1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
|
#!/usr/bin/env python3
#
# generate bug report content/mail for a given package name and a
# number of CVE ids
#
# To invoke the mailer right away:
#
# $HOME/debian/git/security-tracker/bin/report-vuln -M <pkg> <CVE>
#
# export http_proxy if you need to use an http proxy to report bugs
import argparse
from tempfile import NamedTemporaryFile
import os
import re
import sys
from urllib.parse import urlencode
from urllib.request import urlopen
from textwrap import wrap
temp_id = re.compile('(?:CVE|cve)\-[0-9]{4}-XXXX')
def description_from_list(id, pkg='', skip_entries=0):
import setup_paths
import bugs
import debian_support
is_temp = temp_id.match(id)
skipped = 0
for bug in bugs.CVEFile(debian_support.findresource(
*"data CVE list".split())):
if bug.name == id or (is_temp and not bug.isFromCVE()):
if pkg != '':
matches = False
for n in bug.notes:
if n.package == pkg and str(n.urgency) != 'unimportant':
matches = True
break
if not matches:
continue
if skipped < skip_entries:
skipped += 1
continue
return bug.description
def gen_index(ids):
ret = ''
for cnt, id in enumerate(ids):
if temp_id.match(id):
continue
ret += '\n[' + str(cnt) + '] https://security-tracker.debian.org/tracker/' + id + '\n'
ret += ' https://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id
return ret
def http_get(id):
param = urlencode({'name' : id})
resp = ''
try:
f = urlopen('https://cve.mitre.org/cgi-bin/cvename.cgi?%s' % param)
resp = f.read()
except Exception as e:
error('on doing HTTP request' + str(e))
f.close()
return resp
# this is a hack that parses the cve id description from mitre
def get_cve(id):
desc = False
r = re.compile('.*<th\ colspan=.*>Description<.*')
tag = re.compile('.*</?tr>.*')
reserved = re.compile(r'\*+\s+(<A HREF=.*>)?RESERVED(</A>)?\s+\*+')
ret = ''
resp = http_get(id)
for line in resp.decode('utf-8').rsplit('\n'):
if r.match(line):
desc = True
continue
if desc and reserved.search(line):
break
if tag.match(line) and desc:
continue
if desc and '<td colspan="2">' in line:
line = re.sub('.*<td colspan="2">', '', line)
for line in wrap(line):
ret += '| ' + line + '\n'
continue
if desc and '</td>' in line:
break
if desc and line != '':
ret = ret + '\n| ' + line
if ret == '':
ret = description_from_list(id)
if not ret:
ret = 'No description was found (try on a search engine)'
return ret + '\n'
def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False, cclist=None, src=False, mh=False):
vuln_suff = 'y'
cve_suff = ''
time_w = 'was'
temp_id_cnt = 0
ret = ''
if mh:
ret += '''To: submit@bugs.debian.org
Subject: %s: %s
''' % (pkg, ' '.join(cveid))
if len(cveid) > 1:
cve_suff = 's'
vuln_suff = 'ies'
time_w = 'were'
if src:
ret += 'Source: %s\n' % (pkg)
else:
ret += 'Package: %s\n' % (pkg)
if affected is None:
if blanks:
ret += "Version: FILLINAFFECTEDVERSION\n"
else:
ret += "Version: %s\n" % affected
if cc and len(cclist) > 0:
ret += "X-Debbugs-CC: %s\n" % " ".join(cclist)
ret += '''Severity: %s
Tags: security
Hi,
The following vulnerabilit%s %s published for %s.\n
''' % (severity, vuln_suff, time_w, pkg)
for cnt, cve in enumerate(cveid):
if not temp_id.match(cve):
ret += cve + '[' + str(cnt) + ']:\n'
ret += get_cve(cve) + '\n'
else:
ret += 'Issue without CVE id #%d [%d]:\n' % (temp_id_cnt, cnt)
desc = description_from_list(cve, pkg, temp_id_cnt)
if desc:
ret += desc + '\n\n'
else:
ret += 'No description has been specified\n\n'
temp_id_cnt += 1
ret += '''If you fix the vulnerabilit%s please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id%s in your changelog entry.
For further information see:\n''' % (vuln_suff, cve_suff)
ret += gen_index(cveid) + '\n'
if temp_id_cnt > 0:
ret += '\nhttps://security-tracker.debian.org/tracker/source-package/%s\n' % (pkg)
ret += '(issues without CVE id are assigned a TEMP one, but it may change over time)\n'
if not blanks:
ret += '\nPlease adjust the affected versions in the BTS as needed.\n'
return ret
def error(msg):
print('error: ' + msg, file=sys.stderr)
sys.exit(1)
class NegateAction(argparse.Action):
'''add a toggle flag to argparse
this is similar to 'store_true' or 'store_false', but allows
arguments prefixed with --no to disable the default. the default
is set depending on the first argument - if it starts with the
negative form (define by default as '--no'), the default is False,
otherwise True.
'''
negative = '--no'
def __init__(self, option_strings, *args, **kwargs):
'''set default depending on the first argument'''
default = not option_strings[0].startswith(self.negative)
super(NegateAction, self).__init__(option_strings, *args,
default=default, nargs=0, **kwargs)
def __call__(self, parser, ns, values, option):
'''set the truth value depending on whether
it starts with the negative form'''
setattr(ns, self.dest, not option.startswith(self.negative))
def main():
parser = argparse.ArgumentParser()
parser.add_argument('--no-blanks', '--blanks', dest='blanks', action=NegateAction,
help='include blank fields to be filled (default: %(default)s)')
parser.add_argument('--affected', help='affected version (default: unspecified)')
parser.add_argument('--severity', default='grave', help='severity (default: %(default)s)')
parser.add_argument('--cc', '--no-cc', dest='cc', action=NegateAction,
help='add X-Debbugs-CC header to')
parser.add_argument('--cc-list', dest='cclist', default=['team@security.debian.org',],
help='list of addresses to add in CC (default: %(default)s)')
parser.add_argument('--src', action="store_true", help='report against source package')
parser.add_argument('-m', '--mail-header', action="store_true", help='generate a mail header')
parser.add_argument('-M', '--mail', action="store_true", help='invoke mailer right aways')
parser.add_argument('--mailer', action='store', default='mutt -H {}',
help='Command executed. Must contain {} to be replaced '
'by the filename of the draft bugreport')
parser.add_argument('pkg', help='affected package')
parser.add_argument('cve', nargs='+', help='relevant CVE for this source package, may be used multiple time if the issue has multiple CVEs')
args = parser.parse_args()
blanks = args.blanks
pkg = args.pkg
cve = args.cve
# check for valid parameters
p = re.compile('^[0-9a-z].*')
c = re.compile('(CVE|cve)\-[0-9]{4}-[0-9]{4,}')
if not p.match(pkg):
error(pkg + ' does not seem to be a valid source package name')
for arg in cve:
if not c.match(arg) and not temp_id.match(arg):
error(arg + ' does not seem to be a valid CVE id')
text = gen_text(pkg, cve,
affected=args.affected,
blanks=args.blanks,
severity=args.severity,
cc=args.cc,
cclist=args.cclist,
src=args.src,
mh=args.mail_header or args.mail)
if args.mail:
with NamedTemporaryFile(prefix='report-vuln', suffix='.txt') as bugmail:
bugmail.write(text)
bugmail.flush()
os.system(args.mailer.format(bugmail.name))
else:
print(text)
if __name__ == '__main__':
main()
|