authorCarles Pina i Estany <carles@pina.cat>2021-02-15 09:14:47 +0000
committerSebastien Delafond <seb@debian.org>2021-02-15 09:14:47 +0000
commit8846bec763397a5dd90bb8fbde674a5ba127b560 (patch)
tree25bc1c5cd6072eba029643c372811827cbcc4c2d
parent42b4e9fea7b1dddc9df42a121255c55896182b5b (diff)
Fix CVE10k problem for CVE with more than 4 numbers
It had no consequences in security-tracker: the next-oldstable-point-update.txt file is empty, and as far as I can see the next-point-update.txt CVEs are not used yet via this code path.
-rw-r--r--bin/tracker_data.py22
-rwxr-xr-xbin/tracker_service.py19
-rw-r--r--lib/python/debian_support.py40
-rw-r--r--lib/python/security_db.py39
4 files changed, 97 insertions, 23 deletions
diff --git a/bin/tracker_data.py b/bin/tracker_data.py
index f0bbb0de70..15d173ad6e 100644
--- a/bin/tracker_data.py
+++ b/bin/tracker_data.py
@@ -20,6 +20,7 @@ import subprocess
import requests
import six
+from debian_support import PointUpdateParser
class TrackerData(object):
@@ -125,26 +126,9 @@ class TrackerData(object):
with open(os.path.join(self.DATA_DIR, 'dla-needed.txt'), 'r') as f:
self.dla_needed = self.parse_needed_file(f)
- @classmethod
- def parse_point_update_file(self, inputfile):
- CVE_RE = 'CVE-[0-9]{4}-[0-9X]{4}'
- result = {}
- for line in inputfile:
- res = re.match(CVE_RE, line)
- if res:
- cve = res.group(0)
- result[cve] = {}
- continue
- elif line.startswith('\t['):
- dist, _, pkg, ver = line.split()
- result[cve][pkg] = ver
- return result
-
def load_point_updates(self):
- with open(os.path.join(self.DATA_DIR, 'next-oldstable-point-update.txt'), 'r') as f:
- self.oldstable_point_update = self.parse_point_update_file(f)
- with open(os.path.join(self.DATA_DIR, 'next-point-update.txt'), 'r') as f:
- self.stable_point_update = self.parse_point_update_file(f)
+ self.oldstable_point_update = PointUpdateParser.parseNextOldstablePointUpdate()
+ self.stable_point_update = PointUpdateParser.parseNextPointUpdateStable()
def iterate_packages(self):
"""Iterate over known packages"""
diff --git a/bin/tracker_service.py b/bin/tracker_service.py
index 42394f0f1d..2686bc4c24 100755
--- a/bin/tracker_service.py
+++ b/bin/tracker_service.py
@@ -1314,8 +1314,9 @@ Debian bug number.'''),
urgency = defaultdict(lambda: defaultdict(dict))
nodsa = defaultdict(lambda: defaultdict(dict))
nodsa_reason = defaultdict(lambda: defaultdict(dict))
+ next_point_update = defaultdict(lambda: defaultdict(set))
supported_releases = config.get_supported_releases()
- for (pkg, issue, desc, debianbug, release, subrelease, db_version, db_fixed_version, db_status, db_urgency, db_remote, db_nodsa, db_nodsa_reason) in self.db.cursor().execute(
+ for (pkg, issue, desc, debianbug, release, subrelease, db_version, db_fixed_version, db_status, db_urgency, db_remote, db_nodsa, db_nodsa_reason, db_next_point_update) in self.db.cursor().execute(
"""SELECT sp.name, st.bug_name,
(SELECT cve_desc FROM nvd_data
WHERE cve_name = st.bug_name),
@@ -1335,7 +1336,9 @@ Debian bug number.'''),
AND nd.bug_name = st.bug_name) AS nodsa,
(SELECT reason FROM package_notes_nodsa AS nd
WHERE nd.package = sp.name AND nd.release = sp.release
- AND nd.bug_name = st.bug_name) AS nodsa_reason
+ AND nd.bug_name = st.bug_name) AS nodsa_reason,
+ (SELECT next_point_update.release as next_point_update_release FROM next_point_update
+ WHERE st.bug_name=next_point_update.cve_name) AS next_point_update_release
FROM source_package_status AS st, source_packages AS sp, bugs
WHERE sp.rowid = st.package AND st.bug_name = bugs.name
AND ( st.bug_name LIKE 'CVE-%' OR st.bug_name LIKE 'TEMP-%' )
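Review bot: The scalar subquery added after nodsa_reason returns at most one row per CVE, but the next_point_update table's primary key (cve_name, release) deliberately allows a CVE to be listed for both stable and oldstable, so the second release is silently dropped before it ever reaches the `next_point_update[pkg][issue].add(...)` call in the following hunk. Correlating the subquery on the package's release makes the result unique and directly comparable with the `release in next_point_update[pkg][issue]` check further down: `(SELECT next_point_update.release FROM next_point_update` / `WHERE next_point_update.cve_name = st.bug_name AND next_point_update.release = sp.release) AS next_point_update_release`. This assumes sp.release holds the same codename that config.get_release_codename() returns when the rows are written in security_db.py; the enclosing method starts and ends outside this hunk.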
@@ -1365,6 +1368,8 @@ Debian bug number.'''),
fixed_version[pkg][issue][repository] = db_fixed_version
status[pkg][issue][repository] = db_status
urgency[pkg][issue][repository] = db_urgency
+ if db_next_point_update:
+ next_point_update[pkg][issue].add(db_next_point_update)
if str(db_nodsa) != 'None':
nodsa[pkg][issue][repository] = db_nodsa
if str(db_nodsa_reason) != 'None':
@@ -1422,6 +1427,12 @@ Debian bug number.'''),
suite_nodsa = nodsa[pkg][issue][repository]
if repository in nodsa_reason[pkg][issue]:
suite_nodsa_reason = nodsa_reason[pkg][issue][repository]
+ if pkg in next_point_update and \
+ issue in next_point_update[pkg] and \
+ release in next_point_update[pkg][issue]:
+ suite_next_point_update = True
+ else:
+ suite_next_point_update = None
for repository in repositories[pkg][issue]:
for suffix in ('','-security','-lts'):
subrelease=release+suffix
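Review bot: The three chained membership tests feeding suite_next_point_update are the guarded lookup that a nested defaultdict forces you to spell out by hand; `.get()` avoids the auto-insert and collapses the six lines to one: `suite_next_point_update = True if release in next_point_update.get(pkg, {}).get(issue, ()) else None`. A one-line comment would also help, since the None branch is there so clean_dict drops the key, e.g. `# None rather than False so clean_dict() removes the key when not pending`, if that is indeed what clean_dict does (its definition is outside this hunk). The enclosing loop starts outside this hunk.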
@@ -1432,7 +1443,9 @@ Debian bug number.'''),
"fixed_version" : suite_fixed_version,
"urgency": suite_urgency,
"nodsa": suite_nodsa,
- "nodsa_reason": suite_nodsa_reason}
+ "nodsa_reason": suite_nodsa_reason,
+ "next_point_update": suite_next_point_update
+ }
clean_dict(suites[release])
pkg_issue = { "description": description,
"debianbug": debianbug,
diff --git a/lib/python/debian_support.py b/lib/python/debian_support.py
index 4c8cff5b38..59d68a8865 100644
--- a/lib/python/debian_support.py
+++ b/lib/python/debian_support.py
@@ -577,6 +577,46 @@ def getconfig():
_config = json.load(open(findresource("data", "config.json")))
return _config
+class PointUpdateParser:
+ @staticmethod
+ def parseNextPointUpdateStable():
+ """ Reads data/next-point-update.txt and returns a dictionary such as:
+
+ {'CVE-2014-10402': {'libdbi-perl': '1.642-1+deb10u2'},
+ 'CVE-2019-10203': {'pdns': '4.1.6-3+deb10u1'}
+ }
+ """
+ return PointUpdateParser._parsePointUpdateFile(
+ findresource("data", "next-point-update.txt")
+ )
+
+ @staticmethod
+ def parseNextOldstablePointUpdate():
+ """ Returns a dictionary with the same structure as
+ PointUpdateParser.parseNextPointUpdateStable() for the file
+ data/next-oldstable-point-update.txt
+ """
+ return PointUpdateParser._parsePointUpdateFile(
+ findresource("data", "next-oldstable-point-update.txt")
+ )
+
+ @staticmethod
+ def _parsePointUpdateFile(file_path):
+ CVE_RE = 'CVE-[0-9]{4}-[0-9X]{4,}'
+ result = {}
+
+ with open(file_path) as f:
+ for line in f:
+ res = re.match(CVE_RE, line)
+ if res:
+ cve = res.group(0)
+ result[cve] = {}
+ continue
+ elif line.startswith('\t['):
+ dist, _, pkg, ver = line.split()
+ result[cve][pkg] = ver
+ return result
+
_releasecodename = None
def releasecodename(dist):
"""Converts a release name to the code name.
diff --git a/lib/python/security_db.py b/lib/python/security_db.py
index e8167f3187..d501feefda 100644
--- a/lib/python/security_db.py
+++ b/lib/python/security_db.py
@@ -43,6 +43,7 @@ import zlib
import config
import debian_support
+from debian_support import PointUpdateParser
from helpers import isstring
@@ -250,7 +251,7 @@ class DB:
# Enable WAL. This means that updates will not block readers.
c.execute("PRAGMA journal_mode = WAL")
- self.schema_version = 22
+ self.schema_version = 23
self._initFunctions()
for (v,) in c.execute("PRAGMA user_version"):
@@ -267,6 +268,8 @@ class DB:
except apsw.SQLError:
pass
c.execute("PRAGMA user_version = 22")
+ elif v == 22:
+ self._initSchema22()
elif v != self.schema_version:
if self.verbose:
print("DB: schema version mismatch: expected %d, got %d"
@@ -463,6 +466,21 @@ class DB:
PRIMARY KEY (bug_name, package, release))
""")
+ def _initSchema22(self):
+ cursor = self.db.cursor()
+
+ cursor.execute("PRAGMA user_version = 1")
+ self._initNextPointRelease(cursor)
+ cursor.execute("PRAGMA user_version = %d" % self.schema_version)
+
+ def _initNextPointRelease(self, cursor):
+ cursor.execute(
+ """CREATE TABLE next_point_update
+ (cve_name TEXT NOT NULL,
+ release TEXT NOT NULL,
+ PRIMARY KEY (cve_name, release))
+ """)
+
def _initViews(self, cursor):
testing = config.get_release_codename('testing')
cursor.execute(
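Review bot: Nothing in this commit calls `_initNextPointRelease` from the path that builds a brand-new database; unless the initial-schema method (outside these hunks) is updated separately, a freshly created tracker database will lack the next_point_update table while its user_version already reports 23, and the DELETE and INSERT added later in this file will fail on it. The method name also does not match the table it creates; `_initNextPointUpdate` would mirror `next_point_update` and the other `_init*` helpers. A short docstring on `_initSchema22` would help future migrations, e.g. `"""Migrate a version-22 database to 23: add the next_point_update table."""`, and one on the table creator noting that `release` holds the codename written by read_next_point_update.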
@@ -896,6 +914,7 @@ class DB:
cursor.execute("DELETE FROM bugs_xref")
cursor.execute("DELETE FROM package_notes_nodsa")
cursor.execute("DELETE FROM removed_packages")
+ cursor.execute("DELETE FROM next_point_update")
# The *_status tables are regenerated anyway, no need to
# delete them here.
@@ -1033,6 +1052,24 @@ class DB:
if not present:
n.writeDB(cursor, target, bug_origin=source)
+ def insert_next_point_update(cve_names, code_name):
+ for cve_name in cve_names:
+ cursor.execute(
+ """INSERT OR REPLACE INTO next_point_update (cve_name, release)
+ VALUES (?, ?)""", (cve_name, code_name))
+
+ def read_next_point_update():
+ if self.verbose:
+ print(" insert next-point-update.txt/next-oldstable-point-update.txt")
+
+ insert_next_point_update(PointUpdateParser.parseNextPointUpdateStable(),
+ config.get_release_codename('stable'))
+
+ insert_next_point_update(PointUpdateParser.parseNextOldstablePointUpdate(),
+ config.get_release_codename('oldstable'))
+
+ read_next_point_update()
+
if errors:
raise InsertError(errors)
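Review bot: `insert_next_point_update` receives the parser's `{cve: {package: version}}` dictionaries but iterates only their keys, so the per-package versions are silently discarded; a docstring should say so, e.g. `"""Record every CVE name in cve_names (a dict; its package/version values are ignored) as pending for the code_name release."""`. Any failure while opening or parsing the two data files (a missing file, or a malformed line) propagates straight out of this method rather than being collected into `errors` like the problems it reports via InsertError, which aborts the whole database update; whether that is intended depends on how the loaders above this hunk handle their own input errors. `read_next_point_update` is defined only to be called once on the next line, so its body could be inlined under a comment instead of a nested function.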
