authorRaphael Geissert <geissert@debian.org>2010-12-14 17:56:22 +0000
committerRaphael Geissert <geissert@debian.org>2010-12-14 17:56:22 +0000
commite6ae9507250889dee26426e682776da6cfd0f309 (patch)
tree507799df147f64dc8dc85e8413d2cd03297ee5a0 /check-external
parentad4f43859dff6b03d0a1630de320a2e0c71f9ff4 (diff)
Add support for other CVE sources
Example: ./lookup -s UBUNTU git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@15704 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'check-external')
-rwxr-xr-xcheck-external/lookup.sh32
-rwxr-xr-xcheck-external/update.sh22
2 files changed, 46 insertions, 8 deletions
diff --git a/check-external/lookup.sh b/check-external/lookup.sh
index c33f4f5cd6..5cb738b00b 100755
--- a/check-external/lookup.sh
+++ b/check-external/lookup.sh
@@ -22,6 +22,7 @@ set -e
regex=
after=
+source=cve
while [ $# -ge 1 ]; do
case $1 in
@@ -33,15 +34,29 @@ while [ $# -ge 1 ]; do
shift
after="$1"
;;
+ --source|-s)
+ [ $# -gt 1 ] || {
+ echo "Missing argument for --source" >&2
+ exit 1
+ }
+ shift
+ source="$1"
+ ;;
--help|-h)
- echo "Usage: $(basename "$0") [--after|-a per-year-id] [regex]"
- echo ; echo "Look for NFUs in our tracker but recognised by RH (for now)"
+ echo "Usage: $(basename "$0") [--source|-s vendor] [--after|-a per-year-id] [regex]"
+ echo ; echo "Look for NFUs in our tracker but recognised or fixed by a vendor"
echo "(requires you to run ./update.sh every now and then)"
+ echo ; echo "Possible vendors:"
+ echo -e "\tcve (for checking against Red Hat's tracker)"
+ echo "fixed issues only:"
+ echo -e "\tUBUNTU\n\tFEDORA\n\tetc (uppercase vendor name; check ./update)"
echo ; year="$(date +%Y)"
echo "Example (check ids of $year):"
echo -e "\t$(basename "$0") CVE-$year"
echo "Example (check ids after CVE-$year-0100):"
echo -e "\t$(basename "$0") --after 0100 CVE-$year"
+ echo "Example (check ids of $year fixed at Fedora):"
+ echo -e "\t$(basename "$0") --source FEDORA CVE-$year"
echo ; echo "Note: this is a hackish and slow implementation."
exit
;;
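Review bot: The value taken by `--source` at `source="$1"` is stored without any check, although the help text documents only `cve` and uppercase vendor names. Later in the file it gets `.list` appended and is opened as a path, so a value containing `/` or whitespace selects a file outside the intended set or breaks the read. A guard placed right after the `shift`, for example `[[ $1 =~ ^(cve|[A-Z]+)$ ]] || { echo "Invalid source: $1" >&2; exit 1; }`, would keep the option to the documented names. The enclosing `while`/`case` starts before this hunk and ends after it.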
@@ -52,7 +67,15 @@ while [ $# -ge 1 ]; do
shift
done
-for cve in $(< cve.list); do
+source+=.list
+[ -f "$source" ] || {
+ echo "CVE source list $source doesn't exist" >&2
+ exit 1
+}
+
+for cve in $(< $source); do
+
+ [[ $cve ]] || continue
if [[ $regex ]]; then
[[ $cve =~ $regex ]] || continue
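Review bot: `for cve in $(< $source)` expands `$source` unquoted even though the `-f` test just above quotes it; `$(< "$source")` keeps the two consistent and avoids an ambiguous redirect. The added `[[ $cve ]] || continue` can never fire, because word splitting of the substitution produces no empty words. The lists are generated from downloaded HTML, and each token is later passed unquoted to `grep -m1 -A1 $cve` (visible as context in the next hunk), so a token starting with `-` would be read as a grep option. A format check is the more useful guard here: `[[ $cve =~ ^CVE-[0-9]{4}-[0-9]{4,}$ ]] || continue`. The loop body continues outside this hunk.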
@@ -66,5 +89,6 @@ for cve in $(< cve.list); do
o=$(grep -m1 -A1 $cve ../data/CVE/list | grep NOT-FOR-US |
grep -vi redhat | grep -vi 'red hat' | grep -vi pre-dating |
grep -vi realplayer | grep -vi acroread | grep -vi acrobat |
- grep -vi adobe | grep -vi 'real player') && echo "$cve: $o" || :
+ grep -viw opera | grep -vi adobe |
+ grep -vi 'real player') && echo "$cve: $o" || :
done
diff --git a/check-external/update.sh b/check-external/update.sh
index cf75051fba..1bd5661e33 100755
--- a/check-external/update.sh
+++ b/check-external/update.sh
@@ -18,13 +18,27 @@
# along with this file. If not, see <http://www.gnu.org/licenses/>.
####################
-# Note: The downloaded html files are Copyright by Red Hat, Inc.
-# or as specified at the individual html files or elsewhere on redhat.com's website
-
set -e
+export LANG=C
+
+# Red Hat provides a complete dump of their tracker, which includes
+# unfixed issues.
+# Note: The downloaded html files are Copyright by Red Hat, Inc.
+# or as specified at the individual html files or elsewhere on redhat.com's website
for year in $(seq 1999 $(date +%Y)); do
wget -N https://www.redhat.com/security/data/cve/cve-$year.html
done
+sed -rn '/CVE-[12][0-9]{3}-/{s/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/;p}' cve-*.html |
+ sort > cve.list
-sed -rn '/CVE-[12][0-9]{3}-/{s/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/;p}' cve-*.html > cve.list
+
+# List of issues fixed by each vendor, according to MITRE. Very
+# incomplete, but it doesn't hurt to double check (including our own list)
+# Note: The downloaded html files are Copyright by The MITRE Corporation
+# or as specified at the individual html files or elsewhere on cve.mitre.org's website
+for vendor in SUSE DEBIAN GENTOO FEDORA REDHAT UBUNTU; do
+ wget -N http://cve.mitre.org/data/refs/refmap/source-$vendor.html
+ sed -rn '/CVE-[12][0-9]{3}-/{s/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/;p}' source-$vendor.html |
+ sort > $vendor.list
+done
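Review bot: The refmap pages in the new vendor loop are fetched over plain `http://`, while the Red Hat pages above use `https://`, so the content that ends up in `$vendor.list` has no transport integrity; switch the URL to `https://` if the host serves it. In both `sed` calls the `p` sits outside the substitution, so a line that matches `/CVE-[12][0-9]{3}-/` but not the `s///` pattern is written to the list unchanged. `sed -rn 's/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/p'` would print only the extracted IDs. Since lookup.sh word-splits these lists and hands the tokens to `grep`, keeping arbitrary page text out of them matters.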
