From e6ae9507250889dee26426e682776da6cfd0f309 Mon Sep 17 00:00:00 2001 From: Raphael Geissert Date: Tue, 14 Dec 2010 17:56:22 +0000 Subject: Add support for other CVE sources Example: ./lookup -s UBUNTU git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@15704 e39458fd-73e7-0310-bf30-c45bca0a0e42 --- check-external/lookup.sh | 32 ++++++++++++++++++++++++++++---- check-external/update.sh | 22 ++++++++++++++++++---- 2 files changed, 46 insertions(+), 8 deletions(-) (limited to 'check-external') diff --git a/check-external/lookup.sh b/check-external/lookup.sh index c33f4f5cd6..5cb738b00b 100755 --- a/check-external/lookup.sh +++ b/check-external/lookup.sh @@ -22,6 +22,7 @@ set -e regex= after= +source=cve while [ $# -ge 1 ]; do case $1 in @@ -33,15 +34,29 @@ while [ $# -ge 1 ]; do shift after="$1" ;; + --source|-s) + [ $# -gt 1 ] || { + echo "Missing argument for --source" >&2 + exit 1 + } + shift + source="$1" + ;; --help|-h) - echo "Usage: $(basename "$0") [--after|-a per-year-id] [regex]" - echo ; echo "Look for NFUs in our tracker but recognised by RH (for now)" + echo "Usage: $(basename "$0") [--source|-s vendor] [--after|-a per-year-id] [regex]" + echo ; echo "Look for NFUs in our tracker but recognised or fixed by a vendor" echo "(requires you to run ./update.sh every now and then)" + echo ; echo "Possible vendors:" + echo -e "\tcve (for checking against Red Hat's tracker)" + echo "fixed issues only:" + echo -e "\tUBUNTU\n\tFEDORA\n\tetc (uppercase vendor name; check ./update)" echo ; year="$(date +%Y)" echo "Example (check ids of $year):" echo -e "\t$(basename "$0") CVE-$year" echo "Example (check ids after CVE-$year-0100):" echo -e "\t$(basename "$0") --after 0100 CVE-$year" + echo "Example (check ids of $year fixed at Fedora):" + echo -e "\t$(basename "$0") --source FEDORA CVE-$year" echo ; echo "Note: this is a hackish and slow implementation." exit ;; 
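Review bot: The argument taken by the new `--source|-s` arm is stored without any check, and the following hunk turns it straight into a filename (`source+=.list`, `[ -f "$source" ]`), so a value containing a slash is quietly read from outside the working directory and one containing whitespace only fails later with a confusing error instead of a clear diagnostic. Since the only valid sources are the fixed names that update.sh writes, validate right after the `shift`: `[[ $1 =~ ^[A-Za-z0-9_-]+$ ]] || { echo "Invalid source name: $1" >&2; exit 1; }`. The `case $1 in` block this arm belongs to starts and ends outside the hunk. As a point of style, the variable name `source` coincides with a shell builtin; it works because variables and commands live in separate namespaces, but `source_list` would read less ambiguously.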
@@ -52,7 +67,15 @@ while [ $# -ge 1 ]; do shift done -for cve in $(< cve.list); do +source+=.list +[ -f "$source" ] || { + echo "CVE source list $source doesn't exist" >&2 + exit 1 +} + +for cve in $(< $source); do + + [[ $cve ]] || continue if [[ $regex ]]; then [[ $cve =~ $regex ]] || continue @@ -66,5 +89,6 @@ for cve in $(< cve.list); do o=$(grep -m1 -A1 $cve ../data/CVE/list | grep NOT-FOR-US | grep -vi redhat | grep -vi 'red hat' | grep -vi pre-dating | grep -vi realplayer | grep -vi acroread | grep -vi acrobat | - grep -vi adobe | grep -vi 'real player') && echo "$cve: $o" || : + grep -viw opera | grep -vi adobe | + grep -vi 'real player') && echo "$cve: $o" || : done diff --git a/check-external/update.sh b/check-external/update.sh index cf75051fba..1bd5661e33 100755 --- a/check-external/update.sh +++ b/check-external/update.sh 
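Review bot: `$(< $source)` leaves `$source` unquoted, so a source name containing whitespace passes the preceding `[ -f "$source" ]` test and then aborts with an ambiguous-redirect error; quote it as `for cve in $(< "$source"); do`. The command substitution itself is deliberately unquoted so the file splits into one CVE id per iteration, which relies on update.sh emitting only `CVE-YYYY-NNNN` tokens; a comment such as `# one id per line, no globbing characters (see update.sh)` would stop a later reader from "fixing" it. The new error message could also name the remedy the help text already mentions: `echo "CVE source list $source doesn't exist (run ./update.sh first)" >&2`. The `for` loop body continues past the end of the hunk.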
@@ -18,13 +18,27 @@ # along with this file. If not, see . #################### -# Note: The downloaded html files are Copyright by Red Hat, Inc. -# or as specified at the individual html files or elsewhere on redhat.com's website - set -e +export LANG=C + +# Red Hat provides a complete dump of their tracker, which includes +# unfixed issues. +# Note: The downloaded html files are Copyright by Red Hat, Inc. +# or as specified at the individual html files or elsewhere on redhat.com's website for year in $(seq 1999 $(date +%Y)); do wget -N https://www.redhat.com/security/data/cve/cve-$year.html done +sed -rn '/CVE-[12][0-9]{3}-/{s/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/;p}' cve-*.html | + sort > cve.list -sed -rn '/CVE-[12][0-9]{3}-/{s/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/;p}' cve-*.html > cve.list + +# List of issues fixed by each vendor, according to MITRE. Very +# incomplete, but it doesn't hurt to double check (including our own list) +# Note: The downloaded html files are Copyright by The MITRE Corporation +# or as specified at the individual html files or elsewhere on cve.mitre.org's website +for vendor in SUSE DEBIAN GENTOO FEDORA REDHAT UBUNTU; do + wget -N http://cve.mitre.org/data/refs/refmap/source-$vendor.html + sed -rn '/CVE-[12][0-9]{3}-/{s/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/;p}' source-$vendor.html | + sort > $vendor.list +done -- cgit v1.2.3
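Review bot: In the `sed` command copied into the new vendor loop, `s/…/\1/;p` prints the pattern space unconditionally, so any HTML line that contains `CVE-YYYY-` but does not match the full `^.+>(CVE-…)<.+$` form is written verbatim into `$vendor.list`, and lookup.sh later hands such tokens unquoted to `grep`; making the print conditional on a successful substitution, `s/^.+>(CVE-[12][0-9]{3}-[0-9]{4})<.+$/\1/p`, keeps the lists to bare ids (the same applies to the `cve.list` line above it). `export LANG=C` does not by itself make `sort` byte-wise, because `LC_ALL` or `LC_COLLATE` set in the caller's environment take precedence over `LANG`; `export LC_ALL=C` is the reliable choice if the intent is reproducible lists. The MITRE refmap pages are fetched over plain `http://` while the Red Hat dump a few lines above uses `https://`; since these lists decide which tracker entries lookup.sh re-examines, fetching them over HTTPS as well, if the host serves it, would protect that input from modification in transit.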