[Secure-testing-commits] r1505 - / tsck
Moritz Muehlenhoff
jmm-guest at costa.debian.org
Sun Jul 31 12:51:50 UTC 2005
Author: jmm-guest
Date: 2005-07-31 12:51:50 +0000 (Sun, 31 Jul 2005)
New Revision: 1505
Added:
tsck/
tsck/tsck.py
Log:
Initial version of tsck, to check the list of currently installed
packages against the currently tracked vulnerabilities. I hacked
this yesterday night when I had no internet access against an old
local copy of testing-security.html that didn't yet have the severity
coloring, which triggers some malparsing. I'll fix this up tomorrow.
There are also some dupe bugs and the output is not complete, it's
more of a WIP.
Once all the testing-security infrastructure has stabilised I'll
rework it against a non-HTML version, which should be generated
against sid as well, so it should suffice as a quick hack for now.
Added: tsck/tsck.py
===================================================================
--- tsck/tsck.py 2005-07-30 21:14:15 UTC (rev 1504)
+++ tsck/tsck.py 2005-07-31 12:51:50 UTC (rev 1505)
@@ -0,0 +1,71 @@
+#!/usr/bin/python
+
+import os, re
+
+status = open("/var/lib/dpkg/status", "r")
+statlines = status.readlines()
+
+source_packages = {}
+
+package = ""
+source = ""
+version = ""
+
+for i in statlines:
+ if i.startswith("Package:"):
+ package = i.split(": ")[1][0:-1]
+ if i.startswith("Source:"):
+ source = i.split(": ")[1][0:-1]
+ if i.startswith("Version:"):
+ version = i.split(": ")[1][0:-1]
+ if i == "\n":
+ if source == "":
+ source_packages[package] = version
+ else:
+ source_packages[source] = version
+ package = ""
+ source = ""
+ version = ""
+
+raw_vulns = open("testing-security.html", "r")
+vulns = raw_vulns.readlines()
+
+unfixed = [] # (pkgname, deb#, cve-id)
+fixed = [] #
+
+for i in vulns:
+ debbug = ""
+ cve = ""
+ src = ""
+ required = ""
+ if i.startswith("<li>"):
+
+ cves = re.findall(r'CAN\-[0-9]{4}\-[0-9]{4}', i)
+ if len(cves) > 0:
+ cve = cves[0]
+ else:
+ if i.find("CAN-2005-XXXX") > -1:
+ cve = "to be assigned"
+
+ for j in re.findall(r'.*?unfixed', i):
+ src = j.replace("<li>", "").replace(" (<b>unfixed", "")
+
+ for j in re.findall(r'\<.*?\>', i):
+ if j.find("bugs.debian") > -1:
+ debbug = j.replace('<a href="', '').replace('">', '')
+ required = "unfixed"
+
+
+ if source_packages.has_key(src):
+ print src, "is vulnerable to", cve
+
+ if required != "unfixed":
+ for j in re.findall(r'.*?needed', i):
+ src = j.replace("<li>", "").replace(" needed", "").split(" ")[0]
+ required = j.replace("<li>", "").replace(" needed", "").split(" ")[1]
+
+ if source_packages.has_key(src):
+ installed = source_packages[src]
+ print src,"dpkg --compare-versions " + installed + " ge " + required
+ if os.system("dpkg --compare-versions " + installed + " ge " + required) > 0:
+ print src, "is vulnerable to", cve
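Review bot: the final os.system("dpkg --compare-versions " + installed + " ge " + required) call passes unvalidated text to the shell. required is cut out of testing-security.html with a regex and installed comes from the dpkg status file, so any shell metacharacter in either is interpreted by /bin/sh. Suggest running dpkg without a shell, for example os.spawnlp(os.P_WAIT, "dpkg", "dpkg", "--compare-versions", installed, "ge", required), and rejecting a required value that does not look like a Debian version before it gets that far. Two parsing points in the same hunk: in the "needed" branch, .split(" ")[1] raises IndexError when the matched text has no second field; and in the status loop a stanza is stored only when a blank line is seen, and a Source: field of the form "name (version)" is stored with the version as part of the key, so those packages never match a src from the HTML.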
Property changes on: tsck/tsck.py
___________________________________________________________________
Name: svn:executable
+ *