From 8846bec763397a5dd90bb8fbde674a5ba127b560 Mon Sep 17 00:00:00 2001
From: Carles Pina i Estany
Date: Mon, 15 Feb 2021 09:14:47 +0000
Subject: Fix CVE10k problem for CVE with more than 4 numbers

It had no consequences in security-tracker: the next-oldstable-point-update.txt file is empty and the next-point-update.txt CVEs are not used yet for what I can see via this code path.
---
 lib/python/debian_support.py | 40 ++++++++++++++++++++++++++++++++++++++++
 lib/python/security_db.py | 39 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 78 insertions(+), 1 deletion(-)
(limited to 'lib')

diff --git a/lib/python/debian_support.py b/lib/python/debian_support.py
index 4c8cff5b38..59d68a8865 100644
--- a/lib/python/debian_support.py
+++ b/lib/python/debian_support.py
@@ -577,6 +577,46 @@ def getconfig():
 _config = json.load(open(findresource("data", "config.json")))
 return _config
+class PointUpdateParser:
+ @staticmethod
+ def parseNextPointUpdateStable():
+ """ Reads data/next-point-update.txt and returns a dictionary such as:
+
+ {'CVE-2014-10402': {'libdbi-perl': '1.642-1+deb10u2'},
+ 'CVE-2019-10203': {'pdns': '4.1.6-3+deb10u1'}
+ }
+ """
+ return PointUpdateParser._parsePointUpdateFile(
+ findresource("data", "next-point-update.txt")
+ )
+
+ @staticmethod
+ def parseNextOldstablePointUpdate():
+ """ Returns a dictionary with the same structure as
+ PointUpdateParser.parseNextPointUpdateStable() for the file
+ data/next-oldstable-point-update.txt
+ """
+ return PointUpdateParser._parsePointUpdateFile(
+ findresource("data", "next-oldstable-point-update.txt")
+ )
+
+ @staticmethod
+ def _parsePointUpdateFile(file_path):
+ CVE_RE = 'CVE-[0-9]{4}-[0-9X]{4,}'
+ result = {}
+
+ with open(file_path) as f:
+ for line in f:
+ res = re.match(CVE_RE, line)
+ if res:
+ cve = res.group(0)
+ result[cve] = {}
+ continue
+ elif line.startswith('\t['):
+ dist, _, pkg, ver = line.split()
+ result[cve][pkg] = ver
+ return result
+
 _releasecodename = None
 def releasecodename(dist):
 """Converts a release name to the code name.
diff --git a/lib/python/security_db.py b/lib/python/security_db.py
index e8167f3187..d501feefda 100644
--- a/lib/python/security_db.py
+++ b/lib/python/security_db.py
@@ -43,6 +43,7 @@ import zlib
 import config
 import debian_support
+from debian_support import PointUpdateParser
 from helpers import isstring
@@ -250,7 +251,7 @@ class DB:
 # Enable WAL. This means that updates will not block readers.
 c.execute("PRAGMA journal_mode = WAL")
- self.schema_version = 22
+ self.schema_version = 23
 self._initFunctions()
 for (v,) in c.execute("PRAGMA user_version"):
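Review bot: In `_parsePointUpdateFile`, the `elif` branch's `result[cve][pkg] = ver` uses `cve`, which is only bound once a `CVE-` header line has matched, so a `\t[` line that precedes any header raises `UnboundLocalError` instead of a parse error that names the file and line. Setting `cve = None` before the loop and adding `if cve is None: raise ValueError("%s: package line before any CVE header: %r" % (file_path, line))` in that branch gives a diagnosable failure; the same wrapping is worth doing around `dist, _, pkg, ver = line.split()`, which raises a bare `ValueError` with no context on any line whose token count is not four. The `continue` in the `if res:` branch is redundant with the `elif` that follows it. Whether `re` is imported at the top of debian_support.py is outside the hunk; the hunk itself adds no import for it, so that should be confirmed before merging.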
@@ -267,6 +268,8 @@ class DB:
 except apsw.SQLError:
 pass
 c.execute("PRAGMA user_version = 22")
+ elif v == 22:
+ self._initSchema22()
 elif v != self.schema_version:
 if self.verbose:
 print("DB: schema version mismatch: expected %d, got %d"
@@ -463,6 +466,21 @@ class DB:
 PRIMARY KEY (bug_name, package, release))
 """)
+ def _initSchema22(self):
+ cursor = self.db.cursor()
+
+ cursor.execute("PRAGMA user_version = 1")
+ self._initNextPointRelease(cursor)
+ cursor.execute("PRAGMA user_version = %d" % self.schema_version)
+
+ def _initNextPointRelease(self, cursor):
+ cursor.execute(
+ """CREATE TABLE next_point_update
+ (cve_name TEXT NOT NULL,
+ release TEXT NOT NULL,
+ PRIMARY KEY (cve_name, release))
+ """)
+
 def _initViews(self, cursor):
 testing = config.get_release_codename('testing')
 cursor.execute(
@@ -896,6 +914,7 @@ class DB:
 cursor.execute("DELETE FROM bugs_xref")
 cursor.execute("DELETE FROM package_notes_nodsa")
 cursor.execute("DELETE FROM removed_packages")
+ cursor.execute("DELETE FROM next_point_update")
 # The *_status tables are regenerated anyway, no need to
 # delete them here.
@@ -1033,6 +1052,24 @@ class DB:
 if not present:
 n.writeDB(cursor, target, bug_origin=source)
+ def insert_next_point_update(cve_names, code_name):
+ for cve_name in cve_names:
+ cursor.execute(
+ """INSERT OR REPLACE INTO next_point_update (cve_name, release)
+ VALUES (?, ?)""", (cve_name, code_name))
+
+ def read_next_point_update():
+ if self.verbose:
+ print(" insert next-point-update.txt/next-oldstable-point-update.txt")
+
+ insert_next_point_update(PointUpdateParser.parseNextPointUpdateStable(),
+ config.get_release_codename('stable'))
+
+ insert_next_point_update(PointUpdateParser.parseNextOldstablePointUpdate(),
+ config.get_release_codename('oldstable'))
+
+ read_next_point_update()
+
 if errors:
 raise InsertError(errors)
-- 
cgit v1.2.3
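Review bot: `_initNextPointRelease` in the `@@ -463` hunk is only called from the new `_initSchema22` migration, so a database created from scratch gets the `next_point_update` table only if the fresh-schema path (outside this hunk) also calls it; otherwise the `DELETE FROM next_point_update` added in the `@@ -896` hunk and the `INSERT OR REPLACE` in the `@@ -1033` hunk fail on a new database with a missing-table error. If the fresh path is the branch ending in `c.execute("PRAGMA user_version = 22")` visible in the `@@ -267` hunk, it now leaves a new database one version behind and relies on a second open to reach `_initSchema22`; adding `self._initNextPointRelease(cursor)` to the fresh table creation would close that gap either way. `_initSchema22` also sets `user_version = 1` before creating the table with no comment on why; if the intent is to mark the database as needing a rebuild should the migration be interrupted (which the earlier migrations appear to do), a one-line comment saying so would help the next reader.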
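Review bot: In the `@@ -1033` hunk, `insert_next_point_update` iterates the dict returned by `PointUpdateParser.parseNextPointUpdateStable()`, so only its keys (the CVE names) are stored and the per-package version mapping the parser's docstring advertises is discarded; if that is intended for now, the parameter name and a comment should say so, e.g. `def insert_next_point_update(cve_names, code_name):  # keys of the parser result; package versions are not stored yet`. A malformed line in either `.txt` file raises `ValueError` inside the parser, which propagates out of `read_next_point_update()` and aborts the whole load rather than being collected in the `errors` list that is raised as `InsertError` just below; consider catching `ValueError` around the two parser calls and appending a message naming the file to `errors`. The method these closures live in starts outside the hunk, so I cannot confirm that `cursor` here is the same cursor used by the surrounding inserts.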