[Secure-testing-commits] r8437 - bin doc

nion at alioth.debian.org nion at alioth.debian.org
Fri Mar 28 17:08:09 UTC 2008


Author: nion
Date: 2008-03-28 17:08:08 +0000 (Fri, 28 Mar 2008)
New Revision: 8437

Added:
   bin/report-vuln
Modified:
   doc/narrative_introduction
Log:
adding report-vuln script

Added: bin/report-vuln
===================================================================
--- bin/report-vuln	                        (rev 0)
+++ bin/report-vuln	2008-03-28 17:08:08 UTC (rev 8437)
@@ -0,0 +1,121 @@
+#!/usr/bin/env python
+#
+# generate bug report content for a given package name
+# and a number of CVE ids
+#
+# you could use it for example in combination with the
+# following shell function:
+# report-vuln(){
+#     TMPFILE="$HOME/reportbug.tmp"
+#     $HOME/debian/svn/secure-testing/bin/report-vuln "$@" > $TMPFILE
+#     mutt -i $TMPFILE submit at bugs.debian.org
+#     rm $TMPFILE
+# }
+
+import sys, re, httplib
+
+def gen_index(ids):
+	ret = ''
+	for cnt, id in enumerate(ids):
+		ret += '\n[' + str(cnt) + '] http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + id + '\n'
+		ret += '    http://security-tracker.debian.net/tracker/' + id
+
+	return ret
+
+# this is a hack that parses the cve id description from mitre
+def get_cve(id):
+	desc = False
+	r = re.compile('.*<th\ colspan=.*>Description<.*')
+	tag = re.compile('.*</?tr>.*')
+	try:
+		conn = httplib.HTTPConnection('cve.mitre.org')
+		conn.request('GET', '/cgi-bin/cvename.cgi?name=' + id)
+		resp = conn.getresponse()
+		ret = ''
+	except Exception, e:
+		error('on doing HTTP request' + str(e))
+
+	for line in resp.read().rsplit('\n'):
+		if r.match(line):
+			desc = True
+			continue
+
+		if tag.match(line) and desc:
+			continue
+
+		if desc and '<td colspan="2">' in line:
+			ret += '| ' + re.sub('.*<td colspan="2">', '', line)
+			continue
+
+		if desc and '</td>' in line:
+			break
+
+		if desc and line != '':
+			ret = ret + '\n| ' + line
+
+	return ret + '\n'
+
+def gen_text(pkg, cveid):
+	vuln_suff = 'y'
+	cve_suff = ''
+	time_w = 'was'
+
+	if len(cveid) > 1:
+		cve_suff = 's'
+		vuln_suff = 'ies'
+		time_w = 'were'
+	
+	header = '''Package: %s
+Version: FILLINAFFECTEDVERSION
+Severity: FILLINSEVERITY
+Tags: security
+
+Hi,
+the following CVE (Common Vulnerabilities & Exposures) id%s %s
+published for %s.
+
+''' % (pkg, cve_suff, time_w, pkg)
+
+	footer = '''If you fix the vulnerabilit%s please also make sure to include the
+CVE id%s in your changelog entry.
+
+For further information see:''' % (vuln_suff, cve_suff)
+
+	print header
+	for cnt, cve in enumerate(cveid):
+		print cve + '[' + str(cnt) + ']:'
+		print get_cve(cve)
+
+	print footer
+	print gen_index(cveid)
+
+def error(msg):
+	print 'error: ' + msg
+	sys.exit(1)
+
+def usage():
+	print sys.argv[0], '<pkg> <cve id(s)>'
+	sys.exit(0)
+
+def main():
+	if len(sys.argv) < 3:
+		usage()
+
+	pkg = sys.argv[1]
+	cve = sys.argv[2:]
+
+	# check for valid parameters
+	p = re.compile('^[a-z].*')
+	c = re.compile('(CVE|cve)\-[0-9]{4}-[0-9]{4}')
+
+	if not p.match(pkg):
+		error(pkg + ' does not seem to be a valid source package name')
+
+	for arg in cve:
+		if not c.match(arg):
+			error(arg + ' does not seem to be a valid CVE id')
+
+	gen_text(pkg, cve)
+
+if __name__ == '__main__':
+	main()
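Review bot: The argument checks in `main()` only validate a prefix, because `p.match`/`c.match` anchor at the start and neither pattern has an end anchor, so a valid CVE id or package name followed by arbitrary characters is accepted. Those values are then concatenated unchanged into the request path in `get_cve()`, the URLs in `gen_index()` and the `Package:` pseudo-header in `gen_text()`, where embedded whitespace or line breaks would alter the HTTP request or the report headers. Anchoring both patterns closes this: `c = re.compile(r'(CVE|cve)-[0-9]{4}-[0-9]{4}\Z')` and `p = re.compile(r'[a-z0-9][a-z0-9+.-]+\Z')`, the latter following the Debian Policy character set for package names. `\Z` is preferable to `$` here because `$` also matches just before a trailing newline.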


Property changes on: bin/report-vuln
___________________________________________________________________
Name: svn:executable
   + *

Modified: doc/narrative_introduction
===================================================================
--- doc/narrative_introduction	2008-03-28 15:29:29 UTC (rev 8436)
+++ doc/narrative_introduction	2008-03-28 17:08:08 UTC (rev 8437)
@@ -198,6 +198,9 @@
 A special exception is made for kernel related issues. The kernel-sec
 group will take care of them and file bugs if needed.
 
+If you wan't to report a bug, bin/report-vuln might be helpful in creating
+the bug report.
+
 If a vulnerability does not affect Debian, e.g. because the vulnerable
 code is not contained, it is marked as <not-affected>:
 



