package: %s
+Version: FILLINAFFECTEDVERSION
+Severity: FILLINSEVERITY
+Tags: security
+
+Hi,
+the following CVE (Common Vulnerabilities & Exposures) id%s %s
+published for %s.
+
+''' % (pkg, cve_suff, time_w, pkg)
+
+ footer = '''If you fix the vulnerabilit%s please also make sure to include the
+CVE id%s in your changelog entry.
+ +For further information see:''' % (vuln_suff, cve_suff) + + print header + for cnt, cve in enumerate(cveid): + print cve + '[' + str(cnt) + ']:' + print get_cve(cve) + + print footer + print gen_index(cveid) + +def error(msg): + print 'error: ' + msg + sys.exit(1) + +def usage(): + print sys.argv[0], '<pkg> <cve id(s)>' + sys.exit(0) + +def main(): + if len(sys.argv) < 3: + usage() + + pkg = sys.argv[1] + cve = sys.argv[2:] + + # check for valid parameters + p = re.compile('^[a-z].*') + c = re.compile('(CVE|cve)\-[0-9]{4}-[0-9]{4}') + + if not p.match(pkg): + error(pkg + ' does not seem to be a valid source package name') + + for arg in cve: + if not c.match(arg): + error(arg + ' does not seem to be a valid CVE id') + + gen_text(pkg, cve) + +if __name__ == '__main__': + main() diff --git a/doc/narrative_introduction b/doc/narrative_introduction index b1d1a03ce4..c45bba7f2e 100644 --- a/doc/narrative_introduction +++ b/doc/narrative_introduction @@ -198,6 +198,9 @@ http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security;users=debian-security@ A special exception is made for kernel related issues. The kernel-sec group will take care of them and file bugs if needed. +If you wan't to report a bug, bin/report-vuln might be helpful in creating +the bug report. + If a vulnerability does not affect Debian, e.g. because the vulnerable code is not contained, it is marked as <not-affected>: |
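Review bot: The two validation patterns in main() are checked with `re.match` and have no end anchor, so `^[a-z].*` accepts any string that starts with a lowercase letter and `(CVE|cve)\-[0-9]{4}-[0-9]{4}` accepts any suffix after a well-formed id. Both values are then used verbatim: the id is concatenated into the request path in get_cve() and into the URLs built by gen_index(), and pkg is written into the `Package:` pseudo-header of the generated report, where an embedded newline would add further pseudo-header lines. I would anchor both, e.g. `p = re.compile(r'^[a-z0-9][a-z0-9+.-]+\Z')` and `c = re.compile(r'^(CVE|cve)-[0-9]{4}-[0-9]{4}\Z')`, so that only a Debian-style package name and a bare CVE id get through. Separately, get_cve() never looks at `resp.status`, so a non-200 reply or a changed page layout yields an empty description without any error.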