1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
|
#!/usr/bin/env python
#
# generate bug report content for a given package name
# and a number of CVE ids
#
# you could use it for example in combination with the
# following shell function:
# report-vuln(){
# TMPFILE="$HOME/reportbug.tmp"
# $HOME/debian/svn/secure-testing/bin/report-vuln "$@" > $TMPFILE
# mutt -i $TMPFILE submit@bugs.debian.org
# rm $TMPFILE
# }
# export http_proxy if you need to use an http proxy to report bugs
import sys, re, urllib, os
temp_id = re.compile('(?:CVE|cve)\-[0-9]{4}-XXXX')
def setup_path():
dirname = os.path.dirname
base = dirname(dirname(os.path.realpath(sys.argv[0])))
sys.path.insert(0, os.path.join(base, "lib", "python"))
def description_from_list(id, pkg = '', skip_entries = 0):
setup_path()
import bugs
import debian_support
is_temp = temp_id.match(id)
skipped = 0
for bug in bugs.CVEFile(debian_support.findresource(
*"data CVE list".split())):
if bug.name == id or (is_temp and not bug.isFromCVE()):
if pkg != '':
matches = False
for n in bug.notes:
if n.package == pkg and str(n.urgency) != 'unimportant':
matches = True
break
if not matches:
continue
if skipped < skip_entries:
skipped += 1
continue
return bug.description
def gen_index(ids):
ret = ''
for cnt, id in enumerate(ids):
if temp_id.match(id):
continue
ret += '\n[' + str(cnt) + '] https://security-tracker.debian.org/tracker/' + id + '\n'
ret += ' http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id
return ret
def http_get(id):
param = urllib.urlencode({'name' : id})
resp = ''
try:
f = urllib.urlopen('http://cve.mitre.org/cgi-bin/cvename.cgi?%s' % param)
resp = f.read()
except Exception, e:
error('on doing HTTP request' + str(e))
f.close()
return resp
# this is a hack that parses the cve id description from mitre
def get_cve(id):
desc = False
r = re.compile('.*<th\ colspan=.*>Description<.*')
tag = re.compile('.*</?tr>.*')
reserved = re.compile(r'\*+\s+RESERVED\s+\*+')
ret = ''
resp = http_get(id)
for line in resp.rsplit('\n'):
if r.match(line):
desc = True
continue
if desc and reserved.search(line):
break
if tag.match(line) and desc:
continue
if desc and '<td colspan="2">' in line:
ret += '| ' + re.sub('.*<td colspan="2">', '', line)
continue
if desc and '</td>' in line:
break
if desc and line != '':
ret = ret + '\n| ' + line
if ret == '':
ret = description_from_list(id)
if ret == '':
ret = 'No description was found (try on a search engine)'
return ret + '\n'
def gen_text(pkg, cveid, include_version = False, severity = 'FILLINSEVERITY'):
vuln_suff = 'y'
cve_suff = ''
time_w = 'was'
temp_id_cnt = 0
if len(cveid) > 1:
cve_suff = 's'
vuln_suff = 'ies'
time_w = 'were'
header = '''Package: %s\n''' % (pkg)
if include_version:
header += 'Version: FILLINAFFECTEDVERSION\n'
header += '''Severity: %s
Tags: security
Hi,
the following vulnerabilit%s %s published for %s.
''' % (severity, vuln_suff, time_w, pkg)
footer = '''If you fix the vulnerabilit%s please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id%s in your changelog entry.
For further information see:''' % (vuln_suff, cve_suff)
print header
for cnt, cve in enumerate(cveid):
if not temp_id.match(cve):
print cve + '[' + str(cnt) + ']:'
print get_cve(cve)
else:
print '''Issue without CVE id #%d [%d]:''' % (temp_id_cnt, cnt)
desc = description_from_list(cve, pkg, temp_id_cnt)
if desc:
print desc + '\n'
else:
print 'No description has been specified\n'
temp_id_cnt += 1
print footer
print gen_index(cveid)
if temp_id_cnt > 0:
print '\nhttps://security-tracker.debian.org/tracker/source-package/%s' % (pkg)
print '(issues without CVE id are assigned a TEMP one, but it may change over time)\n'
if not include_version:
print '''Please adjust the affected versions in the BTS as needed.\n'''
def error(msg):
print 'error: ' + msg
sys.exit(1)
def usage():
print sys.argv[0], '[--no-blanks] <pkg> <cve id(s)>'
sys.exit(0)
def main():
if len(sys.argv) < 3:
usage()
blanks = True
if sys.argv[1] == '--no-blanks':
if len(sys.argv) < 4:
usage()
blanks = False
pkg = sys.argv[2]
cve = sys.argv[3:]
else:
pkg = sys.argv[1]
cve = sys.argv[2:]
# check for valid parameters
p = re.compile('^[0-9a-z].*')
c = re.compile('(CVE|cve)\-[0-9]{4}-[0-9]{4,}')
if not p.match(pkg):
error(pkg + ' does not seem to be a valid source package name')
for arg in cve:
if not c.match(arg) and not temp_id.match(arg):
error(arg + ' does not seem to be a valid CVE id')
if blanks:
gen_text(pkg, cve)
else:
gen_text(pkg, cve, False, 'grave')
if __name__ == '__main__':
main()
|