From 8846bec763397a5dd90bb8fbde674a5ba127b560 Mon Sep 17 00:00:00 2001
From: Carles Pina i Estany <carles@pina.cat>
Date: Mon, 15 Feb 2021 09:14:47 +0000
Subject: Fix CVE10k problem for CVE with more than 4 numbers

It had no consequences in security-tracker: the
next-oldstable-point-update.txt file is empty and the
next-point-update.txt CVEs are not used yet for what I can see via this
code path.
---
 bin/tracker_data.py    | 22 +++-------------------
 bin/tracker_service.py | 19 ++++++++++++++++---
 2 files changed, 19 insertions(+), 22 deletions(-)

(limited to 'bin')

diff --git a/bin/tracker_data.py b/bin/tracker_data.py
index f0bbb0de70..15d173ad6e 100644
--- a/bin/tracker_data.py
+++ b/bin/tracker_data.py
@@ -20,6 +20,7 @@ import subprocess
 
 import requests
 import six
+from debian_support import PointUpdateParser
 
 
 class TrackerData(object):
@@ -125,26 +126,9 @@ class TrackerData(object):
         with open(os.path.join(self.DATA_DIR, 'dla-needed.txt'), 'r') as f:
             self.dla_needed = self.parse_needed_file(f)
 
-    @classmethod
-    def parse_point_update_file(self, inputfile):
-        CVE_RE = 'CVE-[0-9]{4}-[0-9X]{4}'
-        result = {}
-        for line in inputfile:
-            res = re.match(CVE_RE, line)
-            if res:
-                cve = res.group(0)
-                result[cve] = {}
-                continue
-            elif line.startswith('\t['):
-                dist, _, pkg, ver = line.split()
-                result[cve][pkg] = ver
-        return result
-
     def load_point_updates(self):
-        with open(os.path.join(self.DATA_DIR, 'next-oldstable-point-update.txt'), 'r') as f:
-            self.oldstable_point_update = self.parse_point_update_file(f)
-        with open(os.path.join(self.DATA_DIR, 'next-point-update.txt'), 'r') as f:
-            self.stable_point_update = self.parse_point_update_file(f)
+        self.oldstable_point_update = PointUpdateParser.parseNextOldstablePointUpdate()
+        self.stable_point_update = PointUpdateParser.parseNextPointUpdateStable()
 
     def iterate_packages(self):
         """Iterate over known packages"""
diff --git a/bin/tracker_service.py b/bin/tracker_service.py
index 42394f0f1d..2686bc4c24 100755
--- a/bin/tracker_service.py
+++ b/bin/tracker_service.py
@@ -1314,8 +1314,9 @@ Debian bug number.'''),
         urgency = defaultdict(lambda: defaultdict(dict))
         nodsa = defaultdict(lambda: defaultdict(dict))
         nodsa_reason = defaultdict(lambda: defaultdict(dict))
+        next_point_update = defaultdict(lambda: defaultdict(set))
         supported_releases = config.get_supported_releases()
-        for (pkg, issue, desc, debianbug, release, subrelease, db_version, db_fixed_version, db_status, db_urgency, db_remote, db_nodsa, db_nodsa_reason) in self.db.cursor().execute(
+        for (pkg, issue, desc, debianbug, release, subrelease, db_version, db_fixed_version, db_status, db_urgency, db_remote, db_nodsa, db_nodsa_reason, db_next_point_update) in self.db.cursor().execute(
                 """SELECT sp.name, st.bug_name,
                 (SELECT cve_desc FROM nvd_data
                 WHERE cve_name = st.bug_name),
@@ -1335,7 +1336,9 @@ Debian bug number.'''),
                 AND nd.bug_name = st.bug_name) AS nodsa,
                 (SELECT reason FROM package_notes_nodsa AS nd
                 WHERE nd.package = sp.name AND nd.release = sp.release
-                AND nd.bug_name = st.bug_name) AS nodsa_reason
+                AND nd.bug_name = st.bug_name) AS nodsa_reason,
+                (SELECT next_point_update.release as next_point_update_release FROM next_point_update
+                WHERE st.bug_name=next_point_update.cve_name) AS next_point_update_release
                 FROM source_package_status AS st, source_packages AS sp, bugs
                 WHERE sp.rowid = st.package AND st.bug_name = bugs.name
                 AND ( st.bug_name LIKE 'CVE-%' OR st.bug_name LIKE 'TEMP-%' )
@@ -1365,6 +1368,8 @@ Debian bug number.'''),
             fixed_version[pkg][issue][repository] = db_fixed_version
             status[pkg][issue][repository] = db_status
             urgency[pkg][issue][repository] = db_urgency
+            if db_next_point_update:
+                next_point_update[pkg][issue].add(db_next_point_update)
             if str(db_nodsa) != 'None':
                 nodsa[pkg][issue][repository] = db_nodsa
             if str(db_nodsa_reason) != 'None':
@@ -1422,6 +1427,12 @@ Debian bug number.'''),
                         suite_nodsa = nodsa[pkg][issue][repository]
                     if repository in nodsa_reason[pkg][issue]:
                         suite_nodsa_reason = nodsa_reason[pkg][issue][repository]
+                    if pkg in next_point_update and \
+                            issue in next_point_update[pkg] and \
+                            release in next_point_update[pkg][issue]:
+                        suite_next_point_update = True
+                    else:
+                        suite_next_point_update = None
                     for repository in repositories[pkg][issue]:
                         for suffix in ('','-security','-lts'):
                             subrelease=release+suffix
@@ -1432,7 +1443,9 @@ Debian bug number.'''),
                                         "fixed_version" : suite_fixed_version,
                                         "urgency": suite_urgency,
                                         "nodsa": suite_nodsa,
-                                        "nodsa_reason": suite_nodsa_reason}
+                                        "nodsa_reason": suite_nodsa_reason,
+                                        "next_point_update": suite_next_point_update
+                                        }
                     clean_dict(suites[release])
                 pkg_issue = { "description": description,
                               "debianbug": debianbug,
-- 
cgit v1.2.3