[Secure-testing-commits] r1763 - bin

Neil McGovern neilm at costa.debian.org
Thu Sep 1 17:50:07 UTC 2005


Author: neilm
Date: 2005-09-01 17:50:06 +0000 (Thu, 01 Sep 2005)
New Revision: 1763

Modified:
   bin/checklist
Log:
Now it actually dows work with DTSAs.


Modified: bin/checklist
===================================================================
--- bin/checklist	2005-09-01 17:15:43 UTC (rev 1762)
+++ bin/checklist	2005-09-01 17:50:06 UTC (rev 1763)
@@ -15,21 +15,28 @@
 		"html" => \$html,
 		"debug" => \$debug,
 		"suite=s" => \$suite,
+		"sta=s" => \$sta,
 		"output=s", \$output)
     || ! @ARGV) {
-	die "usage: $0 [--suite suite] [--html] [--output=file] [--debug] advisorylist dtsalist...\n";
+	die "usage: $0 [--suite suite] [--sta sta-mirror] [--html] [--output=file] [--debug] list ...\n";
 }
 
+my $sta = "http://secure-testing.debian.net/debian-security-updates/dists/testing/security-updates/main/source/Sources.gz";
+
+system("wget -q -O /tmp/Sources.sta.gz $sta");
+
 if (defined $output) {
-	open (OUT, ">$output.tmp.$$") || die "output.tmp.$$: $!";
+	open (OUT, ">$output.tmp.$$") || die "output.tmp.$$: $!"; # Set the output to a file
 }
 else {
-	open (OUT, ">&STDOUT");
+	open (OUT, ">&STDOUT"); # Set the output to stdout
 }
 
-if ($html) {
+if ($html) { # It's HTML, so we need a header
 	print OUT "<html><title>$suite security issues</title>\n";
-	if ($suite ne 'testing' && $suite ne 'unstable') {
+	
+	# This is being run against something it's not meant to be, so print a warning
+	if ($suite ne 'testing' && $suite ne 'unstable') { 
 		print OUT <<"EOF";
 <p>
 <em>Warning:</em> This page is the result of running the testing security
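Review bot: The `--sta` option added to GetOptions is dead: `my $sta = "http://secure-testing.debian.net/.../Sources.gz";` a few lines later unconditionally overwrites whatever was passed, and it declares `$sta` after the `\$sta` reference (which `use strict` would reject unless `$sta` is declared earlier in the file; the GetOptions call starts before this hunk). Declare `$sta` before GetOptions and apply the default only when unset, `$sta = "http://secure-testing.debian.net/debian-security-updates/dists/testing/security-updates/main/source/Sources.gz" unless defined $sta;`. The `system("wget -q -O /tmp/Sources.sta.gz $sta")` line also passes the URL through a shell, never checks wget's exit status and reuses a fixed, predictable path in the shared /tmp, so a failed or interrupted download silently leaves a stale or foreign file for the `zcat` later in the file; prefer `system('wget', '-q', '-O', $stafile, $sta) == 0 or die "wget $sta failed: $?";` with `$stafile` obtained from `File::Temp`. Note too that Sources.gz is fetched over plain http with no Release/signature check, so every "fixed in secure-testing archive" claim the report makes downstream rests on an unauthenticated download.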
@@ -45,11 +52,13 @@
 
 
 my %data;
+my %advlist;
 my %needkernel=qw/2.4.27 0 2.6.11 0/;
 my $list_unknown=1; #set to 1 to display kernel images with unknown source version
 my $sources=$ENV{SOURCES_FILE};
 my $need_rebuild=0;
 
+# Set some colours for the urgency types
 my @urgencies=("high", "medium", "low", "unknown");
 my %colormap=(
 	high => "#FF0000",
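Review bot: `my %advlist;` is declared here but not referenced in any hunk of this commit, so it is either dead or reserved for code that is not visible; if it is a placeholder, a one-line comment saying what it is meant to hold would stop the next reader from deleting it, otherwise drop the declaration. The surrounding top-level statement run continues outside the hunk.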
@@ -58,8 +67,9 @@
 	unknown => "#FFFF00"
 );
 
-my $unprop = my $unprop_all = my $unfixed = my $todos = 0;
+my $unprop = my $unprop_all = my $unfixed = my $todos = my $fixedsta = 0;
 
+# Add an item into the data array.
 sub record {
 	my ($package, $condition, $item, $urgency)=@_;
 		
@@ -72,9 +82,10 @@
 	push @{$data{$package}{$condition}}, {item => $item, urgency => $urgency};
 }
 
-die ("No DTSA list specified") if (! length @ARGV[1]);
-my $dtsalist = @ARGV[1];
-foreach my $list (@ARGV[0]) {
+foreach my $list (@ARGV) {
+	# Each of the @ARGVs we've got passed need parsing. So lets do that
+	
+	# If it's a directory, set the file to list, cause we need that.
 	if (-d $list) {
 		$list="$list/list";
 	}
@@ -83,15 +94,18 @@
 	while (<IN>) {
 		print STDERR "line: $_" if $debug;
 		chomp;
-		if (/^\[/) {
+		if (/\s+TODO/) { # It's a todo item. Add it to the count, and ignore it
+			$todos++;
+		}
+		elsif (/^\[/) { # Checking adv. number for a line starting with [ : Set $id to it
 			($id)=m/((?:DSA|DTSA|CAN|CVE)-[^\s]+) /;
 		}
-		elsif (/^((?:DSA|DTSA|CAN|CVE)-[^\s]+)/) {
+		elsif (/^((?:DSA|DTSA|CAN|CVE)-[^\s]+)/) { # Check for a line with an advisory at the start : Set $id to it
 			$id=$1;
 		}
-		elsif (/^\s+[!-]\s+(\S+)\s+(.*?)\s*$/) {
-			my $package=$1;
-			my $rest=$2;
+		elsif (/^\s+[!-]\s+(\S+)\s+(.*?)\s*$/) { # Deal with the rest of the lines
+			my $package=$1; # We know which package it is.
+			my $rest=$2; 
 			my $version;
 			my $notes;
 			if ($rest=~/([^\(\s]+)\s+\((.*)\)/) {
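Review bot: Moving the `/\s+TODO/` test ahead of the `^\[` and advisory-id branches changes which lines get parsed: any header or package line that happens to contain ` TODO` is now counted and dropped before `$id` can be set or the package examined, whereas the removed trailing `elsif` only caught lines the other patterns had already rejected. If the list format permits a TODO note on the same line as an advisory or package entry, that entry is now silently attributed to the previous `$id` or skipped; anchoring the test to standalone lines, `if (/^\s+TODO/) {`, or restoring it as the final `elsif` keeps the old precedence. `$id` is also assigned without a visible declaration, presumably a file-level `my` above this hunk — worth confirming. The enclosing `while (<IN>)` and `foreach my $list` loops begin before this hunk.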
@@ -106,8 +120,13 @@
 				$version=$rest;
 				$notes="";
 			}
+
+			# by now, we also have the version that's affected by the security problem.
+			# This is stored in $version
+		
 			my @notes=split(/\s*;\s+/, $notes);
 
+			# Fetch the urgency, if we can.
 			my $urgency="unknown";
 			foreach my $u (@urgencies) {
 				if (grep { $_ eq $u } @notes) {
@@ -116,7 +135,8 @@
 					last;
 				}
 			}
-			
+		
+			# It's a kernel. Add it to the list of kernels that need to be looked at.
 			if ($package=~/kernel-source-([0-9.]+)/) {
 			 	my $kernversion=$1;
 				if (exists $needkernel{$kernversion} &&
@@ -126,6 +146,7 @@
 				}
 			}
 
+			# Fire up madison.
 			my @maddy;
 			for (1..5) {
 				@maddy=`madison -s '$suite' '$package'`;
@@ -149,41 +170,47 @@
 			if (grep { $_ eq 'unfixed' || $_ eq 'pending' } @notes) {
 				record($package, '('.join("; ", @notes).')', $id, $urgency);
 				$unfixed++;
+				# It's not been fixed!
 			}
 			else {
 				foreach my $maddy (@maddy) {
 					my @fields = split(/\s*\|\s*/, $maddy);
-					my $havver=$fields[1];
+					my $havver=$fields[1]; # It's this version in the archive I'm checking.
 					my $arches=$fields[3];
-					my $dtsacmp=1;
 					$version=~s/\s+//; # strip whitespace
 					$arches=~s/\s+$//;
-					my $cmp=system("dpkg --compare-versions '$havver' '>=' '$version'");
-
-					my $dtsaver = `grep "\\- $package" $dtsalist|awk '{print \$3}'`;
-					chomp $dtsaver;
-					if (length($dtsaver)) {
-						my $hdcmp=system("dpkg --compare-versions '$havver' '>=' '$dtsaver'");
-						if ($hdcmp != 0 && $vdcmp == 0) {
-							record($package, "have $dtsaver in secure-testing archive, but $havver is in main archive",$id, $urgency);
+					my $starchive = "";
+					
+					# Is the version in the archive greater than the version that's vulnerable?
+					my $cmp=system("dpkg --compare-versions '$havver' '>=' '$version'"); 
+					if ($cmp != 0){ # No, so the archive is vulnerable.
+					
+						# Does the version exist in the secure-testing archive?
+						my $staversion = `zcat /tmp/Sources.sta.gz |grep-dctrl -F Package -e ^$package\$ -s Version -`;
+						chomp $staversion;
+						$staversion=~s/Version: //;
+						$staversion=~s/\s+//;
+						if (length ($staversion)) {
+							# Yes, but what version is in s-t?
+							my $stacmp = system("dpkg --compare-versions '$staversion' '>=' '$version'");
+							if ($stacmp == 0){
+								# Well, the version in the s-t archive fixes the issue
+								# but it's still vulnerable in the main archive
+								$starchive = " (fixed in $staversion in the secure-testing archive)";
+								$fixedsta++;
+							}
 						}
-						$dtsacmp = 0;
-					}
-					
-					if ($cmp != 0 && $dtsacmp !=0) {
+						
 						if ($html && $suite eq 'testing') {
 							$havver='<a href="http://bjorn.haxx.se/debian/testing.pl?package='.uri_escape($package).'">'.$havver.'</a>';
 						}
-						record($package, "$version needed, have $havver".(@maddy > 1 ? " [$arches]" : ""), $id, $urgency);
+						record($package, "$version needed, have $havver".(@maddy > 1 ? " [$arches]" : "").$starchive, $id, $urgency);
 						$unprop++;
 						$unprop_all++ unless @maddy > 1;
 					}
 				}
 			}
 		}
-		elsif (/\s+TODO/) {
-			$todos++;
-		}
 	}
 }
 
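Review bot: The new grep-dctrl and dpkg calls interpolate unvalidated text into shell commands: `$package` comes from the list file and is spliced into backticks both as a shell word and as the `-e ^$package\$` regex, where `.` and `+` (both legal in Debian package names) are metacharacters, so a name like `libfoo.bar` also matches `libfooxbar` and the wrong Version can be compared; `$staversion` comes from the Sources.gz fetched earlier over plain http and is placed inside single quotes in `system("dpkg --compare-versions '$staversion' ...")`, where a stray quote in a Version field breaks out to the shell. Restrict `$package` to the policy character set before use, ask grep-dctrl for an exact field match with `-X` instead of a regex, and call dpkg in list form so no shell is involved. Note also that `$staversion` then lands in `$starchive` and is printed into the HTML report unescaped, and that `$fixedsta++` sits inside `foreach my $maddy (@maddy)`, so a package with several madison rows is counted once per row while `$unprop_all` counts it at most once. The enclosing `foreach my $maddy` loop, `while (<IN>)` and `foreach my $list` all begin before this hunk.
```perl
					# … unchanged: $cmp = system("dpkg --compare-versions ...") …
					if ($cmp != 0){ # No, so the archive is vulnerable.
						# $package is read from the list file: restrict it to the
						# policy character set before it reaches a shell or regex.
						die "bad package name '$package' in $list" unless $package =~ /^[a-z0-9][a-z0-9+.-]+$/;
						# -X asks for an exact Package field match, so '.' and '+' in the
						# name are not treated as regex metacharacters.
						my $staversion = `zcat /tmp/Sources.sta.gz | grep-dctrl -F Package -X '$package' -s Version -`;
						chomp $staversion;
						$staversion=~s/Version: //;
						$staversion=~s/\s+//;
						if (length ($staversion)) {
							# List form: no shell, so a quote in a fetched Version field cannot inject.
							my $stacmp = system('dpkg', '--compare-versions', $staversion, '>=', $version);
							# … unchanged: $starchive / $fixedsta handling …
						}
						# … unchanged: record() call and $unprop counters …
					}
```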
@@ -265,8 +292,13 @@
 if ($html) {
 	print OUT "</ul>\n";
 	print OUT "<hr>\n";
+	print OUT "Key: ";
+	foreach $keyline (@urgencies) {
+		print OUT "<span style=\"border: 1px dashed; background:".$colormap{$keyline}."\">&nbsp;$keyline&nbsp;</span> ";
+	}
+	print OUT "<br>";
 	print OUT "Total holes unfixed: $unfixed<br>\n";
-	print OUT "Total holes fixed in unstable but not $suite: $unprop_all";
+	print OUT "Total holes fixed in unstable but not $suite: $unprop_all ($fixedsta fixed in secure-testing archive)";
 	if ($unprop_all != $unprop) {
 		print OUT " (+".($unprop - $unprop_all)." on some arches)";
 	}
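Review bot: The `($fixedsta fixed in secure-testing archive)` figure printed next to `$unprop_all` is not comparable with it: `$fixedsta++` in the earlier hunk runs inside the per-madison-row loop, so a package with rows for several versions is counted once per row, while `$unprop_all` is incremented at most once per package (`unless @maddy > 1`); guard it the same way, `$fixedsta++ unless @maddy > 1;`, or count per package. The key loop also uses an undeclared `$keyline`; write `foreach my $keyline (@urgencies) {` so the script still compiles under `use strict`, and the `print OUT "<br>";` line is missing the trailing `\n` the neighbouring prints use. The `if ($html)` block continues past the end of the hunk.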



