def fixed_map(priority=None):
fixed = []
for usn in sorted(db.keys()):
if not db[usn].has_key('cves'):
continue
for cve in db[usn]['cves']:
if not cve.startswith('CVE-'):
continue
if not release or db[usn]['releases'].has_key(release):
# Load CVE if it isn't already cached
if not info.has_key(cve):
try:
info.setdefault(
cve, cve_lib.load_cve(cve_lib.find_cve(cve)))
except Exception, e:
print >> sys.stderr, "Skipping %s: %s" % (cve, str(e))
continue
# Skip those without PublicDates for the moment
if info[cve]['PublicDate'].strip() == "":
print >> sys.stderr, "%s: empty PublicDate" % (cve)
continue
# Check priority
# from the all releases or a specific release, find the
# mapping of CVE priority based on the package that was
# fixed in the USN. In the case of multiple match, first
# most specific wins.
max_specificity = -1
cve_priority = info[cve]['Priority']
tried = []
for rel in db[usn]['releases']:
if not release or release == rel:
if db[usn]['releases'][rel].has_key('sources'):
for pkg in db[usn]['releases'][rel]['sources']:
specificity, specific_priority = cve_lib.contextual_priority(
info[cve], pkg, rel)
if specificity > max_specificity:
cve_priority = specific_priority
max_specificity = specificity
if not priority or cve_priority == priority:
oldest = None
if release:
oldest = cve_lib.release_stamps[release]
fixed.append([
cve,
cve_lib.cve_age(cve, info[cve]['PublicDate'],
db[usn]['timestamp'], oldest), usn,
cve_priority
])
def fixed_map(priority=None):
fixed = dict()
for usn in sorted(db.keys()):
if 'cves' not in db[usn]:
continue
for cve in db[usn]['cves']:
if not cve.startswith('CVE-'):
continue
if not release or release in db[usn]['releases']:
# Load CVE if it isn't already cached
if cve not in info:
try:
info.setdefault(
cve, cve_lib.load_cve(cve_lib.find_cve(cve)))
except Exception as e:
print("Skipping %s: %s" % (cve, str(e)),
file=sys.stderr)
continue
# Skip those without PublicDates for the moment
if info[cve]['PublicDate'].strip() == "":
print("%s: empty PublicDate" % (cve), file=sys.stderr)
continue
# Check priority
# from the all releases or a specific release, find the
# mapping of CVE priority based on the package that was
# fixed in the USN. In the case of multiple match, first
# most specific wins.
for rel in db[usn]['releases']:
if not release or release == rel:
if 'sources' in db[usn]['releases'][rel]:
for pkg in db[usn]['releases'][rel]['sources']:
# For now, hard-code list of source packages
# we're ignoring. This will need to be dealt
# with in a better way once we have a fuller
# understanding of the ramifications of having
# multiple source packages for the kernel.
if pkg in [
'linux-mvl-dove', 'linux-fsl-imx51',
'linux-ec2', 'linux-qcm-msm',
'linux-ti-omap', 'linux-armadaxp'
] and 'linux' in db[usn]['releases'][rel][
'sources']:
continue
# Skip updates duplicated in firefox
if pkg in ['xulrunner-1.9.2', 'thunderbird'
] and 'firefox' in db[usn][
'releases'][rel]['sources']:
continue
specificity, cve_priority = cve_lib.contextual_priority(
info[cve], pkg, rel)
if not priority or cve_priority == priority:
report_pkg = pkg
if pkg in cve_lib.pkg_alternates:
report_pkg = cve_lib.pkg_alternates[
pkg]
fixed.setdefault(report_pkg, dict())
fixed[report_pkg].setdefault(
cve_priority, set())
fixed[report_pkg][cve_priority].add(cve)
return fixed
def htmlize_package(outfd, pkg, cvefiles, commit=None):
html_header('%s CVEs in Ubuntu' % pkg,
'Ubuntu Package CVE Entry for %s' % pkg, outfd)
print('<h2 class="card-header">Package: %s</h2>' % (quote(pkg)),
file=outfd)
print('<div class="card-body text-left">', file=outfd)
notes = set()
# Loading the source map is expensive, which is unfortunate. We will
# do it only for pkg html output, since the generate-pkg-makefile script
# is already trying to minimize how much we run this function.
global map
if not map:
import source_map
map = source_map.load()
# Merged package reports (linux-source-2.6.15 should appear in
# linux) only work when a package (linux) does not exist in a given
# release (dapper) but the replacement does (linux-source-2.6.15).
# So, figure out which pkg should be used for lookups in each in release:
pkgname = dict()
for rel in releases:
rel_orig = rel
if rel == cve_lib.devel_release:
rel = 'devel'
pkgname[rel_orig] = pkg
if pkg not in map[rel_orig] and pkg in cve_lib.pkg_aliases:
# Aliases: 'linux-source-2.6.15' should appear in 'linux' output
for alias in cve_lib.pkg_aliases[pkg]:
if alias in map[rel_orig]:
#print >>sys.stderr, "\tfound alias '%s' for '%s'" % (alias, pkg)
pkgname[rel_orig] = alias
notes.add(
'CVEs from <a href="%s.html">%s</a> in %s have been merged into this report'
% (quote(alias), escape(alias), escape(rel_orig)))
break
# For a given source package, if it is supported for a release, but
# there is a CVE that is marked as affecting a universe binary only,
# we need to mark it as "community supported". Start by building up
# a map of supportability per-release for the source package.
starred = False
src_supported = dict()
headings = []
entire_release_starred = set()
for rel in releases:
heading = rel
if '/' in rel:
(base, ppa) = rel.split('/')
heading = "%s/" % (base)
if ppa == "ubuntu-core":
heading += "Core"
elif ppa == "stable-phone-overlay":
heading += "Touch"
else: # abbreviate the ppa name if we don't know about it
for i in ppa.split('-'):
heading += i[0]
src_supported[rel] = False
if pkgname[rel] and pkgname[rel] in map[rel]:
src_supported[rel] = cve_lib.is_supported(map, pkgname[rel], rel)
if not src_supported[rel]:
starred = True
entire_release_starred.add(rel)
heading += "*"
headings.append(heading)
if len(cvefiles) == 0:
print(
'<div class="item text-center"><h3>Status</h3> <div class="value">No known vulnerable public CVEs</div></div>',
file=outfd)
else:
cvefiles.sort(cve_lib.cve_sort)
print(
'<div class="item text-center"><h3>Status</h3> <div class="value">%d known public CVEs</div></div>'
% (len(cvefiles)),
file=outfd)
if len(notes) > 0:
print('<div class="item text-center"><h3>Notes</h3>', file=outfd)
for note in sorted(notes):
print('<div class="value">%s</div>' % (note), file=outfd)
print('</div>', file=outfd)
print('<h3 class="text-center">CVEs</h3>', file=outfd)
print(
'<table id="cves" class="table table-bordered table-hover text-center">'
+ htmlTableHeader(headings),
file=outfd)
for cvefile in cvefiles:
data = cve_lib.load_cve(cvefile)
# Sort out priority
priority = cve_lib.contextual_priority(data)[1]
print('<tr class="%s">' % (quote(priority)), end=' ', file=outfd)
# fields...
# 'pkgs' -> dict( pkg -> dict( release -> (state, notes) ) )
cve = data['Candidate']
#print >>sys.stderr, 'cve: %s' % (cve)
print('<td class="cve"><a href="../%s">%s</a></td>' %
(quote(cve), escape(cve)),
end=' ',
file=outfd)
for rel in releases:
rel_orig = rel
if rel == cve_lib.devel_release:
rel = 'devel'
report_pkg = pkgname[rel_orig]
# Sort out priority override
priority_override = cve_lib.contextual_priority(data,
pkg=report_pkg,
rel=rel)[1]
#print >>sys.stderr, '\tlooking for %s' % (report_pkg)
if report_pkg in data['pkgs'] and rel in data['pkgs'][
report_pkg]:
pkgstatus = data['pkgs'][report_pkg][rel][0]
pkgnotes = data['pkgs'][report_pkg][rel][1]
pkgclass = pkgstatus
#print >>sys.stderr, '\t\tstatus for %s is %s' % (report_pkg, pkgclass)
if pkgclass == 'DNE':
pkgstatus = "--"
if pkgstatus == 'pending' and pkgnotes != '':
pkgclass = 'pendingversion'
priority_class = ""
priority_start = ""
priority_end = ""
if priority_override != priority:
priority_class = " override"
priority_start = '<div class="%s">' % (
quote(priority_override))
priority_end = '</div>'
# Sort out supportability override
if pkgstatus not in ["--", "not-affected"] and \
src_supported[rel_orig] and \
not cve_lib.is_supported(map, report_pkg, rel_orig, data):
starred = True
pkgstatus += "*"
print('<td class="%s%s">%s%s%s</td>' %
(quote(pkgclass), priority_class, priority_start,
escape(pkgstatus), priority_end),
end=' ',
file=outfd)
else:
print('<td class="DNE">--</td>', end=' ', file=outfd)
print('</tr>', file=outfd)
print('</table>', file=outfd)
if starred:
print('<p class="note text-right">* community supported</p>',
file=outfd)
html_footer(outfd, commit)
def sync_to_bug_phase1(bug, tasks, data):
touched = False
if opt.verbose:
print("\tsync to bug (phase 1)", file=sys.stderr)
# Scan for EOL source packages and mark appropriately
for src in tasks:
if src not in cve_lib.kernel_srcs:
continue
for rel in cve_lib.eol_releases:
# Already have a nomination for this release?
if rel in tasks[src] and not opt.allow_eol_tasks and set_task_eol(tasks, src, rel):
touched = True
for src in data['pkgs']:
if src not in cve_lib.kernel_srcs:
continue
if src not in tasks:
# Logic for handling the missing tasks has already happened,
# so unconditionally allow it here to avoid blowing up, since
# a full abort is not needed.
continue
for rel in data['pkgs'][src]:
release = rel
if release == 'devel':
release = cve_lib.devel_release
if release in ['', 'upstream'] + cve_lib.eol_releases:
continue
# TODO: product kernels should be synced to a particular LP
# project. This url is cve_lib.supported_products[src][1]
if release == 'product' or release == 'snap':
continue
if release not in tasks[src]:
continue
state = data['pkgs'][src][rel][0]
if release not in tasks[src] and state != 'DNE':
print("\tmissing task for %s,%s" % (src, release), file=sys.stderr)
continue
# Update Status
if state == 'DNE':
# replace next line with following commented line when deleting tasks is fixed
if set_task_status_iff_exists(tasks, src, release, 'Invalid'):
touched = True
# if delete_task(tasks, src, release, 'DNE'): touched = True
elif state == 'pending' and tasks[src][release].status in ['Invalid', 'New', 'Confirmed', 'Triaged', 'In Progress']:
if set_task_status(tasks, src, release, 'Fix Committed'):
touched = True
elif state == 'released':
if set_task_status(tasks, src, release, 'Fix Released'):
touched = True
elif state in ['not-affected', 'ignored'] and tasks[src][release].status == "New":
if set_task_status(tasks, src, release, 'Invalid'):
touched = True
elif state == 'deferred':
print("\tskipping deferred for %s, %s" % (src, release), file=sys.stderr)
continue
# Update Importance
priority = cve_lib.contextual_priority(data, src, rel)[1]
if set_task_importance(tasks, src, release, priority_to_importance[priority]):
touched = True
return touched
]))
cves = []
for cve in sorted(db[usn]['cves']):
info = None
if cve.startswith("CVE-") and usn in usns:
unique_cves.add(cve)
if report_priorities or opt.description:
# Skip non-CVEs and missing CVEs.
try:
filename = cve_lib.find_cve(cve)
info = cve_lib.load_cve(filename)
except:
continue
if report_priorities:
specificity, cve_priority = cve_lib.contextual_priority(
info, src, release)
# Skip CVEs that we aren't interested in.
if not cve_priority in report_priorities:
continue
cve = "%s (%s)" % (cve, cve_priority)
if opt.description:
text = info.get('Ubuntu-Description',
info['Description']).strip()
# Skip CVEs that do not match the description we're interested in.
if not re.search(opt.description, text):
continue
text = textwrap.fill(text, 60)
cve += "\n\t\t%s" % ("\n\t\t".join(text.splitlines()))
cves.append(cve)
if len(cves) > 0:
if not opt.summary:
def _get_cve_priority(cve, pkg, rel):
prio = 'unknown'
if cve in info:
prio = cve_lib.contextual_priority(info[cve], pkg, rel)[1]
return prio