Merge ~alexmurray/ubuntu-cve-tracker:import-rhel8oval into ubuntu-cve-tracker:master

Proposed by Alex Murray
Status: Merged
Merged at revision: 8fc85035e0f28ef84a37fb6e7912a948b62a7a7f
Proposed branch: ~alexmurray/ubuntu-cve-tracker:import-rhel8oval
Merge into: ubuntu-cve-tracker:master
Diff against target: 389 lines (+148/-29)
13 files modified
active/CVE-2019-13616 (+1/-1)
active/CVE-2019-20433 (+2/-0)
active/CVE-2020-5209 (+3/-2)
active/CVE-2020-5210 (+3/-2)
active/CVE-2020-5211 (+7/-6)
active/CVE-2020-5212 (+3/-2)
active/CVE-2020-5213 (+3/-2)
active/CVE-2020-5214 (+3/-2)
active/CVE-2020-7969 (+1/-1)
active/CVE-2020-8002 (+4/-4)
active/CVE-2020-8003 (+4/-4)
scripts/check-cves (+93/-0)
scripts/process_cves (+21/-3)
Reviewer: Steve Beattie; status: Approve
Review via email: mp+378556@code.launchpad.net
Alex Murray (alexmurray) wrote :
Steve Beattie (sbeattie) wrote :

Looks good to me, merged. I fixed in a follow-up commit the XML tag used to identify reference URLs; the relevant XML is:

  <reference ref_id="CVE-2019-10218" ref_url="https://access.redhat.com/security/cve/CVE-2019-10218" source="CVE"/>

Thanks!

review: Approve
Alex Murray (alexmurray) wrote :

Ah, thanks Steve.

Preview Diff

1diff --git a/active/CVE-2019-13616 b/active/CVE-2019-13616
2index e3fa4d2..44f1cea 100644
3--- a/active/CVE-2019-13616
4+++ b/active/CVE-2019-13616
5@@ -55,7 +55,7 @@ xenial_libsdl2-image: needed
6 bionic_libsdl2-image: needed
7 disco_libsdl2-image: ignored (reached end-of-life)
8 eoan_libsdl2-image: needed
9-devel_libsdl2-image: needed
10+devel_libsdl2-image: not-affected (2.0.5+dfsg1-2)
11
12 Patches_sdl-image1.2:
13 upstream: https://hg.libsdl.org/SDL_image/rev/a59bfe382008
14diff --git a/active/CVE-2019-20433 b/active/CVE-2019-20433
15index 5d7bbcf..e9fa25e 100644
16--- a/active/CVE-2019-20433
17+++ b/active/CVE-2019-20433
18@@ -10,6 +10,8 @@ Description:
19 variable.
20 Ubuntu-Description:
21 Notes:
22+ leosilva> the fix proposed can potentially break applications
23+ leosilva> that depends on it.
24 Mitigation:
25 Bugs:
26 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935128
27diff --git a/active/CVE-2020-5209 b/active/CVE-2020-5209
28index c3c32b9..a9f4a71 100644
29--- a/active/CVE-2020-5209
30+++ b/active/CVE-2020-5209
31@@ -12,15 +12,16 @@ Description:
32 options. Users should upgrade to NetHack 3.6.5.
33 Ubuntu-Description:
34 Notes:
35+ msalvatore> Nethack is installed sgid games, but not suid or sgid root.
36 Mitigation:
37 Bugs:
38-Priority: untriaged
39+Priority: low
40 Discovered-by:
41 Assigned-to:
42
43
44 Patches_nethack:
45-upstream_nethack: needs-triage
46+upstream_nethack: released (2.6.5)
47 precise/esm_nethack: DNE
48 trusty_nethack: ignored (out of standard support)
49 trusty/esm_nethack: DNE
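Review bot: `upstream_nethack: released (2.6.5)` looks like a typo for 3.6.5: the Description context at the top of this hunk says "Users should upgrade to NetHack 3.6.5", and the same 2.6.5 value is repeated in the CVE-2020-5210 through CVE-2020-5214 hunks below. Suggest `upstream_nethack: released (3.6.5)` in all six files. It is also worth confirming that the Ubuntu release lines (xenial through devel), which lie outside this hunk and are left untouched here, should not move to `needed` as the CVE-2020-5211 hunk does for the same package.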
50diff --git a/active/CVE-2020-5210 b/active/CVE-2020-5210
51index 3f7cd5d..638c80a 100644
52--- a/active/CVE-2020-5210
53+++ b/active/CVE-2020-5210
54@@ -12,15 +12,16 @@ Description:
55 influence command line options. Users should upgrade to NetHack 3.6.5.
56 Ubuntu-Description:
57 Notes:
58+ msalvatore> Nethack is installed sgid games, but not suid or sgid root.
59 Mitigation:
60 Bugs:
61-Priority: untriaged
62+Priority: low
63 Discovered-by:
64 Assigned-to:
65
66
67 Patches_nethack:
68-upstream_nethack: needs-triage
69+upstream_nethack: released (2.6.5)
70 precise/esm_nethack: DNE
71 trusty_nethack: ignored (out of standard support)
72 trusty/esm_nethack: DNE
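Review bot: same version mismatch as in the CVE-2020-5209 hunk: `upstream_nethack: released (2.6.5)` should read `released (3.6.5)` to match the "upgrade to NetHack 3.6.5" Description context above.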
73diff --git a/active/CVE-2020-5211 b/active/CVE-2020-5211
74index 9f3a8aa..3b099c2 100644
75--- a/active/CVE-2020-5211
76+++ b/active/CVE-2020-5211
77@@ -12,19 +12,20 @@ Description:
78 Users should upgrade to NetHack 3.6.5.
79 Ubuntu-Description:
80 Notes:
81+ msalvatore> Nethack is installed sgid games, but not suid or sgid root.
82 Mitigation:
83 Bugs:
84-Priority: untriaged
85+Priority: low
86 Discovered-by:
87 Assigned-to:
88
89
90 Patches_nethack:
91-upstream_nethack: needs-triage
92+upstream_nethack: released (2.6.5)
93 precise/esm_nethack: DNE
94 trusty_nethack: ignored (out of standard support)
95 trusty/esm_nethack: DNE
96-xenial_nethack: needs-triage
97-bionic_nethack: needs-triage
98-eoan_nethack: needs-triage
99-devel_nethack: needs-triage
100+xenial_nethack: needed
101+bionic_nethack: needed
102+eoan_nethack: needed
103+devel_nethack: needed
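Review bot: `upstream_nethack: released (2.6.5)` has the same 2.6.5/3.6.5 mismatch as the other NetHack hunks and should read `released (3.6.5)`. This is also the only one of the six NetHack CVEs whose hunk moves xenial, bionic, eoan and devel from `needs-triage` to `needed`; if the sgid-games note and low priority apply equally to CVE-2020-5209, 5210, 5212, 5213 and 5214, their release lines presumably want the same treatment, or a note saying why this one differs.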
104diff --git a/active/CVE-2020-5212 b/active/CVE-2020-5212
105index 5323e39..0565cbe 100644
106--- a/active/CVE-2020-5212
107+++ b/active/CVE-2020-5212
108@@ -12,15 +12,16 @@ Description:
109 NetHack 3.6.5.
110 Ubuntu-Description:
111 Notes:
112+ msalvatore> Nethack is installed sgid games, but not suid or sgid root.
113 Mitigation:
114 Bugs:
115-Priority: untriaged
116+Priority: low
117 Discovered-by:
118 Assigned-to:
119
120
121 Patches_nethack:
122-upstream_nethack: needs-triage
123+upstream_nethack: released (2.6.5)
124 precise/esm_nethack: DNE
125 trusty_nethack: ignored (out of standard support)
126 trusty/esm_nethack: DNE
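Review bot: same version mismatch as in the CVE-2020-5209 hunk: `upstream_nethack: released (2.6.5)` should read `released (3.6.5)` to match the Description context above.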
127diff --git a/active/CVE-2020-5213 b/active/CVE-2020-5213
128index 0679c33..74b6bea 100644
129--- a/active/CVE-2020-5213
130+++ b/active/CVE-2020-5213
131@@ -12,15 +12,16 @@ Description:
132 3.6.5.
133 Ubuntu-Description:
134 Notes:
135+ msalvatore> Nethack is installed sgid games, but not suid or sgid root.
136 Mitigation:
137 Bugs:
138-Priority: untriaged
139+Priority: low
140 Discovered-by:
141 Assigned-to:
142
143
144 Patches_nethack:
145-upstream_nethack: needs-triage
146+upstream_nethack: released (2.6.5)
147 precise/esm_nethack: DNE
148 trusty_nethack: ignored (out of standard support)
149 trusty/esm_nethack: DNE
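Review bot: same version mismatch as in the CVE-2020-5209 hunk: `upstream_nethack: released (2.6.5)` should read `released (3.6.5)` to match the Description context above.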
150diff --git a/active/CVE-2020-5214 b/active/CVE-2020-5214
151index e0fa344..3b82e91 100644
152--- a/active/CVE-2020-5214
153+++ b/active/CVE-2020-5214
154@@ -12,15 +12,16 @@ Description:
155 3.6.5.
156 Ubuntu-Description:
157 Notes:
158+ msalvatore> Nethack is installed sgid games, but not suid or sgid root.
159 Mitigation:
160 Bugs:
161-Priority: untriaged
162+Priority: low
163 Discovered-by:
164 Assigned-to:
165
166
167 Patches_nethack:
168-upstream_nethack: needs-triage
169+upstream_nethack: released (2.6.5)
170 precise/esm_nethack: DNE
171 trusty_nethack: ignored (out of standard support)
172 trusty/esm_nethack: DNE
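Review bot: same version mismatch as in the CVE-2020-5209 hunk: `upstream_nethack: released (2.6.5)` should read `released (3.6.5)` to match the Description context above.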
173diff --git a/active/CVE-2020-7969 b/active/CVE-2020-7969
174index faf087e..d9108b9 100644
175--- a/active/CVE-2020-7969
176+++ b/active/CVE-2020-7969
177@@ -19,7 +19,7 @@ upstream_gitlab: not-affected (debian: Only affects Gitlab EE 8.0 and later)
178 precise/esm_gitlab: DNE
179 trusty_gitlab: ignored (out of standard support)
180 trusty/esm_gitlab: DNE
181-xenial_gitlab: needs-triage
182+xenial_gitlab: not-affected (code not present)
183 bionic_gitlab: DNE
184 eoan_gitlab: DNE
185 devel_gitlab: DNE
186diff --git a/active/CVE-2020-8002 b/active/CVE-2020-8002
187index 3b3baea..68b1499 100644
188--- a/active/CVE-2020-8002
189+++ b/active/CVE-2020-8002
190@@ -22,11 +22,11 @@ Assigned-to:
191
192
193 Patches_virglrenderer:
194-upstream_virglrenderer: needs-triage
195+upstream_virglrenderer: needed
196 precise/esm_virglrenderer: DNE
197 trusty_virglrenderer: ignored (out of standard support)
198 trusty/esm_virglrenderer: DNE
199 xenial_virglrenderer: DNE
200-bionic_virglrenderer: needs-triage
201-eoan_virglrenderer: needs-triage
202-devel_virglrenderer: needs-triage
203+bionic_virglrenderer: not-affected (code not present)
204+eoan_virglrenderer: needed
205+devel_virglrenderer: needed
206diff --git a/active/CVE-2020-8003 b/active/CVE-2020-8003
207index 257c734..8a39f3d 100644
208--- a/active/CVE-2020-8003
209+++ b/active/CVE-2020-8003
210@@ -23,11 +23,11 @@ Assigned-to:
211
212
213 Patches_virglrenderer:
214-upstream_virglrenderer: needs-triage
215+upstream_virglrenderer: needed
216 precise/esm_virglrenderer: DNE
217 trusty_virglrenderer: ignored (out of standard support)
218 trusty/esm_virglrenderer: DNE
219 xenial_virglrenderer: DNE
220-bionic_virglrenderer: needs-triage
221-eoan_virglrenderer: needs-triage
222-devel_virglrenderer: needs-triage
223+bionic_virglrenderer: needed
224+eoan_virglrenderer: needed
225+devel_virglrenderer: needed
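Review bot: `bionic_virglrenderer: needed` here disagrees with the CVE-2020-8002 hunk just above, which marks the same release `not-affected (code not present)` for the same package. Both are plausible, but since the two CVEs are adjacent virglrenderer issues it is worth double-checking which one is right for bionic and, if the difference is intentional, recording why in the Notes section so the next triager does not "fix" it.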
226diff --git a/scripts/check-cves b/scripts/check-cves
227index cbf1631..7c9b47e 100755
228--- a/scripts/check-cves
229+++ b/scripts/check-cves
230@@ -50,6 +50,7 @@ parser.add_option("-R", "--refresh", help="Refresh CVE descriptions", action="st
231 parser.add_option("", "--test", help="Run regression tests", action="store_true")
232 parser.add_option("--untriaged", help="Process untriaged CVEs from output of locate_cves.py", metavar="FILE")
233 parser.add_option("--mbox", help="Process untriaged CVEs from mbox file", metavar="FILE")
234+parser.add_option("--rhel8oval", help="Process untriaged RHEL8 CVEs", metavar="FILE")
235 parser.add_option("--import-missing-debian", help="Process missing Debian CVEs", action="store_true")
236 parser.add_option("--debug", help="Report debugging information", action="store_true")
237 (opt, args) = parser.parse_args()
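Review bot: the help string "Process untriaged RHEL8 CVEs" does not say what kind of file the option expects. The neighbouring `--untriaged` and `--mbox` options name their input ("from output of locate_cves.py", "from mbox file"); suggest matching that, e.g. `help="Process untriaged CVEs from RHEL8 OVAL XML file"`, so a user does not pass the .bz2 or the generated .json by mistake.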
238@@ -382,6 +383,93 @@ def import_debian(handler):
239 return tmpname
240
241
242+class RHEL8OVALHandler(xml.sax.handler.ContentHandler):
243+ """SAX handler for processing rhel8 OVAL XML."""
244+
245+ def __init__(self, ignore=[]):
246+ # For per-hit processing
247+ self._curr_vuln = None
248+ self._curr_cve = None
249+ self._curr_pkgs = []
250+ self._curr_url = []
251+ self._curr_source = None
252+
253+ self._curr_chars_collect = False
254+ self._curr_chars = ""
255+
256+ self._timestamp = None
257+ self._cves = dict()
258+
259+ def startElement(self, name, attrs):
260+ if name == 'oval:timestamp':
261+ if opt.verbose:
262+ print("Parsing RHEL8 OVAL schema", file=sys.stderr)
263+ self._curr_chars_collect = True
264+ self._curr_chars = ""
265+ if name == "definition" and attrs['class'] == 'vulnerability':
266+ self._curr_vuln = attrs['id']
267+ self._curr_desc = None
268+ self._curr_cve = None
269+ self._curr_url = None
270+ if name == "title":
271+ self._curr_chars_collect = True
272+ self._curr_chars = ""
273+ if name == "reference":
274+ self._curr_cve = attrs['ref_id']
275+ if 'url' in attrs:
276+ self._curr_url = attrs['url']
277+
278+ def characters(self, content):
279+ if self._curr_chars_collect:
280+ self._curr_chars += content
281+
282+ def endElement(self, name):
283+ self._curr_chars_collect = False
284+ if name == 'oval:timestamp':
285+ self._timestamp = datetime.datetime.strptime(self._curr_chars, "%Y-%m-%dT%H:%M:%S")
286+ if name == "title":
287+ title = self._curr_chars
288+ # rhel oval titles are of form "CVE-XXXX-XXXX Name: Description
289+ # here (priority)" - we want to keep "Name: Description here"
290+ self._curr_desc = ' '.join(title.split(' ')[1:-1])
291+ if name == "definition":
292+ self._cves.setdefault(self._curr_cve, dict())
293+ self._cves[self._curr_cve].setdefault('desc', self._curr_desc)
294+ self._cves[self._curr_cve].setdefault('refs', [self._curr_url])
295+ self._cves[self._curr_cve].setdefault('date', self._timestamp)
296+
297+ def cves(self):
298+ return self._cves
299+
300+
301+def read_rhel8oval_file(f):
302+ '''Read in rhel8 oval
303+ This is sneaky because we read in the oval and then output a fake JSON
304+ file for processing.
305+ '''
306+ if not os.path.isfile(f):
307+ print("'%s' not a file" % f, file=sys.stderr)
308+ sys.exit(1)
309+
310+ name = os.path.abspath(f + ".json")
311+ if os.path.exists(name):
312+ print("'%s' already exists" % name, file=sys.stderr)
313+ sys.exit(1)
314+
315+ parser = xml.sax.make_parser()
316+ handler = RHEL8OVALHandler()
317+ parser.setContentHandler(handler)
318+ parser.parse(f)
319+
320+ cves = handler.cves()
321+ nvd = convert_to_nvd(cves, lambda cve: cves[cve]['desc'])
322+ tmp = tempfile.NamedTemporaryFile(mode='w', prefix='rhel8oval-import_', suffix='.json', delete=False)
323+ tmpname = tmp.name
324+ tmp.file.write(json.dumps(nvd))
325+ tmp.close()
326+
327+ return tmpname
328+
329 def read_locate_cves_output(f):
330 '''Read in output of UCT/scripts/locate_cves.py
331 This is sneaky because we read in the output and then output a fake JSON
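Review bot: `if 'url' in attrs: self._curr_url = attrs['url']` in `startElement` never matches, because the OVAL `reference` element carries the link in `ref_url` (see the `<reference ref_id=... ref_url=... source="CVE"/>` element quoted in the review comment), so every entry ends up with `'refs': [None]`. Suggest `attrs['ref_url']` and, since a definition can hold several `reference` elements and only the last one survives in `_curr_cve`, restricting to those with `source="CVE"`. Relatedly, `endElement` records a CVE on every closing `definition`, while `startElement` only tracks `class == 'vulnerability'` ones; guard the bookkeeping with `if self._curr_vuln is not None` and reset `_curr_vuln` afterwards so patch or RHSA definitions do not get filed under stale state. Smaller points: `ignore=[]` is a mutable default and is unused, as are `_curr_pkgs` and `_curr_source`; `_curr_url` starts as a list but is later `None` or a string; `_curr_desc` is never initialised in `__init__` (an `AttributeError` if the first `definition` closes without a `title`); and the base `ContentHandler.__init__` is not called. In `read_rhel8oval_file`, the `name = os.path.abspath(f + ".json")` existence check exits early but `name` is never used afterwards, since the output goes to a `NamedTemporaryFile`; either drop the check or write to `name` as the docstring implies.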
332@@ -1367,6 +1455,11 @@ if opt.mbox:
333 untriaged_json = read_mbox_file(opt.mbox)
334 args.append(untriaged_json)
335
336+rhel8oval_import_json = ""
337+if opt.rhel8oval:
338+ untriaged_json = read_rhel8oval_file(opt.rhel8oval)
339+ args.append(untriaged_json)
340+
341 debian_import_json = ""
342 if opt.import_missing_debian and handler.debian is not None:
343 debian_import_json = import_debian(handler)
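Review bot: `rhel8oval_import_json = ""` is set but the return value of `read_rhel8oval_file` is stored in `untriaged_json`, so `rhel8oval_import_json` stays empty. If it is meant to mirror `debian_import_json` (which does receive its temp file name, presumably for later cleanup), assign to it instead; otherwise drop the unused variable. Note also that `untriaged_json` is the same name the `--mbox` branch directly above assigns, so passing both options silently reuses the variable even though both paths do append to `args`.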
344diff --git a/scripts/process_cves b/scripts/process_cves
345index 752e255..3152b0f 100755
346--- a/scripts/process_cves
347+++ b/scripts/process_cves
348@@ -126,7 +126,7 @@ process_missing_debian() {
349 ./scripts/check-cves --import-missing-debian
350 }
351
352-download_missing_redhat() {
353+download_missing_rhsa() {
354 tmpdir="$1"
355 archive="$2.txt"
356 fn="$tmpdir/$archive"
357@@ -148,12 +148,30 @@ download_missing_redhat() {
358 ./scripts/locate_cves.py "$fn" >> "$tmpdir/redhat.mbox"
359 }
360
361+download_rhel8oval() {
362+ tmpdir="$1"
363+ archive="$2"
364+ fn="$tmpdir/$archive"
365+ url="https://www.redhat.com/security/data/oval/v2/RHEL8/$archive.bz2"
366+
367+ echo "Downloading $url..."
368+ # curl and wget fail with redhat's web proxy
369+ w3m -dump_source "$url" > "$fn.bz2"
370+ echo "Unzipping $fn.bz2..."
371+ bzip2 -d "$fn.bz2"
372+}
373+
374 process_missing_redhat() {
375 tmpdir=$(mktemp -d)
376- download_missing_redhat "$tmpdir" "$(date +%Y-%B)"
377- download_missing_redhat "$tmpdir" "$(date --date="$(date +%Y-%m-15) -1 month" +%Y-%B)"
378+ download_missing_rhsa "$tmpdir" "$(date +%Y-%B)"
379+ download_missing_rhsa "$tmpdir" "$(date --date="$(date +%Y-%m-15) -1 month" +%Y-%B)"
380 ./scripts/check-cves --untriaged "$tmpdir/redhat.mbox"
381 rm -rf "$tmpdir"
382+
383+ tmpdir=$(mktemp -d)
384+ download_rhel8oval "$tmpdir" "rhel-8-including-unpatched.oval.xml"
385+ ./scripts/check-cves --rhel8oval "$tmpdir/rhel-8-including-unpatched.oval.xml"
386+ rm -rf "$tmpdir"
387 }
388
389 check_syntax() {
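Review bot: `download_rhel8oval` does not check that the download or the decompression succeeded. If `w3m -dump_source` returns an error page or an empty body, `bzip2 -d "$fn.bz2"` fails, no `.xml` is produced, and `check-cves --rhel8oval` then aborts on the missing file while `rm -rf "$tmpdir"` still runs, so nothing is left to inspect. Suggest checking the exit status at each step, e.g. `bzip2 -d "$fn.bz2" || { echo "failed to fetch $url" >&2; return 1; }`, and skipping the `check-cves` call when the download function fails. The comment "curl and wget fail with redhat's web proxy" would also be more useful if it said what fails, since a proxy-aware `curl`/`wget` invocation would let the script verify the HTTPS response rather than relying on w3m's page dump.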
