update-intel-microcode does not find latest available microcode update

cf. https://lists.ubuntu.com/archives/kernel-team/2010-March/009496.html

This very dirty bash snippet works (currently):

#!/bin/sh
JSON=$(wget -qO- 'http://downloadcenter.intel.com/JSONDataProvider.aspx?sort=Date&sortDir=descending&Hits=1&keyword="Linux microcode "&lang=eng&refresh=filters&dataType=json')
VERSION=$(echo $JSON | sed 's/^.*,"version":"\([^"]*\).*$/\1/')
DOWNLOADID=$(echo $JSON |sed 's/^.*,"downloadid":"\([^"]*\).*$/\1/')
wget "http://downloadmirror.intel.com/${DOWNLOADID}/eng/microcode-${VERSION}.tgz"

It's obviously incorrect to run sed on serialized data, though. And this example will fail on marginal changes.

Better ways of parsing JSON (such as using python) are discussed at
http://stackoverflow.com/questions/1955505/parsing-json-with-sed-and-awk

I can't say I'm mad about eval()ing data from a web site, as root.
Also, rename won't work across mounts, why not just use the Python tarfile module?
Lintian threw a remote_fs error on build.

How's this patch?

Hi Stefano - your changes are indeed good and resolve the potential security problem of using eval, which I don't like either.

Thanks for the help! Daniel

Uploaded. Seems like a reasonable candidate for an SRU (if we care about multiverse that much)

This bug was fixed in the package microcode.ctl - 1.17-13ubuntu1

---------------
microcode.ctl (1.17-13ubuntu1) maverick; urgency=low

  [ Daniel J Blueman ]
  * Rewrote update-intel-microcode script to robustly parse and
    download updated microcode correctly (LP: #569488)

  [ Stefano Rivera ]
  * update-intel-microcode: Do not eval() code from the Internet, and use
    Python's built in tarfile library rather than a temporary directory.
  * debian/microcode.ctl.init: Depend on $remote_fs.
 -- Daniel J Blueman <email address hidden> Wed, 12 May 2010 14:10:06 +0100

Since this package is currently broken in Lucid (10.04), which is a https://wiki.ubuntu.com/LTS release, and since this update also fixes a possible security issue (as Stefano pointed out in his 'Do not eval() code from the Internet' changelog statement), I would assume this qualifies for https://wiki.ubuntu.com/StableReleaseUpdates and would appreciate one taking place.

Actually the 'Do not eval() code from the Internet' changelog statement refers to a previous version of this patch, not to the version currently in Lucid, sorry.

On 11.08.2010 09:27, Moritz Naumann wrote:
> Since this package is currently broken in Lucid (10.04), which is a
> https://wiki.ubuntu.com/LTS release, and since this update also fixes a
> possible security issue (as Stefano pointed out in his 'Do not eval()
> code from the Internet' changelog statement), I would assume this
> qualifies for https://wiki.ubuntu.com/StableReleaseUpdates and would
> appreciate one taking place.

I've heard about 'Do not eval() code from the Internet'", but there are
not such eval and unsecure things.
The shell code was designed to be safe, and I've not yet seen problems.
It do the same things as the python code, probably using the same code
(C library to do the core things), with the same security.

BTW I plan to push the ubuntu python code also in Debian package, and
asking for a unblock (python code is somewhat more manageable
than shell, considering that Intel cannot really have a stable
method to release new firmware).

PS: and done correctly, e.g. the ubuntu patch lacked of python
dependency.

ciao
 cate

> I've heard about 'Do not eval() code from the Internet'", but there are
> not such eval and unsecure things.

Those were modifications I made to the first python version of this script, which used eval instead of a json parser. See the patch above.