Merge ~alexmurray/ubuntu-cve-tracker:import-rhel8oval into ubuntu-cve-tracker:master
- Git
- lp:~alexmurray/ubuntu-cve-tracker
- import-rhel8oval
- Merge into master
Proposed by
Alex Murray
Status: | Merged |
---|---|
Merged at revision: | 8fc85035e0f28ef84a37fb6e7912a948b62a7a7f |
Proposed branch: | ~alexmurray/ubuntu-cve-tracker:import-rhel8oval |
Merge into: | ubuntu-cve-tracker:master |
Diff against target: |
389 lines (+148/-29) 13 files modified
active/CVE-2019-13616 (+1/-1) active/CVE-2019-20433 (+2/-0) active/CVE-2020-5209 (+3/-2) active/CVE-2020-5210 (+3/-2) active/CVE-2020-5211 (+7/-6) active/CVE-2020-5212 (+3/-2) active/CVE-2020-5213 (+3/-2) active/CVE-2020-5214 (+3/-2) active/CVE-2020-7969 (+1/-1) active/CVE-2020-8002 (+4/-4) active/CVE-2020-8003 (+4/-4) scripts/check-cves (+93/-0) scripts/process_cves (+21/-3) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Steve Beattie | Approve | ||
Review via email: mp+378556@code.launchpad.net |
Commit message
Description of the change
Revision history for this message
Alex Murray (alexmurray) wrote:
Steve Beattie (sbeattie) wrote:
Looks good to me, merged. I fixed in a follow-up commit the xml tag used to identify reference URLs; the relevant XML is:
<reference ref_id=
Thanks!
review:
Approve
Alex Murray (alexmurray) wrote:
Ah, thanks Steve.
Preview Diff
1 | diff --git a/active/CVE-2019-13616 b/active/CVE-2019-13616 |
2 | index e3fa4d2..44f1cea 100644 |
3 | --- a/active/CVE-2019-13616 |
4 | +++ b/active/CVE-2019-13616 |
5 | @@ -55,7 +55,7 @@ xenial_libsdl2-image: needed |
6 | bionic_libsdl2-image: needed |
7 | disco_libsdl2-image: ignored (reached end-of-life) |
8 | eoan_libsdl2-image: needed |
9 | -devel_libsdl2-image: needed |
10 | +devel_libsdl2-image: not-affected (2.0.5+dfsg1-2) |
11 | |
12 | Patches_sdl-image1.2: |
13 | upstream: https://hg.libsdl.org/SDL_image/rev/a59bfe382008 |
14 | diff --git a/active/CVE-2019-20433 b/active/CVE-2019-20433 |
15 | index 5d7bbcf..e9fa25e 100644 |
16 | --- a/active/CVE-2019-20433 |
17 | +++ b/active/CVE-2019-20433 |
18 | @@ -10,6 +10,8 @@ Description: |
19 | variable. |
20 | Ubuntu-Description: |
21 | Notes: |
22 | + leosilva> the fix proposed can potentially break applications |
23 | + leosilva> that depends on it. |
24 | Mitigation: |
25 | Bugs: |
26 | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935128 |
27 | diff --git a/active/CVE-2020-5209 b/active/CVE-2020-5209 |
28 | index c3c32b9..a9f4a71 100644 |
29 | --- a/active/CVE-2020-5209 |
30 | +++ b/active/CVE-2020-5209 |
31 | @@ -12,15 +12,16 @@ Description: |
32 | options. Users should upgrade to NetHack 3.6.5. |
33 | Ubuntu-Description: |
34 | Notes: |
35 | + msalvatore> Nethack is installed sgid games, but not suid or sgid root. |
36 | Mitigation: |
37 | Bugs: |
38 | -Priority: untriaged |
39 | +Priority: low |
40 | Discovered-by: |
41 | Assigned-to: |
42 | |
43 | |
44 | Patches_nethack: |
45 | -upstream_nethack: needs-triage |
46 | +upstream_nethack: released (2.6.5) |
47 | precise/esm_nethack: DNE |
48 | trusty_nethack: ignored (out of standard support) |
49 | trusty/esm_nethack: DNE |
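Review bot: the new `upstream_nethack: released (2.6.5)` line looks like a typo, since the Description context two lines up says "Users should upgrade to NetHack 3.6.5"; please change it to `released (3.6.5)` so the upstream status matches the fixed version the description names.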
50 | diff --git a/active/CVE-2020-5210 b/active/CVE-2020-5210 |
51 | index 3f7cd5d..638c80a 100644 |
52 | --- a/active/CVE-2020-5210 |
53 | +++ b/active/CVE-2020-5210 |
54 | @@ -12,15 +12,16 @@ Description: |
55 | influence command line options. Users should upgrade to NetHack 3.6.5. |
56 | Ubuntu-Description: |
57 | Notes: |
58 | + msalvatore> Nethack is installed sgid games, but not suid or sgid root. |
59 | Mitigation: |
60 | Bugs: |
61 | -Priority: untriaged |
62 | +Priority: low |
63 | Discovered-by: |
64 | Assigned-to: |
65 | |
66 | |
67 | Patches_nethack: |
68 | -upstream_nethack: needs-triage |
69 | +upstream_nethack: released (2.6.5) |
70 | precise/esm_nethack: DNE |
71 | trusty_nethack: ignored (out of standard support) |
72 | trusty/esm_nethack: DNE |
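Review bot: `+upstream_nethack: released (2.6.5)` disagrees with the Description context in this hunk ("Users should upgrade to NetHack 3.6.5"); the released version should read `3.6.5`.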
73 | diff --git a/active/CVE-2020-5211 b/active/CVE-2020-5211 |
74 | index 9f3a8aa..3b099c2 100644 |
75 | --- a/active/CVE-2020-5211 |
76 | +++ b/active/CVE-2020-5211 |
77 | @@ -12,19 +12,20 @@ Description: |
78 | Users should upgrade to NetHack 3.6.5. |
79 | Ubuntu-Description: |
80 | Notes: |
81 | + msalvatore> Nethack is installed sgid games, but not suid or sgid root. |
82 | Mitigation: |
83 | Bugs: |
84 | -Priority: untriaged |
85 | +Priority: low |
86 | Discovered-by: |
87 | Assigned-to: |
88 | |
89 | |
90 | Patches_nethack: |
91 | -upstream_nethack: needs-triage |
92 | +upstream_nethack: released (2.6.5) |
93 | precise/esm_nethack: DNE |
94 | trusty_nethack: ignored (out of standard support) |
95 | trusty/esm_nethack: DNE |
96 | -xenial_nethack: needs-triage |
97 | -bionic_nethack: needs-triage |
98 | -eoan_nethack: needs-triage |
99 | -devel_nethack: needs-triage |
100 | +xenial_nethack: needed |
101 | +bionic_nethack: needed |
102 | +eoan_nethack: needed |
103 | +devel_nethack: needed |
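Review bot: same version slip as the other NetHack entries: `+upstream_nethack: released (2.6.5)` should be `released (3.6.5)` to match "Users should upgrade to NetHack 3.6.5" in the Description context above. The needs-triage to needed changes for xenial through devel are consistent with the msalvatore note and the low priority.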
104 | diff --git a/active/CVE-2020-5212 b/active/CVE-2020-5212 |
105 | index 5323e39..0565cbe 100644 |
106 | --- a/active/CVE-2020-5212 |
107 | +++ b/active/CVE-2020-5212 |
108 | @@ -12,15 +12,16 @@ Description: |
109 | NetHack 3.6.5. |
110 | Ubuntu-Description: |
111 | Notes: |
112 | + msalvatore> Nethack is installed sgid games, but not suid or sgid root. |
113 | Mitigation: |
114 | Bugs: |
115 | -Priority: untriaged |
116 | +Priority: low |
117 | Discovered-by: |
118 | Assigned-to: |
119 | |
120 | |
121 | Patches_nethack: |
122 | -upstream_nethack: needs-triage |
123 | +upstream_nethack: released (2.6.5) |
124 | precise/esm_nethack: DNE |
125 | trusty_nethack: ignored (out of standard support) |
126 | trusty/esm_nethack: DNE |
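Review bot: `+upstream_nethack: released (2.6.5)` should be `released (3.6.5)`; the Description context in this hunk ends with "NetHack 3.6.5".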
127 | diff --git a/active/CVE-2020-5213 b/active/CVE-2020-5213 |
128 | index 0679c33..74b6bea 100644 |
129 | --- a/active/CVE-2020-5213 |
130 | +++ b/active/CVE-2020-5213 |
131 | @@ -12,15 +12,16 @@ Description: |
132 | 3.6.5. |
133 | Ubuntu-Description: |
134 | Notes: |
135 | + msalvatore> Nethack is installed sgid games, but not suid or sgid root. |
136 | Mitigation: |
137 | Bugs: |
138 | -Priority: untriaged |
139 | +Priority: low |
140 | Discovered-by: |
141 | Assigned-to: |
142 | |
143 | |
144 | Patches_nethack: |
145 | -upstream_nethack: needs-triage |
146 | +upstream_nethack: released (2.6.5) |
147 | precise/esm_nethack: DNE |
148 | trusty_nethack: ignored (out of standard support) |
149 | trusty/esm_nethack: DNE |
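Review bot: `+upstream_nethack: released (2.6.5)` should be `released (3.6.5)` to match the "3.6.5" fixed version in the Description context above.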
150 | diff --git a/active/CVE-2020-5214 b/active/CVE-2020-5214 |
151 | index e0fa344..3b82e91 100644 |
152 | --- a/active/CVE-2020-5214 |
153 | +++ b/active/CVE-2020-5214 |
154 | @@ -12,15 +12,16 @@ Description: |
155 | 3.6.5. |
156 | Ubuntu-Description: |
157 | Notes: |
158 | + msalvatore> Nethack is installed sgid games, but not suid or sgid root. |
159 | Mitigation: |
160 | Bugs: |
161 | -Priority: untriaged |
162 | +Priority: low |
163 | Discovered-by: |
164 | Assigned-to: |
165 | |
166 | |
167 | Patches_nethack: |
168 | -upstream_nethack: needs-triage |
169 | +upstream_nethack: released (2.6.5) |
170 | precise/esm_nethack: DNE |
171 | trusty_nethack: ignored (out of standard support) |
172 | trusty/esm_nethack: DNE |
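Review bot: `+upstream_nethack: released (2.6.5)` should be `released (3.6.5)` here as well, matching the "3.6.5" in the Description context.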
173 | diff --git a/active/CVE-2020-7969 b/active/CVE-2020-7969 |
174 | index faf087e..d9108b9 100644 |
175 | --- a/active/CVE-2020-7969 |
176 | +++ b/active/CVE-2020-7969 |
177 | @@ -19,7 +19,7 @@ upstream_gitlab: not-affected (debian: Only affects Gitlab EE 8.0 and later) |
178 | precise/esm_gitlab: DNE |
179 | trusty_gitlab: ignored (out of standard support) |
180 | trusty/esm_gitlab: DNE |
181 | -xenial_gitlab: needs-triage |
182 | +xenial_gitlab: not-affected (code not present) |
183 | bionic_gitlab: DNE |
184 | eoan_gitlab: DNE |
185 | devel_gitlab: DNE |
186 | diff --git a/active/CVE-2020-8002 b/active/CVE-2020-8002 |
187 | index 3b3baea..68b1499 100644 |
188 | --- a/active/CVE-2020-8002 |
189 | +++ b/active/CVE-2020-8002 |
190 | @@ -22,11 +22,11 @@ Assigned-to: |
191 | |
192 | |
193 | Patches_virglrenderer: |
194 | -upstream_virglrenderer: needs-triage |
195 | +upstream_virglrenderer: needed |
196 | precise/esm_virglrenderer: DNE |
197 | trusty_virglrenderer: ignored (out of standard support) |
198 | trusty/esm_virglrenderer: DNE |
199 | xenial_virglrenderer: DNE |
200 | -bionic_virglrenderer: needs-triage |
201 | -eoan_virglrenderer: needs-triage |
202 | -devel_virglrenderer: needs-triage |
203 | +bionic_virglrenderer: not-affected (code not present) |
204 | +eoan_virglrenderer: needed |
205 | +devel_virglrenderer: needed |
206 | diff --git a/active/CVE-2020-8003 b/active/CVE-2020-8003 |
207 | index 257c734..8a39f3d 100644 |
208 | --- a/active/CVE-2020-8003 |
209 | +++ b/active/CVE-2020-8003 |
210 | @@ -23,11 +23,11 @@ Assigned-to: |
211 | |
212 | |
213 | Patches_virglrenderer: |
214 | -upstream_virglrenderer: needs-triage |
215 | +upstream_virglrenderer: needed |
216 | precise/esm_virglrenderer: DNE |
217 | trusty_virglrenderer: ignored (out of standard support) |
218 | trusty/esm_virglrenderer: DNE |
219 | xenial_virglrenderer: DNE |
220 | -bionic_virglrenderer: needs-triage |
221 | -eoan_virglrenderer: needs-triage |
222 | -devel_virglrenderer: needs-triage |
223 | +bionic_virglrenderer: needed |
224 | +eoan_virglrenderer: needed |
225 | +devel_virglrenderer: needed |
226 | diff --git a/scripts/check-cves b/scripts/check-cves |
227 | index cbf1631..7c9b47e 100755 |
228 | --- a/scripts/check-cves |
229 | +++ b/scripts/check-cves |
230 | @@ -50,6 +50,7 @@ parser.add_option("-R", "--refresh", help="Refresh CVE descriptions", action="st |
231 | parser.add_option("", "--test", help="Run regression tests", action="store_true") |
232 | parser.add_option("--untriaged", help="Process untriaged CVEs from output of locate_cves.py", metavar="FILE") |
233 | parser.add_option("--mbox", help="Process untriaged CVEs from mbox file", metavar="FILE") |
234 | +parser.add_option("--rhel8oval", help="Process untriaged RHEL8 CVEs", metavar="FILE") |
235 | parser.add_option("--import-missing-debian", help="Process missing Debian CVEs", action="store_true") |
236 | parser.add_option("--debug", help="Report debugging information", action="store_true") |
237 | (opt, args) = parser.parse_args() |
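Review bot: the help text for `--rhel8oval` ("Process untriaged RHEL8 CVEs") does not say what FILE is expected, unlike the neighbouring `--untriaged` and `--mbox` options which name their input ("from output of locate_cves.py", "from mbox file"); suggest `help="Process untriaged CVEs from a RHEL8 OVAL XML file"` so the option is self-describing in `--help`.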
238 | @@ -382,6 +383,93 @@ def import_debian(handler): |
239 | return tmpname |
240 | |
241 | |
242 | +class RHEL8OVALHandler(xml.sax.handler.ContentHandler): |
243 | + """SAX handler for processing rhel8 OVAL XML.""" |
244 | + |
245 | + def __init__(self, ignore=[]): |
246 | + # For per-hit processing |
247 | + self._curr_vuln = None |
248 | + self._curr_cve = None |
249 | + self._curr_pkgs = [] |
250 | + self._curr_url = [] |
251 | + self._curr_source = None |
252 | + |
253 | + self._curr_chars_collect = False |
254 | + self._curr_chars = "" |
255 | + |
256 | + self._timestamp = None |
257 | + self._cves = dict() |
258 | + |
259 | + def startElement(self, name, attrs): |
260 | + if name == 'oval:timestamp': |
261 | + if opt.verbose: |
262 | + print("Parsing RHEL8 OVAL schema", file=sys.stderr) |
263 | + self._curr_chars_collect = True |
264 | + self._curr_chars = "" |
265 | + if name == "definition" and attrs['class'] == 'vulnerability': |
266 | + self._curr_vuln = attrs['id'] |
267 | + self._curr_desc = None |
268 | + self._curr_cve = None |
269 | + self._curr_url = None |
270 | + if name == "title": |
271 | + self._curr_chars_collect = True |
272 | + self._curr_chars = "" |
273 | + if name == "reference": |
274 | + self._curr_cve = attrs['ref_id'] |
275 | + if 'url' in attrs: |
276 | + self._curr_url = attrs['url'] |
277 | + |
278 | + def characters(self, content): |
279 | + if self._curr_chars_collect: |
280 | + self._curr_chars += content |
281 | + |
282 | + def endElement(self, name): |
283 | + self._curr_chars_collect = False |
284 | + if name == 'oval:timestamp': |
285 | + self._timestamp = datetime.datetime.strptime(self._curr_chars, "%Y-%m-%dT%H:%M:%S") |
286 | + if name == "title": |
287 | + title = self._curr_chars |
288 | + # rhel oval titles are of form "CVE-XXXX-XXXX Name: Description |
289 | + # here (priority)" - we want to keep "Name: Description here" |
290 | + self._curr_desc = ' '.join(title.split(' ')[1:-1]) |
291 | + if name == "definition": |
292 | + self._cves.setdefault(self._curr_cve, dict()) |
293 | + self._cves[self._curr_cve].setdefault('desc', self._curr_desc) |
294 | + self._cves[self._curr_cve].setdefault('refs', [self._curr_url]) |
295 | + self._cves[self._curr_cve].setdefault('date', self._timestamp) |
296 | + |
297 | + def cves(self): |
298 | + return self._cves |
299 | + |
300 | + |
301 | +def read_rhel8oval_file(f): |
302 | + '''Read in rhel8 oval |
303 | + This is sneaky because we read in the oval and then output a fake JSON |
304 | + file for processing. |
305 | + ''' |
306 | + if not os.path.isfile(f): |
307 | + print("'%s' not a file" % f, file=sys.stderr) |
308 | + sys.exit(1) |
309 | + |
310 | + name = os.path.abspath(f + ".json") |
311 | + if os.path.exists(name): |
312 | + print("'%s' already exists" % name, file=sys.stderr) |
313 | + sys.exit(1) |
314 | + |
315 | + parser = xml.sax.make_parser() |
316 | + handler = RHEL8OVALHandler() |
317 | + parser.setContentHandler(handler) |
318 | + parser.parse(f) |
319 | + |
320 | + cves = handler.cves() |
321 | + nvd = convert_to_nvd(cves, lambda cve: cves[cve]['desc']) |
322 | + tmp = tempfile.NamedTemporaryFile(mode='w', prefix='rhel8oval-import_', suffix='.json', delete=False) |
323 | + tmpname = tmp.name |
324 | + tmp.file.write(json.dumps(nvd)) |
325 | + tmp.close() |
326 | + |
327 | + return tmpname |
328 | + |
329 | def read_locate_cves_output(f): |
330 | '''Read in output of UCT/scripts/locate_cves.py |
331 | This is sneaky because we read in the output and then output a fake JSON |
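Review bot: `endElement` records an entry for every closing `definition`, keyed on whatever `ref_id` the last `reference` element carried, and nothing checks that the definition was the `vulnerability` class that `startElement` tested for or that `ref_id` is actually a CVE id; a definition whose last reference is a non-CVE id would be stored under that id, and a definition with no reference would be stored under `None`. Suggest only setting `self._curr_cve` when `attrs['ref_id'].startswith('CVE-')`, only recording in `endElement` when `self._curr_vuln` is set, and resetting `self._curr_vuln = None` afterwards. Smaller points in the same hunk: `def __init__(self, ignore=[])` uses a mutable default and `ignore` is never read; `self._curr_pkgs` and `self._curr_source` are never used; `self._curr_desc` is not initialised in `__init__`; `self._curr_url` starts as `[]` but is later assigned `None` or a string, so `refs` can end up as `[None]`; and `attrs['class']` will raise `KeyError` on a `definition` without a class attribute, so `attrs.get('class')` is safer.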
332 | @@ -1367,6 +1455,11 @@ if opt.mbox: |
333 | untriaged_json = read_mbox_file(opt.mbox) |
334 | args.append(untriaged_json) |
335 | |
336 | +rhel8oval_import_json = "" |
337 | +if opt.rhel8oval: |
338 | + untriaged_json = read_rhel8oval_file(opt.rhel8oval) |
339 | + args.append(untriaged_json) |
340 | + |
341 | debian_import_json = "" |
342 | if opt.import_missing_debian and handler.debian is not None: |
343 | debian_import_json = import_debian(handler) |
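Review bot: `rhel8oval_import_json = ""` is assigned but never used; the return value of `read_rhel8oval_file` goes into `untriaged_json` and then into `args`, mirroring the `--mbox` branch rather than the `debian_import_json` pattern it was copied from. Either drop the dead variable or, if the intent is to clean up the temporary JSON file afterwards the way `debian_import_json` is used, assign the path to `rhel8oval_import_json` and remove it at the end.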
344 | diff --git a/scripts/process_cves b/scripts/process_cves |
345 | index 752e255..3152b0f 100755 |
346 | --- a/scripts/process_cves |
347 | +++ b/scripts/process_cves |
348 | @@ -126,7 +126,7 @@ process_missing_debian() { |
349 | ./scripts/check-cves --import-missing-debian |
350 | } |
351 | |
352 | -download_missing_redhat() { |
353 | +download_missing_rhsa() { |
354 | tmpdir="$1" |
355 | archive="$2.txt" |
356 | fn="$tmpdir/$archive" |
357 | @@ -148,12 +148,30 @@ download_missing_redhat() { |
358 | ./scripts/locate_cves.py "$fn" >> "$tmpdir/redhat.mbox" |
359 | } |
360 | |
361 | +download_rhel8oval() { |
362 | + tmpdir="$1" |
363 | + archive="$2" |
364 | + fn="$tmpdir/$archive" |
365 | + url="https://www.redhat.com/security/data/oval/v2/RHEL8/$archive.bz2" |
366 | + |
367 | + echo "Downloading $url..." |
368 | + # curl and wget fail with redhat's web proxy |
369 | + w3m -dump_source "$url" > "$fn.bz2" |
370 | + echo "Unzipping $fn.bz2..." |
371 | + bzip2 -d "$fn.bz2" |
372 | +} |
373 | + |
374 | process_missing_redhat() { |
375 | tmpdir=$(mktemp -d) |
376 | - download_missing_redhat "$tmpdir" "$(date +%Y-%B)" |
377 | - download_missing_redhat "$tmpdir" "$(date --date="$(date +%Y-%m-15) -1 month" +%Y-%B)" |
378 | + download_missing_rhsa "$tmpdir" "$(date +%Y-%B)" |
379 | + download_missing_rhsa "$tmpdir" "$(date --date="$(date +%Y-%m-15) -1 month" +%Y-%B)" |
380 | ./scripts/check-cves --untriaged "$tmpdir/redhat.mbox" |
381 | rm -rf "$tmpdir" |
382 | + |
383 | + tmpdir=$(mktemp -d) |
384 | + download_rhel8oval "$tmpdir" "rhel-8-including-unpatched.oval.xml" |
385 | + ./scripts/check-cves --rhel8oval "$tmpdir/rhel-8-including-unpatched.oval.xml" |
386 | + rm -rf "$tmpdir" |
387 | } |
388 | |
389 | check_syntax() { |
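Review bot: `download_rhel8oval` has no error handling: if `w3m -dump_source` fails or writes an error page, `bzip2 -d` fails on the result and `process_missing_redhat` still runs `./scripts/check-cves --rhel8oval` on a file that does not exist (the python side then exits via its own "not a file" check). Suggest checking the exit status of `w3m` and `bzip2` (or `set -e` in this function) and aborting before the temp directory is passed on; also worth documenting in the script header that `w3m` is now a runtime dependency, since the comment explains it replaces curl/wget here because of the proxy.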
Hmm launchpad seems to have messed up in generation of the diff for review - this is only the following 2 commits:
https://git.launchpad.net/~alexmurray/ubuntu-cve-tracker/commit/?id=1d2f6cb86412081333d6c55fc4ba8ba4ca6e9242
https://git.launchpad.net/~alexmurray/ubuntu-cve-tracker/commit/?id=5d3252d6bb6631d0c391720e5b3aa2b19a483378