From ee615967842797c7d9fe74f87d9e01ef05d838d7 Mon Sep 17 00:00:00 2001 From: Carles Pina i Estany Date: Mon, 15 Feb 2021 09:14:47 +0000 Subject: Fix CVE10k problem for CVE with more than 4 numbers It had no consequences in security-tracker: the next-oldstable-point-update.txt file is empty and the next-point-update.txt CVEs are not used yet for what I can see via this code path. --- bin/tracker_data.py | 22 +++------------------- bin/tracker_service.py | 19 ++++++++++++++++--- lib/python/debian_support.py | 40 ++++++++++++++++++++++++++++++++++++++++ lib/python/security_db.py | 39 ++++++++++++++++++++++++++++++++++++++- 4 files changed, 97 insertions(+), 23 deletions(-) diff --git a/bin/tracker_data.py b/bin/tracker_data.py index f0bbb0de70..15d173ad6e 100644 --- a/bin/tracker_data.py +++ b/bin/tracker_data.py @@ -20,6 +20,7 @@ import subprocess import requests import six +from debian_support import PointUpdateParser class TrackerData(object): @@ -125,26 +126,9 @@ class TrackerData(object): with open(os.path.join(self.DATA_DIR, 'dla-needed.txt'), 'r') as f: self.dla_needed = self.parse_needed_file(f) - @classmethod - def parse_point_update_file(self, inputfile): - CVE_RE = 'CVE-[0-9]{4}-[0-9X]{4}' - result = {} - for line in inputfile: - res = re.match(CVE_RE, line) - if res: - cve = res.group(0) - result[cve] = {} - continue - elif line.startswith('\t['): - dist, _, pkg, ver = line.split() - result[cve][pkg] = ver - return result - def load_point_updates(self): - with open(os.path.join(self.DATA_DIR, 'next-oldstable-point-update.txt'), 'r') as f: - self.oldstable_point_update = self.parse_point_update_file(f) - with open(os.path.join(self.DATA_DIR, 'next-point-update.txt'), 'r') as f: - self.stable_point_update = self.parse_point_update_file(f) + self.oldstable_point_update = PointUpdateParser.parseNextOldstablePointUpdate() + self.stable_point_update = PointUpdateParser.parseNextPointUpdateStable() def iterate_packages(self): """Iterate over known packages""" diff --git a/bin/tracker_service.py b/bin/tracker_service.py index 42394f0f1d..2686bc4c24 100755 --- a/bin/tracker_service.py +++ b/bin/tracker_service.py @@ -1314,8 +1314,9 @@ Debian bug number.'''), urgency = defaultdict(lambda: defaultdict(dict)) nodsa = defaultdict(lambda: defaultdict(dict)) nodsa_reason = defaultdict(lambda: defaultdict(dict)) + next_point_update = defaultdict(lambda: defaultdict(set)) supported_releases = config.get_supported_releases() - for (pkg, issue, desc, debianbug, release, subrelease, db_version, db_fixed_version, db_status, db_urgency, db_remote, db_nodsa, db_nodsa_reason) in self.db.cursor().execute( + for (pkg, issue, desc, debianbug, release, subrelease, db_version, db_fixed_version, db_status, db_urgency, db_remote, db_nodsa, db_nodsa_reason, db_next_point_update) in self.db.cursor().execute( """SELECT sp.name, st.bug_name, (SELECT cve_desc FROM nvd_data WHERE cve_name = st.bug_name), @@ -1335,7 +1336,9 @@ Debian bug number.'''), AND nd.bug_name = st.bug_name) AS nodsa, (SELECT reason FROM package_notes_nodsa AS nd WHERE nd.package = sp.name AND nd.release = sp.release - AND nd.bug_name = st.bug_name) AS nodsa_reason + AND nd.bug_name = st.bug_name) AS nodsa_reason, + (SELECT next_point_update.release as next_point_update_release FROM next_point_update + WHERE st.bug_name=next_point_update.cve_name) AS next_point_update_release FROM source_package_status AS st, source_packages AS sp, bugs WHERE sp.rowid = st.package AND st.bug_name = bugs.name AND ( st.bug_name LIKE 'CVE-%' OR st.bug_name LIKE 'TEMP-%' ) @@ -1365,6 +1368,8 @@ Debian bug number.'''), fixed_version[pkg][issue][repository] = db_fixed_version status[pkg][issue][repository] = db_status urgency[pkg][issue][repository] = db_urgency + if db_next_point_update: + next_point_update[pkg][issue].add(db_next_point_update) if str(db_nodsa) != 'None': nodsa[pkg][issue][repository] = db_nodsa if str(db_nodsa_reason) != 'None': @@ -1422,6 +1427,12 @@ Debian bug number.'''), suite_nodsa = nodsa[pkg][issue][repository] if repository in nodsa_reason[pkg][issue]: suite_nodsa_reason = nodsa_reason[pkg][issue][repository] + if pkg in next_point_update and \ + issue in next_point_update[pkg] and \ + release in next_point_update[pkg][issue]: + suite_next_point_update = True + else: + suite_next_point_update = None for repository in repositories[pkg][issue]: for suffix in ('','-security','-lts'): subrelease=release+suffix @@ -1432,7 +1443,9 @@ Debian bug number.'''), "fixed_version" : suite_fixed_version, "urgency": suite_urgency, "nodsa": suite_nodsa, - "nodsa_reason": suite_nodsa_reason} + "nodsa_reason": suite_nodsa_reason, + "next_point_update": suite_next_point_update + } clean_dict(suites[release]) pkg_issue = { "description": description, "debianbug": debianbug, diff --git a/lib/python/debian_support.py b/lib/python/debian_support.py index 4c8cff5b38..59d68a8865 100644 --- a/lib/python/debian_support.py +++ b/lib/python/debian_support.py @@ -577,6 +577,46 @@ def getconfig(): _config = json.load(open(findresource("data", "config.json"))) return _config +class PointUpdateParser: + @staticmethod + def parseNextPointUpdateStable(): + """ Reads data/next-point-update.txt and returns a dictionary such as: + + {'CVE-2014-10402': {'libdbi-perl': '1.642-1+deb10u2'}, + 'CVE-2019-10203': {'pdns': '4.1.6-3+deb10u1'} + } + """ + return PointUpdateParser._parsePointUpdateFile( + findresource("data", "next-point-update.txt") + ) + + @staticmethod + def parseNextOldstablePointUpdate(): + """ Returns a dictionary with the same structure as + PointUpdateParser.parseNextPointUpdateStable() for the file + data/next-oldstable-point-update.txt + """ + return PointUpdateParser._parsePointUpdateFile( + findresource("data", "next-oldstable-point-update.txt") + ) + + @staticmethod + def _parsePointUpdateFile(file_path): + CVE_RE = 'CVE-[0-9]{4}-[0-9X]{4,}' + result = {} + + with open(file_path) as f: + for line in f: + res = re.match(CVE_RE, line) + if res: + cve = res.group(0) + result[cve] = {} + continue + elif line.startswith('\t['): + dist, _, pkg, ver = line.split() + result[cve][pkg] = ver + return result + _releasecodename = None def releasecodename(dist): """Converts a release name to the code name. diff --git a/lib/python/security_db.py b/lib/python/security_db.py index e8167f3187..d501feefda 100644 --- a/lib/python/security_db.py +++ b/lib/python/security_db.py @@ -43,6 +43,7 @@ import zlib import config import debian_support +from debian_support import PointUpdateParser from helpers import isstring @@ -250,7 +251,7 @@ class DB: # Enable WAL. This means that updates will not block readers. c.execute("PRAGMA journal_mode = WAL") - self.schema_version = 22 + self.schema_version = 23 self._initFunctions() for (v,) in c.execute("PRAGMA user_version"): @@ -267,6 +268,8 @@ class DB: except apsw.SQLError: pass c.execute("PRAGMA user_version = 22") + elif v == 22: + self._initSchema22() elif v != self.schema_version: if self.verbose: print("DB: schema version mismatch: expected %d, got %d" @@ -463,6 +466,21 @@ class DB: PRIMARY KEY (bug_name, package, release)) """) + def _initSchema22(self): + cursor = self.db.cursor() + + cursor.execute("PRAGMA user_version = 1") + self._initNextPointRelease(cursor) + cursor.execute("PRAGMA user_version = %d" % self.schema_version) + + def _initNextPointRelease(self, cursor): + cursor.execute( + """CREATE TABLE next_point_update + (cve_name TEXT NOT NULL, + release TEXT NOT NULL, + PRIMARY KEY (cve_name, release)) + """) + def _initViews(self, cursor): testing = config.get_release_codename('testing') cursor.execute( @@ -896,6 +914,7 @@ class DB: cursor.execute("DELETE FROM bugs_xref") cursor.execute("DELETE FROM package_notes_nodsa") cursor.execute("DELETE FROM removed_packages") + cursor.execute("DELETE FROM next_point_update") # The *_status tables are regenerated anyway, no need to # delete them here. @@ -1033,6 +1052,24 @@ class DB: if not present: n.writeDB(cursor, target, bug_origin=source) + def insert_next_point_update(cve_names, code_name): + for cve_name in cve_names: + cursor.execute( + """INSERT OR REPLACE INTO next_point_update (cve_name, release) + VALUES (?, ?)""", (cve_name, code_name)) + + def read_next_point_update(): + if self.verbose: + print(" insert next-point-update.txt/next-oldstable-point-update.txt") + + insert_next_point_update(PointUpdateParser.parseNextPointUpdateStable(), + config.get_release_codename('stable')) + + insert_next_point_update(PointUpdateParser.parseNextOldstablePointUpdate(), + config.get_release_codename('oldstable')) + + read_next_point_update() + if errors: raise InsertError(errors) -- cgit v1.2.3