[Fedora-security-commits] fedora-security/tools/scripts add-cve-bug, 1.1, 1.2 add-issue, 1.1, 1.2 add-tracking-bugs, 1.1, 1.2 check-updates, 1.1, 1.2 generate-manifest, 1.1, 1.2 get-cve, 1.1, 1.2 package-release, 1.1, 1.2 parse-announce, 1.1, 1.2 suidaudit, 1.1, 1.2 update-cve-cache, 1.1, 1.2
fedora-security-commits at redhat.com
fedora-security-commits at redhat.com
Mon Jan 14 16:04:49 UTC 2008
Author: lkundrak
Update of /cvs/fedora/fedora-security/tools/scripts
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17363/scripts
Added Files:
add-cve-bug add-issue add-tracking-bugs check-updates
generate-manifest get-cve package-release parse-announce
suidaudit update-cve-cache
Log Message:
Merging (hopefully) stable from my branch
Index: add-cve-bug
===================================================================
RCS file: add-cve-bug
diff -N add-cve-bug
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ add-cve-bug 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,102 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Create a bugzilla from a CVE entry
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+# Typical use:
+#$ ./add-cve-bug \
+# --cve=CVE-2007-4251 \
+# --component=openoffice.org \
+# --summary="OpenOffice crashes upon opening certain files" \
+# --impact=low
+# (Was used to create #251717)
+
+my $usage = 'add-cve-bug [options...]
+ --cve=<cve> CVE ID (mandatory)
+ --username=<username> Bugzilla login (defaults to $LOGNAME at redhat.com)
+ --password=<password> Bugzilla passwords (asks for it, if not supplied)
+ --component=<pkg[,<pkg>...] Affected package, to find owner to CC (mandatory)
+ --summary=<summary> Text to follow CVE ID in bugzilla (mandatory)
+ --impact=<impact> Impact: critical, important, moderate, low
+ --interactive Launch editor to edit the description
+ --dryrun Do not write anything, usable with --debug
+ --debug Dump interesting info
+ --help This text
+';
+
+use Getopt::Long;
+use Data::Dumper;
+
+use Libexig::Fedora;
+use Libexig::CVE;
+use Libexig::Bugzilla;
+use Libexig::Util;
+
+use warnings;
+use strict;
+
+# Command line options
+my ($cve, $interactive, $dryrun, $debug,
+ $username, $password, $component, $summary, $impact);
+
+# Parse command line options
+my %options;
+GetOptions(\%options,
+ 'cve=s',
+ 'username=s',
+ 'password=s',
+ 'component=s',
+ 'summary=s',
+ 'impact=s',
+ 'interactive',
+ 'dryrun',
+ 'debug',
+ 'help',
+) or die 'Incorrect arguments. Try --help.';
+
+if ($options{'help'}) {
+ print $usage;
+ exit;
+}
+
+$dryrun = ($options{'dryrun'} or 0);
+$debug = ($options{'debug'} or 0);
+$interactive = ($options{'interactive'} or 0);
+
+$cve = $options{'cve'} or die 'cve argument is mandatory';
+$component = $options{'component'} or die 'component argument is mandatory';
+$summary = $options{'summary'} or die 'summary argument is mandatory';
+$impact = ($options{'impact'} or 'low');
+defined $Libexig::Fedora::srt_bz_map{$impact} or die 'specified unrecognized impact value';
+
+$username = ($options{'username'} or $ENV{'LOGNAME'}.'@redhat.com');
+$password = ($options{'password'} or $dryrun or
+ read_noecho ("Bugzilla password for $username: "));
+ # TODO: add whiteboard option to fill in and get impact from it
+
+# Get CVE details from NVD or user
+
+print "Getting a bug description from CVE\n" if $debug;
+my ($desc, $refs) = cve ($cve);
+
+die 'Cannot fetch CVE description; re-run with --interactive'
+ unless $desc or $interactive;
+
+my $bug_desc = Libexig::Fedora::cve_bug_desc ($cve, $desc, $refs);
+$bug_desc = edit_string ($bug_desc) if $interactive;
+
+# File it in Bugzilla
+
+my $bugzilla = new Libexig::Bugzilla ({
+ 'username' => $username,
+ 'password' => $password,
+ 'dryrun' => $dryrun,
+ 'debug' => $debug,
+});
+
+my %bug = Libexig::Fedora::cve_bug ($cve, $component, $summary, $bug_desc, $impact, $bugzilla);
+print 'About to add this bug: '.Dumper(\%bug) if $debug;
+my $bug_id = $bugzilla->file_bug (\%bug);
+
+print STDERR "Created bug #$bug_id\n";
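Review bot: The `or` chain that assigns `$password` falls through to `$dryrun` when no `--password` is given, so a dry run stores the literal `1` in `$password` rather than leaving it unset, and that value is then handed to `Libexig::Bugzilla`; the form used in add-tracking-bugs keeps the intent explicit: `$password = ($options{'password'} or read_noecho ("Bugzilla password for $username: ")) unless $dryrun;`. A password passed as `--password=` is also visible to other local users through the process table and is kept in shell history; the usage text should say so and point to the prompt path, which `read_noecho` already provides (the same remark applies to add-tracking-bugs). `new Libexig::Bugzilla ({...})` is indirect object syntax; `Libexig::Bugzilla->new({...})` is the conventional form.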
Index: add-issue
===================================================================
RCS file: add-issue
diff -N add-issue
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ add-issue 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,90 @@
+#!/usr/bin/env perl
+
+# $Id$
+# File a bugs for specified versions and add dependencies
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+# XXX: debug, dryrun
+my $usage = 'add-cve-bug [options...]
+ --versions=<ver>[,...] Affected Fedora versions
+ --bugs=<bug>[,...]] Tracking bugs for respective versions
+ --need_verif Needs verification (**)
+ --cve=<cve> CVE name
+ --status=<status> Either "fixed" or "ignore" or implied "VULNERABLE"
+ --component=<pkg> Affected package, to find owner to CC (mandatory)
+ --fixed=<version> "fixed ..." or "not fixed ..."
+ --since=<update> Fedora update or NVR this was fixed in
+ --comment=<comment> Free-form comment string
+';
+
+use Getopt::Long;
+use Libexig::Audit;
+
+use warnings;
+use strict;
+
+my %versions = (
+ '7' => '../audit/fc7',
+ '8' => '../audit/f8',
+ '9' => '../audit/f9',
+);
+
+# Command line options
+my (@versions, @bugs, $need_verif, $cve, $status, $component,
+ $fixed, $since, $comment);
+
+# Parse command line options
+
+my %options;
+GetOptions(\%options,
+ 'versions=s',
+ 'bugs=s',
+ 'need_verif',
+ 'cve=s',
+ 'status=s',
+ 'component=s',
+ 'fixed=s',
+ 'since=s',
+ 'comment=s',
+ 'help',
+) or die 'Incorrect arguments. Try --help.';
+
+if ($options{help}) {
+ print $usage;
+ exit;
+}
+
+ at versions = $options{versions}
+ ? split (/,/, $options{versions}) # versions were specified
+ : keys %versions; # all known versions
+
+ at bugs = $options{bugs}
+ ? split (/,/, $options{bugs})
+ : ();
+
+$need_verif = ($options{need_verif} ? '**' : '');
+$cve = ($options{cve} or 'GENERIC-MAP-NOMATCH');
+$status = ($options{status} or 'VULNERABLE');
+$component = ($options{component}) or die 'component argument is mandatory';
+$fixed = ($options{fixed} or '');
+$since = ($options{since} or '');
+$comment = ($options{comment} or '');
+
+# Add a line for each version
+
+foreach my $version (@versions) {
+ my $entry = {
+ need_verif => $need_verif,
+ cve => $cve,
+ status => $status,
+ component => $component,
+ fixed => $fixed,
+ bug => shift @bugs,
+ since => $since,
+ comment => $comment,
+ };
+
+ my $audit = new Libexig::Audit ({file => $versions{$version}});
+ $audit->add ($entry);
+ $audit->save;
+}
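Review bot: When `--versions` is omitted, `@versions` is filled from `keys %versions`, whose order is not numeric, so the `shift @bugs` pairing inside the loop assigns the `--bugs` values to versions unpredictably; use `: sort { $a <=> $b } keys %versions;` so bugs and versions line up in the order the usage text implies. A user-supplied version that is not a key of `%versions` reaches `Libexig::Audit` as `file => undef`; a guard before the constructor, `my $file = $versions{$version} or die "Unknown version: $version";`, would reject it with a clear message. The usage text names the program `add-cve-bug`; it should read `add-issue`. `new Libexig::Audit (...)` is indirect object syntax; prefer `Libexig::Audit->new(...)`.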
Index: add-tracking-bugs
===================================================================
RCS file: add-tracking-bugs
diff -N add-tracking-bugs
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ add-tracking-bugs 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,81 @@
+#!/usr/bin/env perl
+
+# $Id$
+# File a bugs for specified versions and add dependencies
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+my $usage = 'add-tracking-bugs [options...]
+ --bugs=<bug>[,...] Parent bugs
+ --versions=<ver>[,...] Affected Fedora versions
+ --component=<pkg> Affected package, to find owner to CC (mandatory)
+ --username=<username> Bugzilla login (defaults to $LOGNAME at redhat.com)
+ --password=<password> Bugzilla passwords (asks for it, if not supplied)
+ --dryrun Do not write anything, usable with --debug
+ --debug Dump more or less interesting info
+ --help This text
+';
+
+use XMLRPC::Lite;
+use Getopt::Long;
+use Data::Dumper;
+
+use Libexig::Util;
+use Libexig::Bugzilla;
+use Libexig::Fedora;
+
+use warnings;
+use strict;
+
+# Command line options
+my (@bugs, @versions, $dryrun, $debug,
+ $username, $password, $component);
+
+# Parse command line options:
+
+my %options;
+GetOptions(\%options,
+ 'bugs=s',
+ 'component=s',
+ 'versions=s',
+ 'username=s',
+ 'password=s',
+ 'dryrun',
+ 'debug',
+ 'help',
+) or die 'Incorrect arguments. Try --help.';
+
+if ($options{'help'}) {
+ print $usage;
+ exit;
+}
+
+$options{'bugs'} or die 'bugs argument is mandatory';
+ at bugs = split (/,/, $options{'bugs'});
+
+$options{'versions'} or die 'versions argument is mandatory';
+ at versions = split (/,/, $options{'versions'});
+#XXX
+##$versions{$_} or die "Invalid version: $_" foreach (@versions);
+
+$component = $options{'component'} or die 'component argument is mandatory';
+$dryrun = ($options{'dryrun'} or 0);
+$debug = ($options{'debug'} or 0);
+$username = ($options{'username'} or $ENV{'LOGNAME'}.'@redhat.com');
+$password = ($options{'password'} or read_noecho ("Bugzilla password for $username: "))
+ unless $dryrun;
+
+
+my $bugzilla = new Libexig::Bugzilla ({
+ 'username' => $username,
+ 'password' => $password,
+ 'dryrun' => $dryrun,
+ 'debug' => $debug,
+});
+
+# All the work (not the one that makes Jack a dull boy)
+my $parent_bugs = $bugzilla->get_bugs (\@bugs,
+ ['alias','keywords','priority','bug_id', 'bug_severity', 'short_short_desc']);
+my $tracking_bugs = Libexig::Fedora::tracking_bugs ($parent_bugs, $component, @versions);
+
+print STDERR Libexig::Fedora::file_tracking_bugs (\@bugs, $tracking_bugs, $bugzilla, $component);
+
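Review bot: The `@versions` values taken from `--versions` are used without validation: the check commented out under `#XXX` refers to a `%versions` hash that this script never defines, so a mistyped version goes straight into `Libexig::Fedora::tracking_bugs`. Either define the known-version map here (add-issue keeps one) and restore the check, or at least reject anything that is not a plain number, e.g. `/\A\d+\z/ or die "Invalid version: $_" foreach @versions;`. `use XMLRPC::Lite` does not appear to be used anywhere in this script and can presumably be dropped if the Bugzilla module loads it itself. `new Libexig::Bugzilla ({...})` is indirect object syntax; prefer `Libexig::Bugzilla->new({...})`.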
Index: check-updates
===================================================================
RCS file: check-updates
diff -N check-updates
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ check-updates 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,32 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Dump what's VULNERABLE, but been subject to an update
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+#use warnings;
+use strict;
+
+use Libexig::Audit;
+use Libexig::Bodhi;
+
+# Parse the audit file
+my $audit = new Libexig::Audit ({file => $ARGV[0]});
+
+foreach my $entry (@{$audit->{audit}}) {
+ $entry->{'status'} eq 'VULNERABLE' or next;
+
+ # See if the VULNERABLE bug was referenced by an update
+ foreach my $u (Libexig::Bodhi::get_updates ($entry->{component})) {
+ $u->{'_Bugs'}->{$entry->{bug}} or next;
+
+ # Modify the line accordingly
+ $entry->{since} = $u->{'Update ID'};
+ $u->{'Status'} eq 'stable' and $entry->{status} = 'fixed';
+ Libexig::Audit::update_entry ($entry);
+
+ last;
+ };
+}
+
+$audit->save;
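Review bot: `$ARGV[0]` is passed to `Libexig::Audit` unchecked, so running the script with no argument constructs the object with `file => undef` and presumably fails later with a less helpful message; add `@ARGV == 1 or die 'Usage: check-updates <audit-file>';` before the constructor, matching what get-cve does. `use warnings` is commented out, which hides the undefined-value cases in the loop (an entry without a `bug` key used as a hash subscript, for instance) instead of reporting them; re-enable it or leave a comment explaining why it is off. The loop also reads `$audit->{audit}` directly rather than through an accessor, which ties the script to the object's internal layout. `new Libexig::Audit (...)` is indirect object syntax; prefer `Libexig::Audit->new(...)`.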
Index: generate-manifest
===================================================================
RCS file: generate-manifest
diff -N generate-manifest
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ generate-manifest 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# $Id$
+# List generate list of latest versions of all packages in a brew tag
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+if [ -z "$KOJI" ]
+then
+ KOJI="koji"
+fi
+
+if [ -z "$@" ]
+then
+ export TAGS="
+ dist-fc7-updates
+ dist-f8-updates
+ dist-f9-build
+ "
+else
+ export TAGS="$@"
+fi
+
+for TAG in $TAGS
+do
+ echo -n "Generating manifest for $TAG..."
+ "$KOJI" list-tagged --inherit --latest "$TAG" >"$TAG"
+ echo " done"
+done
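Review bot: `if [ -z "$@" ]` only works for zero or one argument: with two or more tags `"$@"` expands to several words and `test` sees a malformed expression, so the no-arguments branch is not reliably detected; use `if [ $# -eq 0 ]`. The `koji` call is unchecked and the redirection truncates `"$TAG"` before `koji` runs, so a failed listing leaves an empty manifest while the script still prints `done`; `"$KOJI" list-tagged --inherit --latest "$TAG" >"$TAG" || { echo " failed" >&2; exit 1; }` keeps the failure visible. `echo -n` is not portable under `#!/bin/sh`; `printf '%s' "Generating manifest for $TAG..."` is.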
Index: get-cve
===================================================================
RCS file: get-cve
diff -N get-cve
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ get-cve 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,18 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Get CVE information from NVD
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+
+use warnings;
+use strict;
+
+use Libexig::CVE;
+use Data::Dumper;
+
+ at ARGV or die 'Usage: get-cve <cve> [...]';
+
+foreach my $cve (@ARGV) {
+ print Dumper ($cve, Libexig::CVE::cve ($cve));
+}
Index: package-release
===================================================================
RCS file: package-release
diff -N package-release
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ package-release 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,96 @@
+#!/usr/bin/perl -w
+
+# $Id$
+
+# Script for querying which release we ship a package in, and what the
+# version of said package is.
+#
+# This script was originally writeen by Jason L Tibbitts III
+
+# TODO: Use getopt (add options at that time)
+# TODO: Allow for fuzzy matching (partial searching)
+
+use LWP::Simple;
+use Net::FTP;
+use strict;
+
+# Global variables
+my ($owner_file, $mirror_host, $mirror_path, @releases);
+
+
+$owner_file='http://cvs.fedora.redhat.com/viewcvs/*checkout*/owners/owners.list?root=extras';
+$mirror_host='download.fedora.redhat.com';
+$mirror_path='/pub/fedora/linux/releases/%s/Everything/source/SRPMS';
+ at releases=qw( 7 );
+
+sub get_owner_content {
+ my $match = pop;
+
+ my ($distro, $package, $desc, $owner, $qa, $cc);
+
+ my %owner;
+
+ my $owner_content = get($owner_file)
+ or die "Couldn't get $owner_file";
+
+ foreach (split(/\n/, $owner_content)) {
+ next if /^#/;
+ chomp;
+
+ ($distro, $package, $desc, $owner, $qa, $cc) = split(/\|/, $_);
+
+ next if ( $package !~ m/$match/i);
+
+ $owner{$package} = {};
+ $owner{$package}->{'product'} = $distro;
+ $owner{$package}->{'package'} = $package;
+ $owner{$package}->{'description'} = $desc;
+ $owner{$package}->{'owner'} = $owner;
+ $owner{$package}->{'qacontact'} = $qa;
+ $owner{$package}->{'cclist'} = $cc;
+ }
+
+ return %owner;
+
+}
+
+my $package = $ARGV[0];
+
+my %owner = get_owner_content($package);
+
+if (!keys(%owner) or $package eq '') {
+ print "Could not find package \"$package\" in $owner_file\n";
+ exit 1;
+}
+
+foreach (keys(%owner)) {
+print "Found package $_ in owners.list:\n";
+}
+
+my $ftp = Net::FTP->new($mirror_host, Debug => 0)
+ or die "Cannot connect to $mirror_host: $@";
+$ftp->login("anonymous",'-anonymous@')
+ or die "Cannot login ", $ftp->message;
+
+
+foreach my $release (@releases) {
+ my ($f, $dir, $files, $rev, $ver, $name);
+
+ $dir = sprintf($mirror_path, $release);
+ $release eq "development" && ($release = "dev");
+ $files = $ftp->ls($dir)
+ or die "Cannot list directory ", $ftp->message;
+
+ foreach my $f (@$files) {
+ chomp($f);
+ $f =~ s/$dir\///;
+ next unless $f =~ /^(.*$package.*)-([^\-]*)-([^\-]*)\.src\.rpm$/i;
+ $name = $1;
+ $ver = $2;
+ $rev = $3;
+
+ print " $release\t$name\t$ver\t$rev\t$f\n";
+ }
+}
+
+$ftp->quit;
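Review bot: The package name from `$ARGV[0]` is interpolated unescaped into the regexes in `get_owner_content` (`m/$match/i`) and in the SRPM loop (`/^(.*$package.*)-.../i`), so names containing regex metacharacters — `gtk+`, or any name with a dot — match a different set of packages than the literal name; `m/\Q$match\E/i` and `^(.*\Q$package\E.*)-` give literal matching, and the `TODO` on fuzzy matching can then be implemented deliberately. `$dir` is interpolated the same way in `s/$dir\///`; `s{\Q$dir\E/}{}` avoids the same problem. The `$package eq ''` check runs after `get_owner_content($package)` has already been called, so an invocation without an argument produces an uninitialized-value warning under `-w` before the usage message; test `@ARGV` before the call. The `$release eq "development"` rewrite happens after `sprintf` has built `$dir`, so the renamed value only affects the printout; worth a comment if that is intended.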
Index: parse-announce
===================================================================
RCS file: parse-announce
diff -N parse-announce
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ parse-announce 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,99 @@
+#!/usr/bin/perl -w
+
+# $Id$
+
+use strict;
+use Mail::Mbox::MessageParser;
+use Email::Simple;
+
+die "\nUsage: parse-announce mbox-file audit-file\n\n" if not defined($ARGV[1]);
+
+my $mbox_filename = $ARGV[0];
+my $audit_filename = $ARGV[1];
+my (@file, %cve_id, $audit_version);
+
+$ARGV[1] =~ /(\d+)$/;
+$audit_version = $1;
+
+# Suck in the audit file
+open(FH, $ARGV[1]);
+while (<FH>) {
+ my ($temp_cve, $temp_text, $temp_line, $temp_package);
+ chomp;
+ $temp_line = $_;
+ push @file, $temp_line;
+
+ if ($temp_line =~ /^(CVE-\d{4}-\d{4}) (.*)/) {
+ $temp_cve = $1;
+ $temp_text = $2;
+ if ($temp_text =~ /\(([\w\-\_\.]+)[\,\)]/) {
+ $temp_package = $1;
+ } elsif ($temp_text =~ /\*\* (\w+)/) {
+ $temp_package = $1;
+ } else {
+ die "Couldn't determine the package name from the audit file";
+ }
+
+ $cve_id{$temp_cve} = {} if not $cve_id{$temp_cve};
+ $cve_id{$temp_cve}->{$temp_package} = [$#file, $temp_line];
+ }
+}
+
+close(FH);
+
+my $folder_reader = new Mail::Mbox::MessageParser({
+ 'file_name' => $mbox_filename,
+ 'enable_cache' => 0,
+});
+
+die $folder_reader unless ref $folder_reader;
+
+while (!$folder_reader->end_of_file()) {
+ my (@cves, $errata_id, $temp_cve);
+ my ($product, $package);
+
+
+ my $email = $folder_reader->read_next_email();
+ my $mail = Email::Simple->new($$email);
+ my $subject = $mail->header('Subject');
+ my $body = $mail->body;
+
+ if ($body =~ m/Product\s*:\s+Fedora Core (\d+)/) {
+ $product = $1;
+ } else {
+ # Add support for fedora extras here
+ warn "Product name couldn't be found";
+ next;
+ }
+
+ if ($body =~ m/Name\s*:\s+(\w+)/) {
+ $package = $1;
+ } else {
+ warn "Package Name couldn't be found";
+ next;
+ }
+
+ if ($body =~ m/(FEDORA-\d{4}-\d+)/) {
+ $errata_id = $1;
+ } else {
+ warn "Errata ID couldn't be found";
+ next;
+ }
+
+ while ($body =~ m/(CVE-\d{4}-\d{4})/g) {
+ if ($cve_id{$1}) {
+ if ($cve_id{$1}->{$package} and $product eq $audit_version) {
+ $cve_id{$1}->{$package}->[1] .= "[since $errata_id]";
+ my $file_line = $cve_id{$1}->{$package}->[0];
+ next if $file[$file_line] =~ /\[since FEDORA/;
+ $file[$file_line] = $file[$file_line] . " [since $errata_id]"
+ }
+ } else {
+ print "$1 **FIXME** ($package) [since $errata_id]\n";
+ }
+ }
+}
+
+foreach (@file) {
+ print $_, "\n";
+}
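Review bot: `open(FH, $ARGV[1]);` is a two-argument open with a bareword handle and no error check: a filename starting with `<`, `>` or `|`, or with leading or trailing whitespace, is interpreted as a mode, and a missing file silently leaves `@file` empty so the output drops every audit line. Use the three-argument form with the variable the script already declares, `open my $fh, '<', $audit_filename or die "open $audit_filename: $!";`, and read with `while (my $line = <$fh>)`. `$audit_version = $1;` after `$ARGV[1] =~ /(\d+)$/` picks up a stale capture when the filename has no trailing digits; `($audit_version) = $audit_filename =~ /(\d+)\z/ or die "no version number in $audit_filename";` fails early instead. `$mbox_filename` and `$audit_filename` are declared but `$ARGV[1]` is still used directly for the audit file; using the named variables consistently reads better.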
Index: suidaudit
===================================================================
RCS file: suidaudit
diff -N suidaudit
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ suidaudit 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,47 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Audit RPM files for setuid and setgid files
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+use strict;
+use warnings;
+
+use RPM2;
+use Fcntl ':mode';
+
+foreach my $rpm (@ARGV) {
+
+ my $hdr = RPM2->open_package ($rpm)
+ or die $!;
+
+ my $pkgname = $hdr->tag('Name');
+
+ my $name; my @names = $hdr->tag('BASENAMES');
+ my $mode; my @modes = $hdr->tag('FILEMODES');
+ my $class; my @classes = $hdr->tag('FILECLASS');
+ my $dirindex; my @dirindexes = $hdr->tag('DIRINDEXES');
+ my $username; my @usernames = $hdr->tag('FILEUSERNAME');
+ my $groupname; my @groupnames = $hdr->tag('FILEGROUPNAME');
+
+ my @classdict = $hdr->tag('CLASSDICT');
+ my @dirnames = $hdr->tag('DIRNAMES');
+
+ while (
+ $mode = shift @modes,
+ $username = shift @usernames,
+ $groupname = shift @groupnames,
+ $class = shift @classes,
+ $dirindex = shift @dirindexes,
+ $name = shift @names
+ ) {
+ if ($mode & S_IFREG and $mode & (S_ISUID | S_ISGID)) {
+ printf "%-25s %06o %8s:%-8s %-30s %-.50s...\n",
+ $pkgname, $mode,
+ (($mode & S_ISUID) ? $username : '-'),
+ (($mode & S_ISGID) ? $groupname : '-'),
+ $dirnames[$dirindex].$name,
+ $classdict[$class];
+ }
+ }
+}
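Review bot: `$mode & S_IFREG` in the inner `if` does not test for a regular file: `S_IFREG` is one bit of the `S_IFMT` field and that bit is also set in `S_IFLNK` and `S_IFSOCK`, so symlink and socket entries pass the check too; use the predicate `Fcntl ':mode'` exports, `if (S_ISREG($mode) and $mode & (S_ISUID | S_ISGID))`. `die $!` after `RPM2->open_package` presumably reports an unrelated errno when the module fails for a non-errno reason such as a malformed package; `die "cannot open $rpm: $!"` at least names the offending file. The comma-chained `while` condition ends the loop as soon as `shift @names` yields a false value, which also covers a basename of `0`; a short comment on why the last `shift` is the terminating one would help the reader.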
Index: update-cve-cache
===================================================================
RCS file: update-cve-cache
diff -N update-cve-cache
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ update-cve-cache 14 Jan 2008 16:04:47 -0000 1.2
@@ -0,0 +1,14 @@
+#!/usr/bin/env perl
+
+# $Id$
+# Generate CVE cache so that tools utilizing Libexig::CVE run smoothly
+# Lubomir Kundrak <lkundrak at redhat.com>
+
+use warnings;
+use strict;
+
+use Libexig::CVE;
+
+#Libexig::CVE::nvdcache ('nvdcve-modified.xml');
+#Libexig::CVE::nvdcache ('nvdcve-recent.xml');
+Libexig::CVE::nvdcache ('nvdcve-'.$_.'.xml') foreach (2002..`date +%Y`);
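Review bot: The range end is a backtick command substitution of `date +%Y`, which forks a shell and uses whichever `date` is first in `$PATH` for a value Perl provides directly; `my $year = (localtime)[5] + 1900;` followed by `foreach (2002 .. $year)` removes the external dependency and the trailing newline the command returns. The lower bound `2002` and the `nvdcve-<year>.xml` naming are undocumented; a comment such as `# NVD publishes one per-year feed; presumably 2002 is the earliest available` would help, and the two commented-out `modified`/`recent` lines should say why they were disabled or be removed.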