[Fedora-security-commits] fedora-security/tools/scripts add-cve-bug, 1.1, 1.2 add-issue, 1.1, 1.2 add-tracking-bugs, 1.1, 1.2 check-updates, 1.1, 1.2 generate-manifest, 1.1, 1.2 get-cve, 1.1, 1.2 package-release, 1.1, 1.2 parse-announce, 1.1, 1.2 suidaudit, 1.1, 1.2 update-cve-cache, 1.1, 1.2

fedora-security-commits at redhat.com fedora-security-commits at redhat.com
Mon Jan 14 16:04:49 UTC 2008


Author: lkundrak

Update of /cvs/fedora/fedora-security/tools/scripts
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17363/scripts

Added Files:
	add-cve-bug add-issue add-tracking-bugs check-updates 
	generate-manifest get-cve package-release parse-announce 
	suidaudit update-cve-cache 
Log Message:
Merging (hopefully) stable from my branch



Index: add-cve-bug
===================================================================
RCS file: add-cve-bug
diff -N add-cve-bug
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ add-cve-bug	14 Jan 2008 16:04:47 -0000	1.2
@@ -0,0 +1,102 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Create a bugzilla from a CVE entry
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+# Typical use:
+#$ ./add-cve-bug			\
+#	--cve=CVE-2007-4251		\
+#	--component=openoffice.org	\
+#	--summary="OpenOffice crashes upon opening certain files" \
+#	--impact=low
+# (Was used to create #251717)
+
+my $usage = 'add-cve-bug [options...]
+	--cve=<cve>		CVE ID (mandatory)
+	--username=<username>	Bugzilla login (defaults to $LOGNAME at redhat.com)
+	--password=<password>	Bugzilla passwords (asks for it, if not supplied)
+	--component=<pkg[,<pkg>...] Affected package, to find owner to CC (mandatory)
+	--summary=<summary>	Text to follow CVE ID in bugzilla (mandatory)
+	--impact=<impact>	Impact: critical, important, moderate, low
+	--interactive		Launch editor to edit the description
+	--dryrun		Do not write anything, usable with --debug
+	--debug			Dump interesting info
+	--help			This text
+';
+
+use Getopt::Long;
+use Data::Dumper;
+
+use Libexig::Fedora;
+use Libexig::CVE;
+use Libexig::Bugzilla;
+use Libexig::Util;
+
+use warnings;
+use strict;
+
+# Command line options
+my ($cve, $interactive, $dryrun, $debug,
+	$username, $password, $component, $summary, $impact);
+
+# Parse command line options
+my %options;
+GetOptions(\%options,
+	'cve=s',
+	'username=s',
+	'password=s',
+	'component=s',
+	'summary=s',
+	'impact=s',
+	'interactive',
+	'dryrun',
+	'debug',
+	'help',
+) or die 'Incorrect arguments. Try --help.';
+
+if ($options{'help'}) {
+	print $usage;
+	exit;
+}
+
+$dryrun		= ($options{'dryrun'}	or 0);
+$debug		= ($options{'debug'}	or 0);
+$interactive	= ($options{'interactive'} or 0);
+
+$cve		= $options{'cve'}	or die 'cve argument is mandatory';
+$component	= $options{'component'}	or die 'component argument is mandatory';
+$summary	= $options{'summary'}	or die 'summary argument is mandatory';
+$impact		= ($options{'impact'}	or 'low');
+defined $Libexig::Fedora::srt_bz_map{$impact} or die 'specified unrecognized impact value';
+
+$username	= ($options{'username'}	or $ENV{'LOGNAME'}.'@redhat.com');
+$password	= ($options{'password'}	or $dryrun or
+	read_noecho ("Bugzilla password for $username: "));
+	# TODO: add whiteboard option to fill in and get impact from it
+
+# Get CVE details from NVD or user
+
+print "Getting a bug description from CVE\n" if $debug;
+my ($desc, $refs) = cve ($cve);
+
+die 'Cannot fetch CVE description; re-run with --interactive'
+	unless $desc or $interactive;
+
+my $bug_desc = Libexig::Fedora::cve_bug_desc ($cve, $desc, $refs);
+$bug_desc = edit_string ($bug_desc) if $interactive;
+
+# File it in Bugzilla
+
+my $bugzilla = new Libexig::Bugzilla ({
+	'username'	=> $username,
+	'password'	=> $password,
+	'dryrun'	=> $dryrun,
+	'debug'		=> $debug,
+});
+
+my %bug = Libexig::Fedora::cve_bug ($cve, $component, $summary, $bug_desc, $impact, $bugzilla);
+print 'About to add this bug: '.Dumper(\%bug) if $debug;
+my $bug_id = $bugzilla->file_bug (\%bug);
+
+print STDERR "Created bug #$bug_id\n";
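Review bot: With `--dryrun` and no `--password`, the `or` chain that assigns `$password` stores the dryrun flag itself (the value 1) as the password, because `or` yields its first true operand; add-tracking-bugs in this same commit avoids that with a trailing `unless $dryrun`. Use the same shape here: `$password = ($options{'password'} or read_noecho ("Bugzilla password for $username: ")) unless $dryrun;`. A password supplied via `--password` is also readable by other local users in process listings and lingers in shell history, so the usage line for it should steer users to the prompt, e.g. `--password=<password>	Bugzilla password (prompted if omitted; the prompt is preferred, a command-line value is visible in ps and shell history)` — the same applies to the option in add-tracking-bugs. `new Libexig::Bugzilla ({...})` is indirect-object syntax; `Libexig::Bugzilla->new ({...})` is the unambiguous form, here and for the `new` calls in add-issue, add-tracking-bugs, check-updates and parse-announce.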


Index: add-issue
===================================================================
RCS file: add-issue
diff -N add-issue
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ add-issue	14 Jan 2008 16:04:47 -0000	1.2
@@ -0,0 +1,90 @@
+#!/usr/bin/env perl
+
+# $Id$
+# File a bugs for specified versions and add dependencies
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+# XXX: debug, dryrun
+my $usage = 'add-cve-bug [options...]
+	--versions=<ver>[,...]	Affected Fedora versions
+	--bugs=<bug>[,...]]	Tracking bugs for respective versions
+	--need_verif		Needs verification (**)
+	--cve=<cve>		CVE name
+	--status=<status>	Either "fixed" or "ignore" or implied "VULNERABLE"
+	--component=<pkg>	Affected package, to find owner to CC (mandatory)
+	--fixed=<version>	"fixed ..." or "not fixed ..."
+	--since=<update>	Fedora update or NVR this was fixed in
+	--comment=<comment>	Free-form comment string
+';
+
+use Getopt::Long;
+use Libexig::Audit;
+
+use warnings;
+use strict;
+
+my %versions = (
+	'7'	=> '../audit/fc7',
+	'8'	=> '../audit/f8',
+	'9'	=> '../audit/f9',
+);
+
+# Command line options
+my (@versions, @bugs, $need_verif, $cve, $status, $component,
+	$fixed, $since, $comment);
+
+# Parse command line options
+
+my %options;
+GetOptions(\%options,
+	'versions=s',
+	'bugs=s',
+	'need_verif',
+	'cve=s',
+	'status=s',
+	'component=s',
+	'fixed=s',
+	'since=s',
+	'comment=s',
+	'help',
+) or die 'Incorrect arguments. Try --help.';
+
+if ($options{help}) {
+	print $usage;
+	exit;
+}
+
+ at versions = $options{versions}
+	? split (/,/, $options{versions})	# versions were specified
+	: keys %versions;			# all known versions
+
+ at bugs = $options{bugs}
+	? split (/,/, $options{bugs})
+	: ();
+
+$need_verif	= ($options{need_verif} ? '**' : '');
+$cve		= ($options{cve}	or 'GENERIC-MAP-NOMATCH');
+$status		= ($options{status}	or 'VULNERABLE');
+$component	= ($options{component}) or die 'component argument is mandatory';
+$fixed		= ($options{fixed}	or '');
+$since		= ($options{since}	or '');
+$comment	= ($options{comment}	or '');
+
+# Add a line for each version
+
+foreach my $version (@versions) {
+	my $entry = {
+		need_verif	=> $need_verif,
+		cve		=> $cve,
+		status		=> $status,
+		component	=> $component,
+		fixed		=> $fixed,
+		bug		=> shift @bugs,
+		since		=> $since,
+		comment		=> $comment,
+	};
+
+	my $audit = new Libexig::Audit ({file => $versions{$version}});
+	$audit->add ($entry);
+	$audit->save;
+}
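Review bot: The per-version loop looks up `$versions{$version}` without checking that the key exists, so a typo in `--versions` passes `file => undef` into the Audit constructor instead of failing early; add `exists $versions{$version} or die "Unknown version: $version";` as the first statement of the loop. When `--versions` is omitted the list comes from `keys %versions`, whose order is unrelated to the order of `--bugs`, so `shift @bugs` can attach a tracking bug to the wrong release; use `sort keys %versions` and document in the usage text that `--bugs` is positional with respect to `--versions`, or refuse `--bugs` without `--versions`. The usage string also names the program `add-cve-bug` rather than `add-issue` and has no entry for `--help`, which the option table accepts.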


Index: add-tracking-bugs
===================================================================
RCS file: add-tracking-bugs
diff -N add-tracking-bugs
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ add-tracking-bugs	14 Jan 2008 16:04:47 -0000	1.2
@@ -0,0 +1,81 @@
+#!/usr/bin/env perl
+
+# $Id$
+# File a bugs for specified versions and add dependencies
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+my $usage = 'add-tracking-bugs [options...]
+	--bugs=<bug>[,...]	Parent bugs
+	--versions=<ver>[,...]	Affected Fedora versions
+	--component=<pkg>	Affected package, to find owner to CC (mandatory)
+	--username=<username>	Bugzilla login (defaults to $LOGNAME at redhat.com)
+	--password=<password>	Bugzilla passwords (asks for it, if not supplied)
+	--dryrun		Do not write anything, usable with --debug
+	--debug			Dump more or less interesting info
+	--help			This text
+';
+
+use XMLRPC::Lite;
+use Getopt::Long;
+use Data::Dumper;
+
+use Libexig::Util;
+use Libexig::Bugzilla;
+use Libexig::Fedora;
+
+use warnings;
+use strict;
+
+# Command line options
+my (@bugs, @versions, $dryrun, $debug,
+	$username, $password, $component);
+
+# Parse command line options:
+
+my %options;
+GetOptions(\%options,
+	'bugs=s',
+	'component=s',
+	'versions=s',
+	'username=s',
+	'password=s',
+	'dryrun',
+	'debug',
+	'help',
+) or die 'Incorrect arguments. Try --help.';
+
+if ($options{'help'}) {
+	print $usage;
+	exit;
+}
+
+$options{'bugs'} or die 'bugs argument is mandatory';
+ at bugs = split (/,/, $options{'bugs'});
+
+$options{'versions'} or die 'versions argument is mandatory';
+ at versions = split (/,/, $options{'versions'});
+#XXX
+##$versions{$_} or die "Invalid version: $_" foreach (@versions);
+
+$component	= $options{'component'}	or die 'component argument is mandatory';
+$dryrun		= ($options{'dryrun'}	or 0);
+$debug		= ($options{'debug'}	or 0);
+$username	= ($options{'username'}	or $ENV{'LOGNAME'}.'@redhat.com');
+$password	= ($options{'password'}	or read_noecho ("Bugzilla password for $username: "))
+	unless $dryrun;
+
+
+my $bugzilla = new Libexig::Bugzilla ({
+	'username'	=> $username,
+	'password'	=> $password,
+	'dryrun'	=> $dryrun,
+	'debug'		=> $debug,
+});
+
+# All the work (not the one that makes Jack a dull boy)
+my $parent_bugs = $bugzilla->get_bugs (\@bugs,
+		['alias','keywords','priority','bug_id', 'bug_severity', 'short_short_desc']);
+my $tracking_bugs = Libexig::Fedora::tracking_bugs ($parent_bugs, $component, @versions);
+
+print STDERR Libexig::Fedora::file_tracking_bugs (\@bugs, $tracking_bugs, $bugzilla, $component);
+
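Review bot: The version check is commented out (`##$versions{$_} or die "Invalid version: $_" foreach (@versions);`), so `@versions` from the command line reaches `Libexig::Fedora::tracking_bugs` unvalidated, and since `%versions` is not declared in this script the line cannot simply be uncommented. Declare the accepted releases (presumably the same `7`, `8`, `9` that add-issue keys on — confirm) and check each one: `my %known_version = map { $_ => 1 } qw(7 8 9); exists $known_version{$_} or die "Invalid version: $_" foreach @versions;`. `$username` is built from `$ENV{'LOGNAME'}` without checking it is set, which under a sanitized environment yields the login `@redhat.com` and an uninitialized-value warning; `defined $ENV{'LOGNAME'} or die 'LOGNAME is not set; pass --username';` before that assignment makes the failure explicit.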


Index: check-updates
===================================================================
RCS file: check-updates
diff -N check-updates
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ check-updates	14 Jan 2008 16:04:47 -0000	1.2
@@ -0,0 +1,32 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Dump what's VULNERABLE, but been subject to an update
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+#use warnings;
+use strict;
+
+use Libexig::Audit;
+use Libexig::Bodhi;
+
+# Parse the audit file
+my $audit = new Libexig::Audit ({file => $ARGV[0]});
+
+foreach my $entry (@{$audit->{audit}}) {
+	$entry->{'status'} eq 'VULNERABLE' or next;
+
+	# See if the VULNERABLE bug was referenced by an update	
+	foreach my $u (Libexig::Bodhi::get_updates ($entry->{component})) {
+		$u->{'_Bugs'}->{$entry->{bug}} or next;
+
+		# Modify the line accordingly
+		$entry->{since} = $u->{'Update ID'};
+		$u->{'Status'} eq 'stable' and $entry->{status} = 'fixed';
+		Libexig::Audit::update_entry ($entry);
+
+		last;
+	};
+}
+
+$audit->save;
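Review bot: `use warnings` is commented out, and the lookup `$u->{'_Bugs'}->{$entry->{bug}}` is the likely reason: entries with no tracking bug (add-issue writes `bug => shift @bugs`, which is undef once `--bugs` runs out) would presumably trigger an uninitialized-key warning there and never match anything. Re-enable warnings and skip such entries explicitly before the Bodhi loop with `defined $entry->{bug} and length $entry->{bug} or next;`. `$ARGV[0]` is also handed to the Audit constructor with no usage check, whereas get-cve in this commit guards with `@ARGV or die 'Usage: ...'`; the equivalent here is `@ARGV == 1 or die 'Usage: check-updates <audit-file>';`. The stray `;` after the inner `foreach` block is harmless but reads as a leftover.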


Index: generate-manifest
===================================================================
RCS file: generate-manifest
diff -N generate-manifest
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ generate-manifest	14 Jan 2008 16:04:47 -0000	1.2
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# $Id$
+# List generate list of latest versions of all packages in a brew tag
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+if [ -z "$KOJI" ]
+then
+	KOJI="koji"
+fi
+
+if [ -z "$@" ]
+then
+	export TAGS="
+		dist-fc7-updates
+		dist-f8-updates
+		dist-f9-build
+	"
+else
+	export TAGS="$@"
+fi
+
+for TAG in $TAGS
+do
+	echo -n "Generating manifest for $TAG..."
+	"$KOJI" list-tagged --inherit --latest "$TAG" >"$TAG"
+	echo " done"
+done
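Review bot: `[ -z "$@" ]` is not a valid emptiness test once two or more tags are passed: `"$@"` expands to one word per argument, so `test` receives extra operands and reports a syntax error instead of choosing the branch; use `[ $# -eq 0 ]`. The koji invocation's exit status is ignored and ` done` is printed regardless, so a failed or interrupted run leaves an empty or truncated manifest file named after the tag; `"$KOJI" list-tagged --inherit --latest "$TAG" >"$TAG" || { echo " failed"; exit 1; }` surfaces it. `echo -n` is not specified by POSIX for `#!/bin/sh`; `printf '%s' "Generating manifest for $TAG..."` is the portable form.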


Index: get-cve
===================================================================
RCS file: get-cve
diff -N get-cve
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ get-cve	14 Jan 2008 16:04:47 -0000	1.2
@@ -0,0 +1,18 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Get CVE information from NVD
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+
+use warnings;
+use strict;
+
+use Libexig::CVE;
+use Data::Dumper;
+
+ at ARGV or die 'Usage: get-cve <cve> [...]';
+
+foreach my $cve (@ARGV) {
+	print Dumper ($cve, Libexig::CVE::cve ($cve));
+}


Index: package-release
===================================================================
RCS file: package-release
diff -N package-release
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ package-release	14 Jan 2008 16:04:47 -0000	1.2
@@ -0,0 +1,96 @@
+#!/usr/bin/perl -w
+
+# $Id$
+
+# Script for querying which release we ship a package in, and what the
+# version of said package is.
+#
+# This script was originally writeen by Jason L Tibbitts III
+
+# TODO: Use getopt (add options at that time)
+# TODO: Allow for fuzzy matching (partial searching)
+
+use LWP::Simple;
+use Net::FTP;
+use strict;
+
+# Global variables
+my ($owner_file, $mirror_host, $mirror_path, @releases);
+
+
+$owner_file='http://cvs.fedora.redhat.com/viewcvs/*checkout*/owners/owners.list?root=extras';
+$mirror_host='download.fedora.redhat.com';
+$mirror_path='/pub/fedora/linux/releases/%s/Everything/source/SRPMS';
+ at releases=qw( 7 );
+
+sub get_owner_content {
+    my $match = pop;
+
+    my ($distro, $package, $desc, $owner, $qa, $cc);
+
+    my %owner;
+
+    my $owner_content = get($owner_file)
+        or die "Couldn't get $owner_file";
+
+    foreach (split(/\n/, $owner_content)) {
+        next if /^#/;
+        chomp;
+
+        ($distro, $package, $desc, $owner, $qa, $cc) = split(/\|/, $_);
+
+        next if ( $package !~ m/$match/i);
+
+        $owner{$package} = {};
+        $owner{$package}->{'product'} = $distro;
+        $owner{$package}->{'package'} = $package;
+        $owner{$package}->{'description'} = $desc;
+        $owner{$package}->{'owner'} = $owner;
+        $owner{$package}->{'qacontact'} = $qa;
+        $owner{$package}->{'cclist'} = $cc;
+    }
+
+    return %owner;
+
+}
+
+my $package = $ARGV[0];
+
+my %owner = get_owner_content($package);
+
+if (!keys(%owner) or $package eq '') {
+    print "Could not find package \"$package\" in $owner_file\n";
+    exit 1;
+}
+
+foreach (keys(%owner)) {
+print "Found package $_ in owners.list:\n";
+}
+
+my $ftp = Net::FTP->new($mirror_host, Debug => 0)
+    or die "Cannot connect to $mirror_host: $@";
+$ftp->login("anonymous",'-anonymous@')
+    or die "Cannot login ", $ftp->message;
+
+
+foreach my $release (@releases) {
+    my ($f, $dir, $files, $rev, $ver, $name);
+
+    $dir = sprintf($mirror_path, $release);
+    $release eq "development" && ($release = "dev");
+    $files = $ftp->ls($dir)
+        or die "Cannot list directory ", $ftp->message;
+
+    foreach my $f (@$files) {
+        chomp($f);
+        $f =~ s/$dir\///;
+        next unless $f =~ /^(.*$package.*)-([^\-]*)-([^\-]*)\.src\.rpm$/i;
+        $name = $1;
+        $ver = $2;
+        $rev = $3;
+
+        print "    $release\t$name\t$ver\t$rev\t$f\n";
+  }
+}
+
+$ftp->quit;
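Review bot: `$ARGV[0]` is interpolated unescaped into the patterns `m/$match/i` in get_owner_content and `/^(.*$package.*)-([^\-]*)-([^\-]*)\.src\.rpm$/i` in the release loop, so an argument containing regex metacharacters either dies at runtime (an unbalanced paren) or matches something other than the literal package name; write them as `\Q$match\E` and `\Q$package\E`, which keeps the substring matching the fuzzy-match TODO asks for. With no argument `$package` is undef and the pattern is empty, and an empty pattern in Perl can reuse the last successfully matched pattern rather than matching everything, so check arguments before the call: `@ARGV == 1 or die "Usage: package-release <package>\n";`. The `$f` in the outer `my ($f, $dir, $files, $rev, $ver, $name);` is shadowed by `foreach my $f` and can be dropped.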


Index: parse-announce
===================================================================
RCS file: parse-announce
diff -N parse-announce
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ parse-announce	14 Jan 2008 16:04:47 -0000	1.2
@@ -0,0 +1,99 @@
+#!/usr/bin/perl -w
+
+# $Id$
+
+use strict;
+use Mail::Mbox::MessageParser;
+use Email::Simple;
+
+die "\nUsage: parse-announce mbox-file audit-file\n\n" if not defined($ARGV[1]);
+
+my $mbox_filename = $ARGV[0];
+my $audit_filename = $ARGV[1];
+my (@file, %cve_id, $audit_version);
+
+$ARGV[1] =~ /(\d+)$/;
+$audit_version = $1;
+
+# Suck in the audit file
+open(FH, $ARGV[1]);
+while (<FH>) {
+    my ($temp_cve, $temp_text, $temp_line, $temp_package);
+    chomp;
+    $temp_line = $_;
+    push @file, $temp_line;
+
+    if ($temp_line =~ /^(CVE-\d{4}-\d{4}) (.*)/) {
+        $temp_cve = $1;
+        $temp_text = $2;
+        if ($temp_text =~ /\(([\w\-\_\.]+)[\,\)]/) {
+            $temp_package = $1;
+        } elsif ($temp_text =~ /\*\* (\w+)/) {
+            $temp_package = $1;
+        } else {
+            die "Couldn't determine the package name from the audit file";
+        }
+
+        $cve_id{$temp_cve} = {} if not $cve_id{$temp_cve};
+        $cve_id{$temp_cve}->{$temp_package} = [$#file, $temp_line];
+    }
+}
+
+close(FH);
+
+my $folder_reader = new Mail::Mbox::MessageParser({
+    'file_name' => $mbox_filename,
+    'enable_cache' => 0,
+});
+
+die $folder_reader unless ref $folder_reader;
+
+while (!$folder_reader->end_of_file()) {
+    my (@cves, $errata_id, $temp_cve);
+    my ($product, $package);
+
+
+    my $email = $folder_reader->read_next_email();
+    my $mail = Email::Simple->new($$email);
+    my $subject = $mail->header('Subject');
+    my $body = $mail->body;
+
+    if ($body =~ m/Product\s*:\s+Fedora Core (\d+)/) {
+        $product = $1;
+    } else {
+        # Add support for fedora extras here
+        warn "Product name couldn't be found";
+        next;
+    }
+
+    if ($body =~ m/Name\s*:\s+(\w+)/) {
+        $package = $1;
+    } else {
+        warn "Package Name couldn't be found";
+        next;
+    }
+
+    if ($body =~ m/(FEDORA-\d{4}-\d+)/) {
+        $errata_id = $1;
+    } else {
+        warn "Errata ID couldn't be found";
+        next;
+    }
+
+    while ($body =~ m/(CVE-\d{4}-\d{4})/g) {
+        if ($cve_id{$1}) {
+            if ($cve_id{$1}->{$package} and $product eq $audit_version) {
+                $cve_id{$1}->{$package}->[1] .= "[since $errata_id]";
+                my $file_line = $cve_id{$1}->{$package}->[0];
+                next if $file[$file_line] =~ /\[since FEDORA/;
+                $file[$file_line] = $file[$file_line] . " [since $errata_id]"
+            }
+        } else {
+            print "$1 **FIXME** ($package) [since $errata_id]\n";
+        }
+    }
+}
+
+foreach (@file) {
+    print $_, "\n";
+}
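Review bot: `open(FH, $ARGV[1]);` is a two-argument open on a command-line path with no error check: a path beginning with `>`, `<` or `|` is interpreted as a mode rather than a filename, and a missing file silently produces an empty audit and an output with every line dropped. Use the lexical three-argument form with the variable the script already assigns: `open my $audit_fh, '<', $audit_filename or die "open $audit_filename: $!";`, then `while (<$audit_fh>)` and `close $audit_fh;`. The version is read from `$1` after `$ARGV[1] =~ /(\d+)$/;` without testing the match, so a filename with no trailing digits leaves `$audit_version` undefined and the `$product eq $audit_version` comparison quietly never holds; `($audit_version) = $audit_filename =~ /(\d+)$/ or die "cannot derive audit version from $audit_filename";` makes that a hard error.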


Index: suidaudit
===================================================================
RCS file: suidaudit
diff -N suidaudit
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ suidaudit	14 Jan 2008 16:04:47 -0000	1.2
@@ -0,0 +1,47 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Audit RPM files for setuid and setgid files
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+use strict;
+use warnings;
+
+use RPM2;
+use Fcntl ':mode';
+
+foreach my $rpm (@ARGV) {
+
+	my $hdr = RPM2->open_package ($rpm)
+		or die $!;
+
+	my $pkgname = $hdr->tag('Name');
+
+	my $name;	my @names	= $hdr->tag('BASENAMES');
+	my $mode;	my @modes	= $hdr->tag('FILEMODES');
+	my $class;	my @classes	= $hdr->tag('FILECLASS');
+	my $dirindex;	my @dirindexes	= $hdr->tag('DIRINDEXES');
+	my $username;	my @usernames	= $hdr->tag('FILEUSERNAME');
+	my $groupname;	my @groupnames	= $hdr->tag('FILEGROUPNAME');
+
+	my @classdict	= $hdr->tag('CLASSDICT');
+	my @dirnames	= $hdr->tag('DIRNAMES');
+
+	while (
+		$mode		= shift @modes,
+		$username	= shift @usernames,
+		$groupname	= shift @groupnames,
+		$class		= shift @classes,
+		$dirindex	= shift @dirindexes,
+		$name		= shift @names
+	) {
+		if ($mode & S_IFREG and $mode & (S_ISUID | S_ISGID)) {
+			printf "%-25s %06o %8s:%-8s %-30s %-.50s...\n",
+				$pkgname, $mode,
+				(($mode & S_ISUID) ? $username : '-'),
+				(($mode & S_ISGID) ? $groupname : '-'),
+				$dirnames[$dirindex].$name,
+				$classdict[$class];
+		}
+	}
+}
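Review bot: `$mode & S_IFREG` is not a regular-file test: the S_IFREG bit (0100000) is also set in S_IFLNK and S_IFSOCK, so the condition should be `S_ISREG($mode)`, which `Fcntl ':mode'` already exports. The comma-chained `while` condition ends the loop as soon as the last `shift` returns a false value, so a file whose basename is literally `0` cuts the listing for that package short; iterating the parallel arrays by index removes both issues, as below. Whether `$!` carries anything after a failed `RPM2->open_package` is not visible here — at least include `$rpm` in the die message so the offending file is named.
```perl
	# … unchanged: open_package, tag reads for @names/@modes/@classes/@dirindexes/@usernames/@groupnames/@classdict/@dirnames …
	for my $i (0 .. $#names) {
		my ($mode, $class, $dirindex) = ($modes[$i], $classes[$i], $dirindexes[$i]);
		next unless S_ISREG($mode) && ($mode & (S_ISUID | S_ISGID));
		printf "%-25s %06o %8s:%-8s %-30s %-.50s...\n",
			$pkgname, $mode,
			(($mode & S_ISUID) ? $usernames[$i] : '-'),
			(($mode & S_ISGID) ? $groupnames[$i] : '-'),
			$dirnames[$dirindex].$names[$i],
			$classdict[$class];
	}
```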


Index: update-cve-cache
===================================================================
RCS file: update-cve-cache
diff -N update-cve-cache
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ update-cve-cache	14 Jan 2008 16:04:47 -0000	1.2
@@ -0,0 +1,14 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Generate CVE cache so that tools utilizing Libexig::CVE run smoothly
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+use warnings;
+use strict;
+
+use Libexig::CVE;
+
+#Libexig::CVE::nvdcache ('nvdcve-modified.xml');
+#Libexig::CVE::nvdcache ('nvdcve-recent.xml');
+Libexig::CVE::nvdcache ('nvdcve-'.$_.'.xml') foreach (2002..`date +%Y`);
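Review bot: The upper bound of the year range comes from the backtick capture of `date +%Y` with no check: if the command is missing or fails the result is an empty string, the range collapses to nothing and the script exits successfully having cached no years at all. The current year is available without a subprocess as `(localtime)[5] + 1900`, so the line can read `Libexig::CVE::nvdcache ('nvdcve-'.$_.'.xml') foreach (2002 .. (localtime)[5] + 1900);`. The two commented-out calls for the `modified` and `recent` feeds should either be removed or carry a one-line comment saying why they are disabled.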



