
Contents of /bin/checklist



Revision 659 - (hide annotations) (download)
Fri Mar 25 20:31:27 2005 UTC (8 years, 1 month ago) by joeyh
Original Path: sarge-checks/checklist
File size: 5091 byte(s)
bleh, retry on any madison failure that's not exit 1
#!/usr/bin/perl
# Must run on a machine with madison.
#
# To check for un-updated binary kernel packages, also needs grep-dctrl
# and a Sources file for the distribution. Set the location of the Sources
# file in SOURCES_FILE in the environment.
#
use URI::Escape;

# Output mode: an optional leading "html" argument switches the report to
# HTML and is dropped from @ARGV, leaving only list paths behind.
my $html = 0;
if ($ARGV[0] eq 'html') {
    shift;
    $html = 1;
}

# At least one list (file or directory) is required.
die "usage: $0 [html] list\n" unless @ARGV;

# package => condition => [ advisory ids ]; filled in by record().
my %data;

# Kernel series to track => kernel-source version needed ("0" = none seen).
my %needkernel = ('2.4.27' => '0', '2.6.8' => '0');

# Set to 1 to display kernel images with unknown source version.
my $list_unknown = 0;

# Path of the Sources file, taken from the environment. It is later
# interpolated into a shell pipeline, so it must be an operator-controlled
# value, never something derived from the list files.
my $sources = $ENV{SOURCES_FILE};

# Counters shown in the HTML footer.
my $need_rebuild = 0;
my $todos        = 0;
my $unfixed      = 0;
my $unprop       = 0;

# Remember that advisory $item applies to $package under $condition.
#
# In HTML mode the strings are decorated before being stored: "bug #N" in
# the condition becomes a link to bugs.debian.org, "unfixed" is bolded, and
# CAN-/CVE- identifiers in the item become links to cve.mitre.org.
#
# Nothing here HTML-escapes the incoming text. Callers in this file pass
# ready-made markup (for example <em>...</em>) inside $condition, so any
# escaping of list-file or madison data has to happen before that markup is
# assembled, not in this sub.
sub record {
    my ($package, $condition, $item) = @_;

    if ($html) {
        for ($condition) {
            s{bug #(\d+)}{<a href="http://bugs.debian.org/$1">bug #$1</a>}g;
            s{unfixed}{<b>unfixed</b>}g;
        }
        $item =~ s{((?:CAN|CVE)-\d+-\d+)}{<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=$1">$1</a>}g;
    }

    my $items_for = $data{$package}{$condition} ||= [];
    push @$items_for, $item;
}

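# Walk every list named on the command line and record, per package, which
# advisories are still unfixed or are fixed but have not reached testing.
#
# Package names and version strings come straight from the list files and
# from madison's output. Every external command below is therefore started
# with an argument list (no shell involved), and the list file is opened
# with an explicit read mode so its name cannot select a pipe or write mode.
my $id;    # advisory currently being parsed; carried across lines and files

foreach my $list (@ARGV) {
    $list = "$list/list" if -d $list;

    # "-" keeps meaning standard input, as it did with two-argument open.
    my $in;
    if ($list eq '-') {
        $in = \*STDIN;
    }
    else {
        open($in, '<', $list) or die "open $list: $!";
    }

    while (my $line = <$in>) {
        chomp $line;
        if ($line =~ /^\[/) {
            # Dated entry: the id follows the bracketed part on the line.
            ($id) = $line =~ m/((?:DSA|CAN|CVE)-[^\s]+) /;
        }
        elsif ($line =~ /^((?:DSA|CAN|CVE)-[^\s]+)/) {
            $id = $1;
        }
        elsif ($line =~ /^\s+[!-]\s+(\S+)\s+(.*?)\s*$/) {
            my ($package, $version) = ($1, $2);

            # Track the highest kernel-source version listed for each series
            # in %needkernel; entries carrying a parenthesised note are skipped.
            if ($package =~ /kernel-source-([0-9.]+)/) {
                my $kernversion = $1;
                if (exists $needkernel{$kernversion} && $version !~ /\(/) {
                    $needkernel{$kernversion} = $version
                        if !system('dpkg', '--compare-versions',
                                   $needkernel{$kernversion}, 'lt', $version);
                }
            }

            # Ask madison what testing has, retrying up to five times.
            my @maddy;
            for my $attempt (1 .. 5) {
                if (open(my $madison, '-|', 'madison', '-s', 'testing', $package)) {
                    @maddy = <$madison>;
                    close $madison;    # waits for madison and sets $?
                }
                else {
                    # Could not start madison at all; report it the way a
                    # shell would report a missing command.
                    @maddy = ();
                    $? = 127 << 8;
                }
                if ($? & 127 || ($? >> 8 != 0 && $? >> 8 != 1)) {
                    # good old unreliable newraff,
                    # home of our archive..
                    next;
                }
                last;
            }

            my $status = $?;    # status of the last attempt
            if ($status & 127) {
                record($package, "<em>[madison segfaulted 5 times in a row.. Medic!]</em>", $id);
            }
            elsif ($status >> 8 != 0 && $status >> 8 != 1) {
                record($package, "<em>[madison exited with ".($status >> 8)."]</em>", $id);
            }
            next if !@maddy;

            if ($version =~ /unfixed/ || $version =~ /pending/) {
                record($package, $version, $id);
                $unfixed++;
            }
            else {
                foreach my $maddy (@maddy) {
                    my @fields = split(/\s*\|\s*/, $maddy);
                    my $havver = $fields[1];
                    my $arches = $fields[3];
                    # Removes the first run of whitespace only (no /g), once
                    # per madison line, exactly as before.
                    $version =~ s/\s+//;
                    $arches  =~ s/\s+$//;
                    my $cmp = system('dpkg', '--compare-versions',
                                     $havver, '>=', $version);
                    if ($cmp != 0) {
                        if ($html) {
                            # Only the package name in the URL is escaped;
                            # $havver itself is inserted as madison printed it.
                            $havver = '<a href="http://bjorn.haxx.se/debian/testing.pl?package='.uri_escape($package).'">'.$havver.'</a>';
                        }
                        record($package, "$version needed, have $havver".(@maddy > 1 ? " [$arches]" : ""), $id);
                        $unprop++;
                    }
                }
            }
        }
        elsif ($line =~ /\s+TODO/) {
            $todos++;
        }
    }

    close $in unless $list eq '-';
}

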
# Emit the report body: one line (an <li> in HTML mode) per
# package/condition pair, followed by the comma-separated advisories.
#
# NOTE(review): $package, $condition and the items are printed exactly as
# stored in %data; nothing in this block HTML-escapes them, so the HTML
# report is only as clean as the list files and madison output behind it.
if ($html) {
    print "<html><title>testing security issues</title>\n", "<ul>\n";
}

for my $package (sort keys %data) {
    my $conditions = $data{$package};
    for my $condition (sort keys %$conditions) {
        print "<li>" if $html;
        print "$package $condition for ";
        print join(", ", sort @{ $conditions->{$condition} });
        print "\n";
    }
}

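# For each tracked kernel series, report kernel-image source packages from
# the Sources file whose kernel source build dependency is older than the
# version recorded in %needkernel.
foreach my $version (sort keys %needkernel) {
    my %images;

    # "0" means no kernel-source version was recorded for this series.
    # (This lookup used to read an unrelated, never-filled hash, so the
    # skip never triggered.)
    next if $needkernel{$version} eq "0";

    my @dctrl;
    if (defined $sources && length $sources) {
        my $cat = ($sources =~ /\.gz/) ? "zcat" : "cat";
        # SOURCES_FILE is interpolated into a shell pipeline: single-quote
        # it so spaces or shell metacharacters in the path stay part of one
        # file name. $version is one of the hard-coded %needkernel keys.
        (my $quoted_sources = $sources) =~ s/'/'\\''/g;
        @dctrl = `$cat '$quoted_sources' | grep-dctrl -F Binary kernel-image-$version -s Package,Build-Depends -`;
    }

    my $package = "";
    my $haveversion;

    # grep-dctrl output is read stanza by stanza: Package, Build-Depends,
    # then any other line (the separator) closes the stanza.
    foreach my $line (@dctrl) {
        chomp $line;
        if ($line =~ /Package:\s*(\S+)/) {
            $package     = $1;
            $haveversion = "0";
        }
        elsif ($line =~ /Build-Depends/) {
            if ($line =~ /kernel-tree-\Q$version\E-([^,\s]+)/) {
                $haveversion = "$version-$1";
            }
            elsif ($line =~ /kernel-source-\Q$version\E\s+\(>=\s*([^\s\)]+)\)/) {
                # Capture the whole version, not just its first character.
                $haveversion = "$1";
            }
        }
        else {
            next if $package =~ /linux-kernel-di/ || $package eq "";
            $images{$package} = $haveversion;
            $package = "";
        }
    }

    foreach my $image (sort keys %images) {
        if ($images{$image} eq "0") {
            print "<li>" if ($html && $list_unknown);
            print "$image built from kernel-source-$version $needkernel{$version} needed, current version unknown\n" if $list_unknown;
        }
        # Versions come from the list and Sources files, so dpkg is started
        # with an argument list rather than through a shell command string.
        elsif (!system('dpkg', '--compare-versions',
                       $needkernel{$version}, 'gt', $images{$image})) {
            print "<li>" if $html;
            print "$image built from kernel-source-$version $needkernel{$version} needed, have $images{$image}\n";
            $need_rebuild++;
        }
    }
}

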
# Close the HTML report with the summary counters and a timestamp.
if ($html) {
    my $now = `date`;    # date's own trailing newline is kept in the output
    print "</ul>\n",
          "<hr>\n",
          "Total holes unfixed: $unfixed<br>\n",
          "Total holes fixed in unstable but not testing: $unprop<br>\n",
          "Total number of kernel image source packages not up to date: $need_rebuild<br>\n",
          qq{Number of TODO lines in <a href="http://svn.debian.org/wsvn/secure-testing/sarge-checks/?rev=0&sc=0">records</a>: $todos<br>\n},
          qq{Maintained by the <a href="http://secure-testing.alioth.debian.org/">testing security team</a><br>\n},
          "Last update: " . $now . "<br>\n",
          "</html>\n";
}

Properties

Name Value
svn:executable *
