1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
|
#!/usr/bin/env python
#
# generate bug report content for a given package name
# and a number of CVE ids
#
# you could use it for example in combination with the
# following shell function:
#
# report-vuln(){
# TMPFILE="$HOME/reportbug.tmp"
# $HOME/debian/svn/secure-testing/bin/report-vuln "$@" > $TMPFILE
# mutt -i $TMPFILE submit@bugs.debian.org
# rm $TMPFILE
# }
#
# in bash, this can be simply:
#
# mutt -i <($HOME/debian/svn/secure-testing/bin/report-vuln) submit@bugs.debian.org
#
# export http_proxy if you need to use an http proxy to report bugs
import argparse
import sys, re, urllib, os
temp_id = re.compile('(?:CVE|cve)\-[0-9]{4}-XXXX')
def setup_path():
dirname = os.path.dirname
base = dirname(dirname(os.path.realpath(sys.argv[0])))
sys.path.insert(0, os.path.join(base, "lib", "python"))
def description_from_list(id, pkg='', skip_entries=0):
setup_path()
import bugs
import debian_support
is_temp = temp_id.match(id)
skipped = 0
for bug in bugs.CVEFile(debian_support.findresource(
*"data CVE list".split())):
if bug.name == id or (is_temp and not bug.isFromCVE()):
if pkg != '':
matches = False
for n in bug.notes:
if n.package == pkg and str(n.urgency) != 'unimportant':
matches = True
break
if not matches:
continue
if skipped < skip_entries:
skipped += 1
continue
return bug.description
def gen_index(ids):
ret = ''
for cnt, id in enumerate(ids):
if temp_id.match(id):
continue
ret += '\n[' + str(cnt) + '] https://security-tracker.debian.org/tracker/' + id + '\n'
ret += ' https://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id
return ret
def http_get(id):
param = urllib.urlencode({'name' : id})
resp = ''
try:
f = urllib.urlopen('https://cve.mitre.org/cgi-bin/cvename.cgi?%s' % param)
resp = f.read()
except Exception, e:
error('on doing HTTP request' + str(e))
f.close()
return resp
# this is a hack that parses the cve id description from mitre
def get_cve(id):
desc = False
r = re.compile('.*<th\ colspan=.*>Description<.*')
tag = re.compile('.*</?tr>.*')
reserved = re.compile(r'\*+\s+(<A HREF=.*>)?RESERVED(</A>)?\s+\*+')
ret = ''
resp = http_get(id)
for line in resp.rsplit('\n'):
if r.match(line):
desc = True
continue
if desc and reserved.search(line):
break
if tag.match(line) and desc:
continue
if desc and '<td colspan="2">' in line:
ret += '| ' + re.sub('.*<td colspan="2">', '', line)
continue
if desc and '</td>' in line:
break
if desc and line != '':
ret = ret + '\n| ' + line
if ret == '':
ret = description_from_list(id)
if ret == '':
ret = 'No description was found (try on a search engine)'
return ret + '\n'
def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False, cclist=None, src=False):
vuln_suff = 'y'
cve_suff = ''
time_w = 'was'
temp_id_cnt = 0
if len(cveid) > 1:
cve_suff = 's'
vuln_suff = 'ies'
time_w = 'were'
if src:
header = '''Source: %s\n''' % (pkg)
else:
header = '''Package: %s\n''' % (pkg)
if affected is None:
if blanks:
header += "Version: FILLINAFFECTEDVERSION\n"
else:
header += "Version: %s\n" % affected
if cc and len(cclist) > 0:
header += "X-Debbugs-CC: %s\n" % " ".join(cclist)
header += '''Severity: %s
Tags: security
Hi,
the following vulnerabilit%s %s published for %s.
''' % (severity, vuln_suff, time_w, pkg)
footer = '''If you fix the vulnerabilit%s please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id%s in your changelog entry.
For further information see:''' % (vuln_suff, cve_suff)
print header
for cnt, cve in enumerate(cveid):
if not temp_id.match(cve):
print cve + '[' + str(cnt) + ']:'
print get_cve(cve)
else:
print '''Issue without CVE id #%d [%d]:''' % (temp_id_cnt, cnt)
desc = description_from_list(cve, pkg, temp_id_cnt)
if desc:
print desc + '\n'
else:
print 'No description has been specified\n'
temp_id_cnt += 1
print footer
print gen_index(cveid)
if temp_id_cnt > 0:
print '\nhttps://security-tracker.debian.org/tracker/source-package/%s' % (pkg)
print '(issues without CVE id are assigned a TEMP one, but it may change over time)\n'
if not blanks:
print '''\nPlease adjust the affected versions in the BTS as needed.\n'''
def error(msg):
print 'error: ' + msg
sys.exit(1)
class NegateAction(argparse.Action):
'''add a toggle flag to argparse
this is similar to 'store_true' or 'store_false', but allows
arguments prefixed with --no to disable the default. the default
is set depending on the first argument - if it starts with the
negative form (define by default as '--no'), the default is False,
otherwise True.
'''
negative = '--no'
def __init__(self, option_strings, *args, **kwargs):
'''set default depending on the first argument'''
default = not option_strings[0].startswith(self.negative)
super(NegateAction, self).__init__(option_strings, *args,
default=default, nargs=0, **kwargs)
def __call__(self, parser, ns, values, option):
'''set the truth value depending on whether
it starts with the negative form'''
setattr(ns, self.dest, not option.startswith(self.negative))
def main():
parser = argparse.ArgumentParser()
parser.add_argument('--no-blanks', '--blanks', dest='blanks', action=NegateAction,
help='include blank fields to be filled (default: %(default)s)')
parser.add_argument('--affected', help='affected version (default: unspecified)')
parser.add_argument('--severity', default='grave', help='severity (default: %(default)s)')
parser.add_argument('--cc', '--no-cc', dest='cc', action=NegateAction,
help='add X-Debbugs-CC header to')
parser.add_argument('--cc-list', dest='cclist', default=['team@security.debian.org', 'secure-testing-team@lists.alioth.debian.org'],
help='list of addresses to add in CC (default: %(default)s)')
parser.add_argument('--src', action="store_true", help='report against source package')
parser.add_argument('pkg', help='affected package')
parser.add_argument('cve', nargs='+', help='relevant CVE for this source package, may be used multiple time if the issue has multiple CVEs')
args = parser.parse_args()
blanks = args.blanks
pkg = args.pkg
cve = args.cve
# check for valid parameters
p = re.compile('^[0-9a-z].*')
c = re.compile('(CVE|cve)\-[0-9]{4}-[0-9]{4,}')
if not p.match(pkg):
error(pkg + ' does not seem to be a valid source package name')
for arg in cve:
if not c.match(arg) and not temp_id.match(arg):
error(arg + ' does not seem to be a valid CVE id')
gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src)
if __name__ == '__main__':
main()
|