authorNico Golde <nion@debian.org>2008-03-28 17:08:08 +0000
committerNico Golde <nion@debian.org>2008-03-28 17:08:08 +0000
commit4dde8db95231b7d1c1ff3d149442e1730e5e77b6 (patch)
treed168f8a276c90f7af14e7d147fb803964e9e4b73 /bin/report-vuln
parent0674fc5363b8fcc72166092831258913f3b343a6 (diff)
adding report-vuln script
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@8437 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'bin/report-vuln')
-rwxr-xr-xbin/report-vuln121
1 files changed, 121 insertions, 0 deletions
diff --git a/bin/report-vuln b/bin/report-vuln
new file mode 100755
index 0000000000..fb42e7713f
--- /dev/null
+++ b/bin/report-vuln
@@ -0,0 +1,121 @@
+#!/usr/bin/env python
+#
+# generate bug report content for a given package name
+# and a number of CVE ids
+#
+# you could use it for example in combination with the
+# following shell function:
+# report-vuln(){
+# TMPFILE="$HOME/reportbug.tmp"
+# $HOME/debian/svn/secure-testing/bin/report-vuln "$@" > $TMPFILE
+# mutt -i $TMPFILE submit@bugs.debian.org
+# rm $TMPFILE
+# }
+
+import sys, re, httplib
+
+def gen_index(ids):
+ ret = ''
+ for cnt, id in enumerate(ids):
+ ret += '\n[' + str(cnt) + '] http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id + '\n'
+ ret += ' http://security-tracker.debian.net/tracker/' + id
+
+ return ret
+
+# this is a hack that parses the cve id description from mitre
+def get_cve(id):
+ desc = False
+ r = re.compile('.*<th\ colspan=.*>Description<.*')
+ tag = re.compile('.*</?tr>.*')
+ try:
+ conn = httplib.HTTPConnection('cve.mitre.org')
+ conn.request('GET', '/cgi-bin/cvename.cgi?name=' + id)
+ resp = conn.getresponse()
+ ret = ''
+ except Exception, e:
+ error('on doing HTTP request' + str(e))
+
+ for line in resp.read().rsplit('\n'):
+ if r.match(line):
+ desc = True
+ continue
+
+ if tag.match(line) and desc:
+ continue
+
+ if desc and '<td colspan="2">' in line:
+ ret += '| ' + re.sub('.*<td colspan="2">', '', line)
+ continue
+
+ if desc and '</td>' in line:
+ break
+
+ if desc and line != '':
+ ret = ret + '\n| ' + line
+
+ return ret + '\n'
+
+def gen_text(pkg, cveid):
+ vuln_suff = 'y'
+ cve_suff = ''
+ time_w = 'was'
+
+ if len(cveid) > 1:
+ cve_suff = 's'
+ vuln_suff = 'ies'
+ time_w = 'were'
+
+ header = '''Package: %s
+Version: FILLINAFFECTEDVERSION
+Severity: FILLINSEVERITY
+Tags: security
+
+Hi,
+the following CVE (Common Vulnerabilities & Exposures) id%s %s
+published for %s.
+
+''' % (pkg, cve_suff, time_w, pkg)
+
+ footer = '''If you fix the vulnerabilit%s please also make sure to include the
+CVE id%s in your changelog entry.
+
+For further information see:''' % (vuln_suff, cve_suff)
+
+ print header
+ for cnt, cve in enumerate(cveid):
+ print cve + '[' + str(cnt) + ']:'
+ print get_cve(cve)
+
+ print footer
+ print gen_index(cveid)
+
+def error(msg):
+ print 'error: ' + msg
+ sys.exit(1)
+
+def usage():
+ print sys.argv[0], '<pkg> <cve id(s)>'
+ sys.exit(0)
+
+def main():
+ if len(sys.argv) < 3:
+ usage()
+
+ pkg = sys.argv[1]
+ cve = sys.argv[2:]
+
+ # check for valid parameters
+ p = re.compile('^[a-z].*')
+ c = re.compile('(CVE|cve)\-[0-9]{4}-[0-9]{4}')
+
+ if not p.match(pkg):
+ error(pkg + ' does not seem to be a valid source package name')
+
+ for arg in cve:
+ if not c.match(arg):
+ error(arg + ' does not seem to be a valid CVE id')
+
+ gen_text(pkg, cve)
+
+if __name__ == '__main__':
+ main()
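Review bot: The CVE id validation in main() uses `c.match(arg)` with a pattern that is anchored only at the start, so an argument such as `CVE-2008-1234/anything` passes and is concatenated verbatim into the request path in get_cve(); anchor both ends, `c = re.compile(r'^(CVE|cve)-[0-9]{4}-[0-9]{4}$')`, and likewise tighten `p = re.compile('^[a-z].*')`, which accepts any string that merely begins with a lowercase letter. The fixed four-digit sequence part will also reject the longer CVE ids that have since been assigned, so `[0-9]{4,}` for the last group is worth considering. In get_cve(), the description lines are written to the report straight out of the scraped HTML, so any entity-encoded characters in the text would presumably appear literally in the bug report; a note such as `# NOTE: HTML entities in the description are not decoded` above the `ret += '| ' + ...` line, or an unescape step, would make that explicit. The `except Exception, e:` branch relies on error() calling sys.exit() before `resp` is used on the next line, which is worth a one-line comment since nothing in the function itself makes that obvious.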
