diff options
| author | Salvatore Bonaccorso <carnil@debian.org> | 2014-09-01 10:40:19 +0000 |
|---|---|---|
| committer | Salvatore Bonaccorso <carnil@debian.org> | 2014-09-01 10:40:19 +0000 |
| commit | bd8595277d4cf204bf2275e7e47639ad531332fb (patch) | |
| tree | 20b217d156b6ad9ce63607ad9d96762da4078919 | |
| parent | cc78a021fac0dcfdaf0fcaa4ef8a729d98f514ac (diff) | |
add support for squeeze-lts (Closes: #759727 once Florian has applied this to soler.d.o)
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@28539 e39458fd-73e7-0310-bf30-c45bca0a0e42
| -rw-r--r-- | Makefile | 23 | ||||
| -rwxr-xr-x | bin/check-syntax | 6 | ||||
| -rw-r--r-- | bin/tracker_service.py | 2 | ||||
| -rwxr-xr-x | bin/update | 2 | ||||
| -rwxr-xr-x | bin/updatelist | 2 | ||||
| -rw-r--r-- | lib/python/bugs.py | 47 | ||||
| -rw-r--r-- | lib/python/sectracker/parsers.py | 17 | ||||
| -rw-r--r-- | lib/python/sectracker_test/test_analyzers.py | 1 | ||||
| -rw-r--r-- | lib/python/sectracker_test/test_parsers.py | 5 | ||||
| -rw-r--r-- | lib/python/security_db.py | 35 |
10 files changed, 121 insertions, 19 deletions
@@ -7,6 +7,7 @@ BUG_LISTS = $(wildcard data/*/list) MIRROR = http://cdn.debian.net/debian/ squeeze_ARCHS = amd64 armel i386 ia64 mips mipsel powerpc s390 sparc kfreebsd-i386 kfreebsd-amd64 +squeeze_LTS_ARCHS = amd64 i386 wheezy_ARCHS = amd64 armel armhf i386 ia64 mips mipsel powerpc s390 s390x sparc kfreebsd-i386 kfreebsd-amd64 jessie_ARCHS = amd64 armel armhf i386 mips mipsel powerpc s390x kfreebsd-i386 kfreebsd-amd64 sid_ARCHS = amd64 armel armhf hurd-i386 i386 kfreebsd-i386 kfreebsd-amd64 mips mipsel powerpc s390x sparc @@ -27,7 +28,7 @@ clean: test check: check-syntax check-syntax: stamps/CVE-syntax \ - stamps/DSA-syntax stamps/DTSA-syntax + stamps/DSA-syntax stamps/DTSA-syntax stamps/DLA-syntax stamps/CVE-syntax: data/CVE/list bin/check-syntax $(PYTHON_MODULES) $(PYTHON) bin/check-syntax CVE data/CVE/list @@ -41,6 +42,10 @@ stamps/DTSA-syntax: data/DTSA/list bin/check-syntax $(PYTHON_MODULES) $(PYTHON) bin/check-syntax DTSA data/DTSA/list touch $@ +stamps/DLA-syntax: data/DLA/list bin/check-syntax $(PYTHON_MODULES) + $(PYTHON) bin/check-syntax DLA data/DLA/list + touch $@ + .PHONY: serve serve: @bash bin/test-web-server @@ -136,7 +141,7 @@ update-security: update-old-security done ; \ done -update-old-security: +update-old-security: update-lts for archive in $(OLDSTABLE); do \ for section in main contrib non-free ; do \ $(PYTHON) bin/apt-update-file \ @@ -150,6 +155,20 @@ update-old-security: done ; \ done +LTS_MIRROR = http://ftp.de.debian.org/debian/dists +update-lts: update-lts-$(OLDSTABLE) + +update-lts-$(OLDSTABLE): + set -e && archive=$(shell echo $@ | cut -d- -f3) ; \ + for arch in $($(shell echo $@ | cut -d- -f3)_LTS_ARCHS) ; do \ + $(PYTHON) bin/apt-update-file \ + $(LTS_MIRROR)/$${archive}-lts/main/binary-$$arch/Packages \ + data/packages/$${archive}-lts__main_$${arch}_Packages ; \ + done ; \ + $(PYTHON) bin/apt-update-file \ + $(LTS_MIRROR)/$${archive}-lts/main/source/Sources \ + data/packages/$${archive}-lts__main_Sources ; \ + BACKPORTS_MIRROR = http://ftp.de.debian.org/debian-backports/dists update-backports: update-backports-$(STABLE) update-backports-$(OLDSTABLE) diff --git a/bin/check-syntax b/bin/check-syntax index 688ea39503..ee23752068 100755 --- a/bin/check-syntax +++ b/bin/check-syntax @@ -65,9 +65,13 @@ def parse_DSA(name): def parse_DTSA(name): do_parse(construct(bugs.DTSAFile, name)) +def parse_DLA(name): + do_parse(construct(bugs.DLAFile, name)) + file_types = {'CVE' : parse_CVE, 'DSA' : parse_DSA, - 'DTSA' : parse_DTSA} + 'DTSA' : parse_DTSA, + 'DLA' : parse_DLA} if len(sys.argv) <> 3 or not file_types.has_key(sys.argv[1]): l = file_types.keys() diff --git a/bin/tracker_service.py b/bin/tracker_service.py index 0f0dbc9363..9be7bd5cee 100644 --- a/bin/tracker_service.py +++ b/bin/tracker_service.py @@ -342,6 +342,8 @@ data source.""")], source_xref = self.make_dsa_ref(url, bug.name, 'Debian') elif source == 'DTSA': source_xref = 'Debian Testing Security Team' + elif source == 'DLA': + source_xref = 'Debian LTS Team' elif source == 'TEMP': source_xref = ( 'Automatically generated temporary name. Not for external reference.') diff --git a/bin/update b/bin/update index 22d50def14..79520153b7 100755 --- a/bin/update +++ b/bin/update @@ -10,5 +10,5 @@ cd CVE rm -f allitems.html wget --quiet https://cve.mitre.org/data/downloads/allitems.html.gz gunzip allitems.html.gz -../../bin/updatelist allitems.html ../DSA/list ../DTSA/list list > list.new +../../bin/updatelist allitems.html ../DSA/list ../DTSA/list ../DLA/list list > list.new mv -f list.new list diff --git a/bin/updatelist b/bin/updatelist index b103d8b872..e32b370f48 100755 --- a/bin/updatelist +++ b/bin/updatelist @@ -2,6 +2,7 @@ my $html=shift; my $dsa_list=shift; my $dtsa_list=shift; +my $dla_list=shift; my $our_list=shift; my %cves; @@ -28,6 +29,7 @@ sub read_dsa { } read_dsa($dsa_list); read_dsa($dtsa_list); +read_dsa($dla_list); my %listedcves; diff --git a/lib/python/bugs.py b/lib/python/bugs.py index 49ccf04ab4..70108ffb43 100644 --- a/lib/python/bugs.py +++ b/lib/python/bugs.py @@ -418,9 +418,9 @@ class FileBase(debian_support.PackageFile): re_whitespace = re.compile(r'\s+') re_xref_entry = re.compile('^(?:CVE-\d{4}-\d{4,}' + r'|VU#\d{6}' - + r'|DSA-\d+(?:-\d+)?|DTSA-\d+-\d+)$') + + r'|DSA-\d+(?:-\d+)?|DTSA-\d+-\d+|DLA-\d+-\d+)$') re_xref_entry_own = re.compile( - '^(?:CVE-\d{4}-\d{4,}|DSA-\d+(?:-\d+)?|DTSA-\d+-\d+)$') + '^(?:CVE-\d{4}-\d{4,}|DSA-\d+(?:-\d+)?|DTSA-\d+-\d+|DLA-\d+-\d+)$') re_package_required = re.compile(r'^(?:\[.*\]\s*)?-') re_package_version = re.compile( @@ -808,7 +808,48 @@ class DSAFile(FileBase): # Merge identical package notes, for historical reasons. bug.mergeNotes() return bug - + +class DLAFile(FileBase): + """A DLA file. + + Similar to a CVE file, only that it contains DLAs as its main + reference point, and release dates. + """ + + re_dsa = re.compile(r'^\[(\d\d) ([A-Z][a-z][a-z]) (\d{4})\] ' + + r'(DLA-\d+(?:-\d+)?)\s+' + + r'(.*?)\s*$') + + month_names = {'Jan': 1, + 'Feb': 2, + 'Mar': 3, + 'Apr': 4, + 'May': 5, + 'Jun': 6, + 'Jul': 7, + 'Aug': 8, + 'Sep': 9, + 'Oct': 10, + 'Nov': 11, + 'Dec': 12} + + def matchHeader(self, line): + match = self.re_dsa.match(line) + if not match: + self.raiseSyntaxError("expected DLA record, got: %s" % `line`) + (record_name, description) = match.groups() + (day, month, year, name, desc) = match.groups() + try: + month = self.month_names[month] + except KeyError: + self.raiseSyntaxError("invalid month name %s" % `month`) + return ("%s-%02d-%s" % (year, month, day), name, desc) + + def finishBug(self, bug): + # Merge identical package notes, for historical reasons. + bug.mergeNotes() + return bug + class DTSAFile(FileBase): """A DTSA file. diff --git a/lib/python/sectracker/parsers.py b/lib/python/sectracker/parsers.py index 6354dcccb6..518b6039a4 100644 --- a/lib/python/sectracker/parsers.py +++ b/lib/python/sectracker/parsers.py @@ -313,3 +313,20 @@ def dtsalist(path, f): _checkrelease(anns, diag, "DTSA") return Bug(path, Header(headerlineno, name, None), tuple(anns)) return _parselist(path, f, parseheader, finish) + +@_xpickle.loader("DLA" + FORMAT) +def dlalist(path, f): + re_header = re.compile( + r'^\[([A-Z][a-z]{2,}) (\d\d?)(?:st|nd|rd|th), (\d{4})\] ' + + r'(DLA-\d+-\d+)\s+' + + r'(.*?)\s*$') + def parseheader(line): + match = re_header.match(line) + if match is None: + return None + return match.groups() + def finish(header, headerlineno, anns, diag): + d, m, y, name, desc = header + _checkrelease(anns, diag, "DLA") + return Bug(path, Header(headerlineno, name, None), tuple(anns)) + return _parselist(path, f, parseheader, finish) diff --git a/lib/python/sectracker_test/test_analyzers.py b/lib/python/sectracker_test/test_analyzers.py index 880e58ad02..133c9386dd 100644 --- a/lib/python/sectracker_test/test_analyzers.py +++ b/lib/python/sectracker_test/test_analyzers.py @@ -26,6 +26,7 @@ from sectracker.repo import Config diag = Diagnostics() bugdb = mergelists((p.cvelist("../../data/CVE/list"), p.dsalist("../../data/DSA/list"), + p.dlalist("../../data/DLA/list"), p.dtsalist("../../data/DTSA/list")), diag) assert "CVE-1999-0001" in bugdb assert "DSA-135" in bugdb diff --git a/lib/python/sectracker_test/test_parsers.py b/lib/python/sectracker_test/test_parsers.py index 20a5f29712..436b2f027c 100644 --- a/lib/python/sectracker_test/test_parsers.py +++ b/lib/python/sectracker_test/test_parsers.py @@ -40,6 +40,11 @@ o = dtsalist("../../data/DTSA/list") for err in o.messages: print "%s:%d: %s: %s" % (err.file, err.line, err.level, err.message) +safeunlink("../../data/DLA/list" + EXTENSION) +o = dlalist("../../data/DLA/list") +for err in o.messages: + print "%s:%d: %s: %s" % (err.file, err.line, err.level, err.message) + Message = sectracker.diagnostics.Message for (line, res, xmsgs) in [ (' - foo <unfixed>', diff --git a/lib/python/security_db.py b/lib/python/security_db.py index f7e86fd9ca..2d362d239c 100644 --- a/lib/python/security_db.py +++ b/lib/python/security_db.py @@ -385,7 +385,7 @@ class DB: AND NOT COALESCE((SELECT NOT vulnerable FROM source_packages AS secp, source_package_status AS secst WHERE secp.name = sp.name - AND secp.release = '%s' AND secp.subrelease = 'security' + AND secp.release = '%s' AND ( secp.subrelease = 'security' OR secp.subrelease = 'lts' ) AND secp.archive = sp.archive AND secst.bug_name = st.bug_name AND secst.package = secp.rowid), 0) @@ -555,6 +555,9 @@ class DB: if unchanged: continue + if release == 'squeeze-lts': + release = 'squeeze' + subrelease = 'lts' cursor.execute( """DELETE FROM source_packages WHERE release = ? AND subrelease = ? AND archive = ?""", @@ -615,6 +618,9 @@ class DB: raise ValueError, "invalid file name: " + `filename` (release, subrelease, archive, architecture) = match.groups() + if release == 'squeeze-lts': + release = 'squeeze' + subrelease = 'lts' (unch, parsed) = self._parseFile(cursor, filename) unchanged = unchanged and unch for name in parsed.keys(): @@ -726,6 +732,7 @@ class DB: sources = ((bugs.CVEFile, '/CVE/list'), (bugs.DSAFile, '/DSA/list'), (bugs.DTSAFile, '/DTSA/list'), + (bugs.DLAFile, '/DLA/list'), (None, source_removed_packages)) unchanged = True @@ -773,12 +780,12 @@ class DB: if self.verbose: print " copy notes" - # Copy notes from DSA/DTSA to CVE. + # Copy notes from DSA/DTSA/DLA to CVE. old_source = '' for source, target in list(cursor.execute( """SELECT source, target FROM bugs_xref - WHERE (source LIKE 'DTSA-%' OR source LIKE 'DSA-%') + WHERE (source LIKE 'DTSA-%' OR source LIKE 'DSA-%' OR source LIKE 'DLA-%') AND target LIKE 'CVE-%'""")): if source <> old_source: source_bug = bugs.BugFromDB(cursor, source) @@ -1139,14 +1146,14 @@ class DB: # note/release/subrelease triple, but we should check that # here. - status = {'' : {}, 'security' : {}} + status = {'' : {}, 'security' : {}, 'lts' : {}} for (package, note, subrelease, vulnerable, urgency) in cursor.execute( """SELECT DISTINCT sp.name, n.id, sp.subrelease, st.vulnerable, n.urgency FROM source_package_status AS st, source_packages AS sp, package_notes AS n WHERE st.bug_name = ? AND sp.rowid = st.package - AND sp.release = ? AND sp.subrelease IN ('', 'security') + AND sp.release = ? AND sp.subrelease IN ('', 'security', 'lts') AND n.bug_name = st.bug_name AND n.package = sp.name ORDER BY sp.name""", (bug_name, nickname)): @@ -1166,6 +1173,8 @@ class DB: unfixed_pkgs[package] = True if status['security'].get((package, note), True): fixed_in_security = False + elif status['lts'].get((package, note), True): + fixed_in_security = False elif vulnerable == 2: undet_pkgs[package] = True @@ -1277,7 +1286,7 @@ class DB: FROM source_packages AS p, source_package_status AS st WHERE p.name = ? AND p.release = ? - AND p.subrelease IN ('', 'security') + AND p.subrelease IN ('', 'security', 'lts') AND st.bug_name = ? AND st.package = p.rowid ORDER BY p.version COLLATE version DESC""" @@ -1438,10 +1447,10 @@ class DB: # covers binary-only NMUs. for (v,) in c.execute("""SELECT version FROM source_packages WHERE name = ?1 - AND release = ?2 AND subrelease IN ('', 'security') + AND release = ?2 AND subrelease IN ('', 'security', 'lts') UNION ALL SELECT source_version FROM binary_packages WHERE source = ?1 - AND release = ?2 AND subrelease IN ('', 'security')""", + AND release = ?2 AND subrelease IN ('', 'security', 'lts')""", (package, release)): if debian_support.Version(v) >= v_ref: other_versions[v] = True @@ -1660,17 +1669,17 @@ class DB: AND COALESCE((SELECT st2.vulnerable FROM source_packages AS sp2, source_package_status AS st2 WHERE sp2.name = sp.name AND sp2.release = sp.release - AND sp2.subrelease = 'security' AND sp2.archive = sp.archive + AND ( sp2.subrelease = 'security' OR sp2.subrelease = 'lts' ) AND sp2.archive = sp.archive AND st2.package = sp2.rowid AND st2.bug_name = st.bug_name ORDER BY st2.vulnerable DESC), 1)) AS vulnerable, st.urgency = 'unimportant' OR NOT vulnerable AS unimportant FROM source_packages AS sp, source_package_status AS st, bugs WHERE sp.name = ? AND sp.release IN ('squeeze', 'wheezy', 'jessie', 'sid') - AND sp.subrelease <> 'security' + AND sp.subrelease <> 'security' AND sp.subrelease <> 'lts' AND st.package = sp.rowid AND bugs.name = st.bug_name - AND bugs.name NOT LIKE 'DSA-%' + AND bugs.name LIKE 'CVE-%' GROUP BY bugs.name, bugs.description, sp.name) WHERE vulnerable = ? AND unimportant = ? ORDER BY name""", (pkg, vulnerable, unimportant)) @@ -1680,9 +1689,10 @@ class DB: """SELECT bugs.name, bugs.description FROM bugs, package_notes as p WHERE p.bug_name = bugs.name - AND bugs.name LIKE 'DSA-%' + AND ( bugs.name LIKE 'DSA-%' OR bugs.name LIKE 'DLA-%') AND p.package = ?""", (package,)) + def getTODOs(self, cursor=None, hide_check=False): """Returns a list of pairs (BUG-NAME, DESCRIPTION).""" if cursor is None: @@ -1928,6 +1938,7 @@ def test(): assert not b.not_for_us assert 'DSA-800-1' in b.xref, b.xref assert 'DTSA-10-1' in b.xref, b.xref + assert 'DLA-23-1' in b.xref, b.xref assert tuple(b.comments) == (('NOTE', 'gnumeric/goffice includes one as well; according to upstream not exploitable in gnumeric,'), ('NOTE', 'new copy will be included any way')),\ b.comments |