Contents of /bin/checklist

#!/usr/bin/perl
# Must run on a machine with dak ls.
# 
# To check for un-updated binary kernel packages, also needs grep-dctrl 
# and a Sources file for the distribution. Set the location of the Sources
# file in SOURCES_FILE in the environment.
use warnings;
use strict;
use URI::Escape;
use Getopt::Long;

my $html=0;
my $debug=0;
my $suite="testing";
my $sta="http://security.debian.org/debian-security/dists/testing/updates/main/source/Sources.gz";
my $output;
if (! GetOptions(
                "html" => \$html,
                "debug" => \$debug,
                "suite=s" => \$suite,
                "sta=s" => \$sta,
                "output=s", \$output)
    || ! @ARGV) {
        die "usage: $0 [--suite suite] [--sta sta-mirror] [--html] [--output=file] [--debug] list ...\n";
}

my $stasources=`tempfile`;
chomp $stasources;
system("wget -q -O $stasources $sta");

if (defined $output) {
        open (OUT, ">$output.tmp.$$") || die "output.tmp.$$: $!"; # Set the output to a file
}
else {
        open (OUT, ">&STDOUT"); # Set the output to stdout
}

if ($html) { # It's HTML, so we need a header
        print OUT "<html><title>$suite security issues</title>\n";
        print OUT <<"EOF";
<p><b>Note:</b>The information in the <a href="http://idssi.enyo.de/tracker">Security
Bug Tracker</a> is more detailed and likely more accurate.
</p>
EOF

        
        # This is being run against something it's not meant to be, so print a warning
        if ($suite ne 'testing' && $suite ne 'unstable') { 
                print OUT <<"EOF";
<p>
<em>Warning:</em> This page is the result of running the testing security
check script against the $suite distribution. As data is only gathered for
the testing distribution, results may be innacurate if a package has
changed its name, if a vulnerability affects $suite and not testing, or if a
vulnerability has been fixed in $suite by the security team.
</p>
EOF
        }
        print OUT "<ul>\n";
}


my %data;
my %advlist;
my %needkernel=qw/2.4.27 0 2.6.11 0/;
my $list_unknown=1; #set to 1 to display kernel images with unknown source version
my $sources=$ENV{SOURCES_FILE};
my $need_rebuild=0;

# Set some colours for the urgency types
my @urgencies=("high", "medium", "low", "unimportant", "unknown", "fixed");
my %colormap=(
        high => "#FF0000",
        medium => "#FF9999",
        low => "#FFFFFF",
        unknown => "#FFFF00",
        fixed => "#00FF00",
);

my $unprop = my $unprop_all = my $unfixed = my $todos = my $fixedsta = 0;

# Add an item into the data array.
sub record {
        my ($package, $condition, $item, $urgency)=@_;

        if (! defined $item) {
                $item='';
        }
                
        if ($html) {
                $condition=~s{bug #(\d+)}{<a href="http://bugs.debian.org/$1">bug #$1</a>}g;
                $condition=~s{unfixed}{<b>unfixed</b>}g;
                $item=~s#(CVE-\d+-\d+)#<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=$1">$1</a>#g;
                $item=~s#(DTSA-\d+-\d+)#<a href="http://testing-security.debian.net/DTSA/$1.html">$1</a>#g;
        }

        push @{$data{$package}{$condition}}, {item => $item, urgency => $urgency};
}

foreach my $list (@ARGV) {
        # Each of the @ARGVs we've got passed need parsing. So lets do that
        
        # If it's a directory, set the file to list, cause we need that.
        if (-d $list) {
                $list="$list/list";
        }
        
        my $id;
        open (IN, $list) || die "open $list: $!";
        while (<IN>) {
                print STDERR "line: $_" if $debug;
                chomp;
                if (/\s+TODO/) { # It's a todo item. Add it to the count, and ignore it
                        $todos++;
                }
                elsif (/^\[/) { # Checking adv. number for a line starting with [ : Set $id to it
                        ($id)=m/((?:DSA|DTSA|CVE)-[^\s]+) /;
                }
                elsif (/^((?:DSA|DTSA|CVE)-[^\s]+)/) { # Check for a line with an advisory at the start : Set $id to it
                        $id=$1;
                }
                elsif (/^\s+\[\w+\]\s+/) { # line tagged with a debian codename
                        next; # don't handle these for now
                }
                elsif (/^\s+(?:\[\w+\]\s+)?[!-]\s+(\S+)\s+(.*?)\s*$/) { # Deal with the rest of the lines
                        my $package=$1; # We know which package it is.
                        my $rest=$2; 
                        my $version;
                        my $notes;
                        if ($rest=~/([^\(\s]+)\s+\((.*)\)/) {
                                $version=$1;
                                $notes=$2;
                        }
                        elsif ($rest=~/\((.*)\)/) {
                                $version="";
                                $notes=$1;
                        }
                        else {
                                $version=$rest;
                                $notes="";
                        }

                        # by now, we also have the version that's affected by the security problem.
                        # This is stored in $version
                        next if $version eq '<not-affected>' || $version eq '<removed>' || $version eq '<no-dsa>';
                        
                        my @notes=split(/\s*;\s+/, $notes);

                        # Fetch the urgency, if we can.
                        my $urgency="unknown";
                        foreach my $u (@urgencies) {
                                if (grep { $_ eq $u } @notes) {
                                        $urgency=$u;
                                        @notes = grep { $_ ne $u } @notes;
                                        last;
                                }
                        }
                        next if $urgency eq 'unimportant';
                
                        # It's a kernel. Add it to the list of kernels that need to be looked at.
                        if ($package=~/kernel-source-([0-9.]+)/ && $version ne '<unfixed>') {
                                my $kernversion=$1;
                                if (exists $needkernel{$kernversion} &&
                                    length $version &&
                                    system("dpkg --compare-versions $needkernel{$kernversion} lt $version") != 0) {
                                        $needkernel{$kernversion}=$version;
                                }
                        }

                        # Fire up dak ls.
                        my @maddy;
                        for (1..5) {
                                @maddy=`dak ls -s '$suite' '$package'`;
                                if ($? & 127 || ($? >> 8 != 0 && $? >> 8 != 1)) {
                                        # good old unrelaible newraff,
                                        # home of our archive..
                                        next;
                                }
                                last;
                        }
                        if ($? & 127) {
                                record($package, "<em>[dak ls segfaulted 5 times in a row.. Medic!]</em>", $id);
                        }
                        elsif ($? >> 8 != 0 && $? >> 8 != 1) {
                                record($package, "<em>[dak ls exited with ".($? >> 8)."]</em>", $id);
                        }
                        if (! @maddy) {
                                next;
                        }
                        
                        if ($version eq '<unfixed>' || grep { $_ eq 'pending' } @notes) {
                                record($package, '('.join("; ", "unfixed", @notes).')', $id, $urgency);
                                $unfixed++;
                                # It's not been fixed!
                        }
                        else {
                                foreach my $maddy (@maddy) {
                                        my @fields = split(/\s*\|\s*/, $maddy);
                                        my $havver=$fields[1]; # It's this version in the archive I'm checking.
                                        my $arches=$fields[3];
                                        $version=~s/\s+//; # strip whitespace
                                        $arches=~s/\s+$//;
                                        next if $arches eq 'hurd-i386';
                                        # Is the version in the archive the same or newer than the fix?
                                        my $cmp=system("dpkg --compare-versions '$havver' '>=' '$version'"); 
                                        if ($cmp != 0){ # No, so the archive is vulnerable.
                                                # Does the version exist in the secure-testing archive?
                                                my $staversion = `zcat $stasources |grep-dctrl -F Package -e ^$package\$ -s Version -`;
                                                chomp $staversion;
                                                $staversion=~s/Version: //;
                                                $staversion=~s/\s+//;
                                                if (length ($staversion)) {
                                                        # Yes, but what version is in s-t?
                                                        my $stacmp = system("dpkg --compare-versions '$staversion' '>=' '$version'");
                                                        if ($stacmp == 0){
                                                                # Well, the version in the s-t archive fixes the issue
                                                                # but it's still vulnerable in the main archive
                                                                $urgency='fixed';
                                                                $fixedsta++;
                                                        }
                                                }
                                                
                                                if ($html && $suite eq 'testing') {
                                                        $havver='<a href="http://release.debian.org/migration/testing.pl?package='.uri_escape($package).'">'.$havver.'</a>';
                                                }
                                                record($package, "$version needed, have $havver".(@maddy > 1 ? " [$arches]" : ""), $id, $urgency);
                                                $unprop++;
                                                $unprop_all++ unless @maddy > 1;
                                        }
                                }
                        }
                }
        }
}


foreach my $package (sort keys %data) {
        foreach my $condition (sort keys %{$data{$package}}) {
                print OUT "<li>" if $html;
                print OUT "$package $condition for ";
                my $items=0;
                foreach my $i (sort @{$data{$package}{$condition}}) {
                        print OUT ", " if $items > 0;
                        
                        if ($html) {
                                my $color=$colormap{$i->{urgency}};
                                print OUT "<span style=\"background:$color\">";
                        }
                        print OUT $i->{item};
                        if ($html) {
                                print OUT "</span>";
                        }
                        
                        $items++;
                }
                print OUT "\n";
        }
}

my %needkern;

foreach my $version (sort keys %needkernel) {
        my %images;
        
        if (defined $needkern{$version} && $needkern{$version} eq "0") {
                next;
        }

        my @dctrl;
        if (defined $sources && length $sources) {
                my $cat=($sources=~/\.gz/) ? "zcat" : "cat";
                @dctrl=`$cat $sources | grep-dctrl -F Binary kernel-image-$version -s Package,Build-Depends -`;
        }

        my $package="";
        my $haveversion;
        
        foreach my $line (@dctrl) {
                chomp $line;
                if ($line=~/Package:\s*(\S+)/) {
                        $package=$1;
                        $haveversion="0";
                } elsif ($line=~/Build-Depends/) {
                        if ($line=~/kernel-tree-$version-([^,\s]+)/) {
                                $haveversion="$version-$1";
                        } elsif ($line=~/kernel-source-$version\s+\(>?=\s*([^\s\)]+)\)/) {
                                $haveversion="$1";
                        }
                } else {
                        if ($package=~/linux-kernel-di/ || $package eq "") {
                                next;
                        }
                        $images{$package}=$haveversion;
                        $package="";
                }
        }

        foreach my $package (sort keys %images) {
                if ($images{$package} eq "0") {
                        print OUT "<li>" if ($html && $list_unknown);
                        print OUT "$package built from kernel-source-$version $needkernel{$version} needed, current version unknown\n" if $list_unknown;
                } elsif (!system("dpkg --compare-versions $needkernel{$version} gt $images{$package}")) {
                        print OUT "<li>" if $html;
                        print OUT "$package built from kernel-source-$version $needkernel{$version} needed, have $images{$package}\n";
                        $need_rebuild++;
                }
        }


}


if ($html) {
        print OUT "</ul>\n";
        print OUT "<hr>\n";
        print OUT "Key: ";
        foreach my $keyline (@urgencies) {
                next if $keyline eq 'unimportant';
                print OUT "<span style=\"border: 1px dashed; background:".$colormap{$keyline}."\">&nbsp;$keyline&nbsp;</span> ";
        }
        print OUT "<br>";
        print OUT "Total holes unfixed: $unfixed<br>\n";
        print OUT "Total holes fixed in unstable (or experimental) but not $suite: $unprop_all ($fixedsta fixed in secure-testing archive)";
        if ($unprop_all != $unprop) {
                print OUT " (+".($unprop - $unprop_all)." on some arches)";
        }
        print OUT "<br>\n";
        print OUT "Total number of kernel image packages not up to date: $need_rebuild<br>\n";
        print OUT "Number of TODO lines in <a href=\"http://svn.debian.org/wsvn/secure-testing/data/?rev=0&sc=0\">records</a>: $todos<br>\n";
        print OUT "Maintained by the <a href=\"http://testing-security.debian.net/\">testing security team</a><br>\n";
        print OUT "Last update: ".`date`."<br>\n";
        print OUT "</html>\n";
}

close OUT;
if (defined $output) {
        rename("$output.tmp.$$", $output) || die "rename: $!";
}
unlink $stasources;
1	#!/usr/bin/perl
2	# Must run on a machine with dak ls.
3	#
4	# To check for un-updated binary kernel packages, also needs grep-dctrl
5	# and a Sources file for the distribution. Set the location of the Sources
6	# file in SOURCES_FILE in the environment.
7	use warnings;
8	use strict;
9	use URI::Escape;
10	use Getopt::Long;
11
12	my $html=0;
13	my $debug=0;
14	my $suite="testing";
15	my $sta="http://security.debian.org/debian-security/dists/testing/updates/main/source/Sources.gz";
16	my $output;
17	if (! GetOptions(
18	"html" => \$html,
19	"debug" => \$debug,
20	"suite=s" => \$suite,
21	"sta=s" => \$sta,
22	"output=s", \$output)
23	\|\| ! @ARGV) {
24	die "usage: $0 [--suite suite] [--sta sta-mirror] [--html] [--output=file] [--debug] list ...\n";
25	}
26
27	my $stasources=`tempfile`;
28	chomp $stasources;
29	system("wget -q -O $stasources $sta");
30
31	if (defined $output) {
32	open (OUT, ">$output.tmp.$$") \|\| die "output.tmp.$$: $!"; # Set the output to a file
33	}
34	else {
35	open (OUT, ">&STDOUT"); # Set the output to stdout
36	}
37
38	if ($html) { # It's HTML, so we need a header
39	print OUT "<html><title>$suite security issues</title>\n";
40	print OUT <<"EOF";
41	<p><b>Note:</b>The information in the <a href="http://idssi.enyo.de/tracker">Security
42	Bug Tracker</a> is more detailed and likely more accurate.
43	</p>
44	EOF
45
46
47	# This is being run against something it's not meant to be, so print a warning
48	if ($suite ne 'testing' && $suite ne 'unstable') {
49	print OUT <<"EOF";
50	<p>
51	<em>Warning:</em> This page is the result of running the testing security
52	check script against the $suite distribution. As data is only gathered for
53	the testing distribution, results may be innacurate if a package has
54	changed its name, if a vulnerability affects $suite and not testing, or if a
55	vulnerability has been fixed in $suite by the security team.
56	</p>
57	EOF
58	}
59	print OUT "<ul>\n";
60	}
61
62
63	my %data;
64	my %advlist;
65	my %needkernel=qw/2.4.27 0 2.6.11 0/;
66	my $list_unknown=1; #set to 1 to display kernel images with unknown source version
67	my $sources=$ENV{SOURCES_FILE};
68	my $need_rebuild=0;
69
70	# Set some colours for the urgency types
71	my @urgencies=("high", "medium", "low", "unimportant", "unknown", "fixed");
72	my %colormap=(
73	high => "#FF0000",
74	medium => "#FF9999",
75	low => "#FFFFFF",
76	unknown => "#FFFF00",
77	fixed => "#00FF00",
78	);
79
80	my $unprop = my $unprop_all = my $unfixed = my $todos = my $fixedsta = 0;
81
82	# Add an item into the data array.
83	sub record {
84	my ($package, $condition, $item, $urgency)=@_;
85
86	if (! defined $item) {
87	$item='';
88	}
89
90	if ($html) {
91	$condition=~s{bug #(\d+)}{<a href="http://bugs.debian.org/$1">bug #$1</a>}g;
92	$condition=~s{unfixed}{<b>unfixed</b>}g;
93	$item=~s#(CVE-\d+-\d+)#<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=$1">$1</a>#g;
94	$item=~s#(DTSA-\d+-\d+)#<a href="http://testing-security.debian.net/DTSA/$1.html">$1</a>#g;
95	}
96
97	push @{$data{$package}{$condition}}, {item => $item, urgency => $urgency};
98	}
99
100	foreach my $list (@ARGV) {
101	# Each of the @ARGVs we've got passed need parsing. So lets do that
102
103	# If it's a directory, set the file to list, cause we need that.
104	if (-d $list) {
105	$list="$list/list";
106	}
107
108	my $id;
109	open (IN, $list) \|\| die "open $list: $!";
110	while (<IN>) {
111	print STDERR "line: $_" if $debug;
112	chomp;
113	if (/\s+TODO/) { # It's a todo item. Add it to the count, and ignore it
114	$todos++;
115	}
116	elsif (/^\[/) { # Checking adv. number for a line starting with [ : Set $id to it
117	($id)=m/((?:DSA\|DTSA\|CVE)-[^\s]+) /;
118	}
119	elsif (/^((?:DSA\|DTSA\|CVE)-[^\s]+)/) { # Check for a line with an advisory at the start : Set $id to it
120	$id=$1;
121	}
122	elsif (/^\s+\[\w+\]\s+/) { # line tagged with a debian codename
123	next; # don't handle these for now
124	}
125	elsif (/^\s+(?:\[\w+\]\s+)?[!-]\s+(\S+)\s+(.?)\s$/) { # Deal with the rest of the lines
126	my $package=$1; # We know which package it is.
127	my $rest=$2;
128	my $version;
129	my $notes;
130	if ($rest=~/([^\(\s]+)\s+\((.*)\)/) {
131	$version=$1;
132	$notes=$2;
133	}
134	elsif ($rest=~/\((.*)\)/) {
135	$version="";
136	$notes=$1;
137	}
138	else {
139	$version=$rest;
140	$notes="";
141	}
142
143	# by now, we also have the version that's affected by the security problem.
144	# This is stored in $version
145	next if $version eq '<not-affected>' \|\| $version eq '<removed>' \|\| $version eq '<no-dsa>';
146
147	my @notes=split(/\s*;\s+/, $notes);
148
149	# Fetch the urgency, if we can.
150	my $urgency="unknown";
151	foreach my $u (@urgencies) {
152	if (grep { $_ eq $u } @notes) {
153	$urgency=$u;
154	@notes = grep { $_ ne $u } @notes;
155	last;
156	}
157	}
158	next if $urgency eq 'unimportant';
159
160	# It's a kernel. Add it to the list of kernels that need to be looked at.
161	if ($package=~/kernel-source-([0-9.]+)/ && $version ne '<unfixed>') {
162	my $kernversion=$1;
163	if (exists $needkernel{$kernversion} &&
164	length $version &&
165	system("dpkg --compare-versions $needkernel{$kernversion} lt $version") != 0) {
166	$needkernel{$kernversion}=$version;
167	}
168	}
169
170	# Fire up dak ls.
171	my @maddy;
172	for (1..5) {
173	@maddy=`dak ls -s '$suite' '$package'`;
174	if ($? & 127 \|\| ($? >> 8 != 0 && $? >> 8 != 1)) {
175	# good old unrelaible newraff,
176	# home of our archive..
177	next;
178	}
179	last;
180	}
181	if ($? & 127) {
182	record($package, "<em>[dak ls segfaulted 5 times in a row.. Medic!]</em>", $id);
183	}
184	elsif ($? >> 8 != 0 && $? >> 8 != 1) {
185	record($package, "<em>[dak ls exited with ".($? >> 8)."]</em>", $id);
186	}
187	if (! @maddy) {
188	next;
189	}
190
191	if ($version eq '<unfixed>' \|\| grep { $_ eq 'pending' } @notes) {
192	record($package, '('.join("; ", "unfixed", @notes).')', $id, $urgency);
193	$unfixed++;
194	# It's not been fixed!
195	}
196	else {
197	foreach my $maddy (@maddy) {
198	my @fields = split(/\s\\|\s/, $maddy);
199	my $havver=$fields[1]; # It's this version in the archive I'm checking.
200	my $arches=$fields[3];
201	$version=~s/\s+//; # strip whitespace
202	$arches=~s/\s+$//;
203	next if $arches eq 'hurd-i386';
204	# Is the version in the archive the same or newer than the fix?
205	my $cmp=system("dpkg --compare-versions '$havver' '>=' '$version'");
206	if ($cmp != 0){ # No, so the archive is vulnerable.
207	# Does the version exist in the secure-testing archive?
208	my $staversion = `zcat $stasources \|grep-dctrl -F Package -e ^$package\$ -s Version -`;
209	chomp $staversion;
210	$staversion=~s/Version: //;
211	$staversion=~s/\s+//;
212	if (length ($staversion)) {
213	# Yes, but what version is in s-t?
214	my $stacmp = system("dpkg --compare-versions '$staversion' '>=' '$version'");
215	if ($stacmp == 0){
216	# Well, the version in the s-t archive fixes the issue
217	# but it's still vulnerable in the main archive
218	$urgency='fixed';
219	$fixedsta++;
220	}
221	}
222
223	if ($html && $suite eq 'testing') {
224	$havver='<a href="http://release.debian.org/migration/testing.pl?package='.uri_escape($package).'">'.$havver.'</a>';
225	}
226	record($package, "$version needed, have $havver".(@maddy > 1 ? " [$arches]" : ""), $id, $urgency);
227	$unprop++;
228	$unprop_all++ unless @maddy > 1;
229	}
230	}
231	}
232	}
233	}
234	}
235
236
237	foreach my $package (sort keys %data) {
238	foreach my $condition (sort keys %{$data{$package}}) {
239	print OUT "<li>" if $html;
240	print OUT "$package $condition for ";
241	my $items=0;
242	foreach my $i (sort @{$data{$package}{$condition}}) {
243	print OUT ", " if $items > 0;
244
245	if ($html) {
246	my $color=$colormap{$i->{urgency}};
247	print OUT "<span style=\"background:$color\">";
248	}
249	print OUT $i->{item};
250	if ($html) {
251	print OUT "</span>";
252	}
253
254	$items++;
255	}
256	print OUT "\n";
257	}
258	}
259
260	my %needkern;
261
262	foreach my $version (sort keys %needkernel) {
263	my %images;
264
265	if (defined $needkern{$version} && $needkern{$version} eq "0") {
266	next;
267	}
268
269	my @dctrl;
270	if (defined $sources && length $sources) {
271	my $cat=($sources=~/\.gz/) ? "zcat" : "cat";
272	@dctrl=`$cat $sources \| grep-dctrl -F Binary kernel-image-$version -s Package,Build-Depends -`;
273	}
274
275	my $package="";
276	my $haveversion;
277
278	foreach my $line (@dctrl) {
279	chomp $line;
280	if ($line=~/Package:\s*(\S+)/) {
281	$package=$1;
282	$haveversion="0";
283	} elsif ($line=~/Build-Depends/) {
284	if ($line=~/kernel-tree-$version-([^,\s]+)/) {
285	$haveversion="$version-$1";
286	} elsif ($line=~/kernel-source-$version\s+\(>?=\s*([^\s\)]+)\)/) {
287	$haveversion="$1";
288	}
289	} else {
290	if ($package=~/linux-kernel-di/ \|\| $package eq "") {
291	next;
292	}
293	$images{$package}=$haveversion;
294	$package="";
295	}
296	}
297
298	foreach my $package (sort keys %images) {
299	if ($images{$package} eq "0") {
300	print OUT "<li>" if ($html && $list_unknown);
301	print OUT "$package built from kernel-source-$version $needkernel{$version} needed, current version unknown\n" if $list_unknown;
302	} elsif (!system("dpkg --compare-versions $needkernel{$version} gt $images{$package}")) {
303	print OUT "<li>" if $html;
304	print OUT "$package built from kernel-source-$version $needkernel{$version} needed, have $images{$package}\n";
305	$need_rebuild++;
306	}
307	}
308
309
310	}
311
312
313	if ($html) {
314	print OUT "</ul>\n";
315	print OUT "<hr>\n";
316	print OUT "Key: ";
317	foreach my $keyline (@urgencies) {
318	next if $keyline eq 'unimportant';
319	print OUT "<span style=\"border: 1px dashed; background:".$colormap{$keyline}."\"> $keyline </span> ";
320	}
321	print OUT "<br>";
322	print OUT "Total holes unfixed: $unfixed<br>\n";
323	print OUT "Total holes fixed in unstable (or experimental) but not $suite: $unprop_all ($fixedsta fixed in secure-testing archive)";
324	if ($unprop_all != $unprop) {
325	print OUT " (+".($unprop - $unprop_all)." on some arches)";
326	}
327	print OUT "<br>\n";
328	print OUT "Total number of kernel image packages not up to date: $need_rebuild<br>\n";
329	print OUT "Number of TODO lines in <a href=\"http://svn.debian.org/wsvn/secure-testing/data/?rev=0&sc=0\">records</a>: $todos<br>\n";
330	print OUT "Maintained by the <a href=\"http://testing-security.debian.net/\">testing security team</a><br>\n";
331	print OUT "Last update: ".`date`."<br>\n";
332	print OUT "</html>\n";
333	}
334
335	close OUT;
336	if (defined $output) {
337	rename("$output.tmp.$$", $output) \|\| die "rename: $!";
338	}
339	unlink $stasources;