| 1 |
#!/usr/bin/python
|
| 2 |
|
| 3 |
import sys, getopt, os, glob
|
| 4 |
|
| 5 |
# TODO:
|
| 6 |
# Add code for updating a DTSA
|
| 7 |
# Include SHA-1 checksums in advisories
|
| 8 |
|
| 9 |
# Note: This has to be run inside secure-testing/data/DTSA/
|
| 10 |
|
| 11 |
# Prerequisites:
|
| 12 |
# subdirectories advs/plain-text, advs/html and templates
|
| 13 |
# Templates must include header.html and footer.html, but can be blank
|
| 14 |
# mailx package installed
|
| 15 |
|
| 16 |
announce_mail_address = "secure-testing-announce@lists.alioth.debian.org"
|
| 17 |
|
| 18 |
def print_usage():
|
| 19 |
print "dtsa [-a | -u] dtsa-id major number"
|
| 20 |
print " -p Process a new DTSA from a template"
|
| 21 |
print " -u Update an existing DTSA from a template"
|
| 22 |
sys.exit(-1)
|
| 23 |
|
| 24 |
|
| 25 |
def process_dtsa(id, sid):
|
| 26 |
filename=glob.glob("advs/" + id + "-*.adv")
|
| 27 |
|
| 28 |
src = ""
|
| 29 |
date = ""
|
| 30 |
vuln_type = ""
|
| 31 |
cve = ""
|
| 32 |
testing_fix = ""
|
| 33 |
sid_fix = ""
|
| 34 |
vendor_advisory = ""
|
| 35 |
d = False
|
| 36 |
descr = []
|
| 37 |
author = ""
|
| 38 |
scope = ""
|
| 39 |
debian_specific = False
|
| 40 |
|
| 41 |
dtsa_id = "DTSA-" + id + "-" + str(sid)
|
| 42 |
|
| 43 |
t_f = open(filename[0], "r")
|
| 44 |
t_l = t_f.readlines()
|
| 45 |
|
| 46 |
for i in t_l:
|
| 47 |
if i.startswith("source:"):
|
| 48 |
src = i[7:].strip()
|
| 49 |
elif i.startswith("date:"):
|
| 50 |
date = i[5:].strip()
|
| 51 |
elif i.startswith("author:"):
|
| 52 |
author = i[7:].strip()
|
| 53 |
elif i.startswith("vendor-advisory:"):
|
| 54 |
vendor_advisory = i[16:].strip()
|
| 55 |
elif i.startswith("vuln-type:"):
|
| 56 |
vuln_type = i[10:].strip()
|
| 57 |
elif i.startswith("problem-scope:"):
|
| 58 |
scope = i[14:].strip()
|
| 59 |
elif i.startswith("debian-specific:"):
|
| 60 |
if i[16:].strip() == "yes":
|
| 61 |
debian_specific = True
|
| 62 |
elif i.startswith("cve:"):
|
| 63 |
cve = i[4:].strip().split(" ")
|
| 64 |
elif i.startswith("testing-fix:"):
|
| 65 |
testing_fix = i[12:].strip()
|
| 66 |
elif i.startswith("sid-fix:"):
|
| 67 |
sid_fix = i[8:].strip()
|
| 68 |
elif d:
|
| 69 |
descr.append(i.strip())
|
| 70 |
elif i == "\n" and d == False:
|
| 71 |
d = True
|
| 72 |
|
| 73 |
if len(cve) == 0:
|
| 74 |
print "No CVE assignments seem to have been made for this issue"
|
| 75 |
|
| 76 |
export_html(src, date, vuln_type, cve, testing_fix, sid_fix, descr, vendor_advisory, dtsa_id, 1, author, scope, debian_specific)
|
| 77 |
|
| 78 |
print "A html representation has been generated as",dtsa_id + ".html"
|
| 79 |
|
| 80 |
export_ascii(src, date, vuln_type, cve, testing_fix, sid_fix, descr, vendor_advisory, dtsa_id, 1, author, scope, debian_specific)
|
| 81 |
|
| 82 |
print "A textual representation has been generated as", dtsa_id
|
| 83 |
print "You can publish it with the sndadvisory script"
|
| 84 |
print
|
| 85 |
|
| 86 |
construct_dtsa_list(date, dtsa_id, cve, src, vuln_type, testing_fix)
|
| 87 |
|
| 88 |
print "Added new DTSA to the list of DTSAs"
|
| 89 |
print
|
| 90 |
|
| 91 |
# This adds a published DTSA to the list, so that it can be cross-referenced with DSAs and CVE IDs
|
| 92 |
def construct_dtsa_list(date, dtsa_id, cve, src, vuln_type, testing_fix):
|
| 93 |
l_f = open(os.getcwd() + "/list", "a")
|
| 94 |
# What do we need the date for?
|
| 95 |
l_f.write("[" + date + "] " + dtsa_id + " " + src + " - " + vuln_type + "\n")
|
| 96 |
cves = ""
|
| 97 |
if len(cve) > 0:
|
| 98 |
for i in cve:
|
| 99 |
cves += i
|
| 100 |
cves += " "
|
| 101 |
l_f.write("\t{" + cves + "}\n")
|
| 102 |
l_f.write("\t- " + src + " " + testing_fix + "\n")
|
| 103 |
l_f.write("\tTODO: unreleased\n")
|
| 104 |
l_f.close()
|
| 105 |
|
| 106 |
def export_html(src, date, vuln_type, cve, testing_fix, sid_fix, descr, vendor_advisory, id, rev, author, scope, debian_specific):
|
| 107 |
html = open(os.getcwd() + "/" + id + ".html", "w")
|
| 108 |
|
| 109 |
# Open, read, write and close the header
|
| 110 |
header = open(os.getcwd() + "/templates/header.html","r")
|
| 111 |
for line in header.readlines():
|
| 112 |
html.write(line);
|
| 113 |
header.close
|
| 114 |
|
| 115 |
# Write the actual html
|
| 116 |
|
| 117 |
html.write("<h2>"+ id + "</h2>\n")
|
| 118 |
html.write("<dl>\n")
|
| 119 |
html.write("<dt>Date Reported:</dt>\n<dd>" + date + "</dd>\n")
|
| 120 |
html.write("<dt>Affected Package:</dt>\n<dd><a href='http://packages.debian.org/src:" + src + "'>" + src + "</a></dd>\n")
|
| 121 |
html.write("<dt>Vulnerability:</dt>\n<dd>" + vuln_type + "</dd>\n")
|
| 122 |
html.write("<dt>Problem-Scope:</dt>\n<dd>" + scope + "</dd>\n")
|
| 123 |
html.write("<dt>Debian-specific:</dt>\n<dd>" + yn(debian_specific) + "<br></dd>\n")
|
| 124 |
|
| 125 |
# if len(vendor_advisory) > 0:
|
| 126 |
# html.write("Vendor advisory: " + vendor_advisory + "\n")
|
| 127 |
# else:
|
| 128 |
# html.write("Vendor advisory: Not available\n")
|
| 129 |
cves = "<dt>CVE:</dt>\n<dd>\n"
|
| 130 |
if len(cve) > 0:
|
| 131 |
for i in cve:
|
| 132 |
cves += "<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=" + i +"'>"
|
| 133 |
cves += i
|
| 134 |
cves += "</a> \n"
|
| 135 |
else:
|
| 136 |
cves += "None so far\n"
|
| 137 |
html.write(cves + "<br></dd>\n")
|
| 138 |
|
| 139 |
html.write("<br>")
|
| 140 |
html.write("<dt>More information:</dt>\n")
|
| 141 |
html.write("<dd>");
|
| 142 |
for i in descr:
|
| 143 |
html.write(i + " <br>\n")
|
| 144 |
html.write("</dd>\n")
|
| 145 |
|
| 146 |
html.write("<br>")
|
| 147 |
html.write("<dt>For the testing distribution (etch) this is fixed in version " + testing_fix + "</dt>\n")
|
| 148 |
|
| 149 |
if len(sid_fix) > 0:
|
| 150 |
html.write("<dt>For the unstable distribution (sid) this is fixed in version " + sid_fix + "</dt>\n")
|
| 151 |
else:
|
| 152 |
html.write("<dt>For the unstable distribution this problem will be fixed soon</dt>\n")
|
| 153 |
|
| 154 |
html.write("<br>")
|
| 155 |
html.write("<dt>This upgrade is recommended if you use " + src + ".<dt>\n")
|
| 156 |
html.write("<br>")
|
| 157 |
|
| 158 |
html.write("<dt>If you have the secure testing lines in your sources.list, you can update by running this command as root:</dt>\n")
|
| 159 |
html.write("\n")
|
| 160 |
|
| 161 |
html.write("<dd>apt-get update && apt-get install "+ src + " FIXME, I'm broken </dd>\n")
|
| 162 |
html.write("<br>\n")
|
| 163 |
html.write("\n")
|
| 164 |
# FIXME, use python-crypto for inclusion of SHA-1 checksums
|
| 165 |
|
| 166 |
print "HTML representation has been exported"
|
| 167 |
# Open, read, write and close the footer
|
| 168 |
footer = open(os.getcwd() + "/templates/footer.html","r")
|
| 169 |
for line in footer.readlines():
|
| 170 |
html.write(line);
|
| 171 |
footer.close
|
| 172 |
|
| 173 |
# Be nice and close the html file
|
| 174 |
html.close;
|
| 175 |
pass
|
| 176 |
|
| 177 |
|
| 178 |
def export_ascii(src, date, vuln_type, cve, testing_fix, sid_fix, descr, vendor_advisory, id, rev, author, scope, debian_specific):
|
| 179 |
ascii = open(os.getcwd() + "/" + id, "w")
|
| 180 |
|
| 181 |
# FIXME: use a nice external template with alignment specifiers
|
| 182 |
# like it used it.
|
| 183 |
ascii.write("------------------------------------------------------------------------------\n")
|
| 184 |
ascii.write("Debian Testing Security Advisory "+ id + ((45-len(id)-len(date))*" ") + date + "\n")
|
| 185 |
ascii.write("secure-testing-team@lists.alioth.debian.org " + ((34-len(author))*" ") + author + "\n")
|
| 186 |
ascii.write("http://secure-testing-master.debian.net/\n")
|
| 187 |
ascii.write("------------------------------------------------------------------------------\n")
|
| 188 |
ascii.write("\n")
|
| 189 |
ascii.write("Package : " + src + "\n")
|
| 190 |
ascii.write("Vulnerability : " + vuln_type + "\n")
|
| 191 |
ascii.write("Problem-Scope : " + scope + "\n")
|
| 192 |
ascii.write("Debian-specific: " + yn(debian_specific) + "\n")
|
| 193 |
# if len(vendor_advisory) > 0:
|
| 194 |
# ascii.write("Vendor advisory: " + vendor_advisory + "\n")
|
| 195 |
# else:
|
| 196 |
# ascii.write("Vendor advisory: Not available\n")
|
| 197 |
cves = "CVE ID : "
|
| 198 |
if len(cve) > 0:
|
| 199 |
for i in cve:
|
| 200 |
cves += i
|
| 201 |
cves += " "
|
| 202 |
ascii.write(cves + "\n")
|
| 203 |
else:
|
| 204 |
ascii.write(cves + "None so far\n")
|
| 205 |
ascii.write("\n")
|
| 206 |
for i in descr:
|
| 207 |
ascii.write(i + "\n")
|
| 208 |
ascii.write("\n")
|
| 209 |
|
| 210 |
ascii.write("For the testing distribution (etch) this is fixed in version\n")
|
| 211 |
ascii.write(testing_fix + "\n")
|
| 212 |
ascii.write("\n")
|
| 213 |
|
| 214 |
if len(sid_fix) > 0:
|
| 215 |
ascii.write("For the unstable distribution (sid) this is fixed in version\n")
|
| 216 |
ascii.write(sid_fix + "\n")
|
| 217 |
else:
|
| 218 |
ascii.write("For the unstable distribution this problem will be fixed soon\n")
|
| 219 |
ascii.write("\n")
|
| 220 |
|
| 221 |
ascii.write("This upgrade is recommended if you use " + src + ".\n")
|
| 222 |
ascii.write("\n")
|
| 223 |
|
| 224 |
ascii.write("The Debian testing security team does not track security issues for then\n")
|
| 225 |
ascii.write("stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,\n")
|
| 226 |
ascii.write("the Debian security team will make an announcement once a fix is ready.\n")
|
| 227 |
ascii.write("\n")
|
| 228 |
|
| 229 |
ascii.write("Upgrade Instructions\n")
|
| 230 |
ascii.write("--------------------\n")
|
| 231 |
ascii.write("\n")
|
| 232 |
|
| 233 |
ascii.write("To use the Debian testing security archive, add the following lines to\n")
|
| 234 |
ascii.write("your /etc/apt/sources.list:\n")
|
| 235 |
ascii.write("\n")
|
| 236 |
ascii.write("deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free\n")
|
| 237 |
ascii.write("deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free\n")
|
| 238 |
ascii.write("\n")
|
| 239 |
ascii.write("The archive signing key can be downloaded from\n")
|
| 240 |
ascii.write("http://secure-testing.debian.net/ziyi-2005-7.asc\n")
|
| 241 |
ascii.write("\n")
|
| 242 |
|
| 243 |
ascii.write("To install the update, run this command as root:\n")
|
| 244 |
ascii.write("\n")
|
| 245 |
|
| 246 |
ascii.write("apt-get update && apt-get install "+ src + "FIXME, I'm broken \n")
|
| 247 |
ascii.write("\n")
|
| 248 |
|
| 249 |
ascii.write("For further information about the Debian testing security team, please refer\n")
|
| 250 |
ascii.write("to http://secure-testing.debian.net/\n")
|
| 251 |
|
| 252 |
# FIXME, use python-crypto for inclusion of SHA-1 checksums
|
| 253 |
|
| 254 |
print "ASCII representation has been exported"
|
| 255 |
|
| 256 |
def yn(v):
|
| 257 |
if v:
|
| 258 |
return "Yes"
|
| 259 |
else:
|
| 260 |
return "No"
|
| 261 |
|
| 262 |
|
| 263 |
def update_dtsa(id):
|
| 264 |
filename=glob.glob("DTSA-" + id + "*")
|
| 265 |
for i in filename: # prune HTML reports
|
| 266 |
if i.endswith(".html"):
|
| 267 |
filename.remove(i)
|
| 268 |
sub_id = int(filename[-1].split("-")[-1])
|
| 269 |
sub_id += 1
|
| 270 |
process_dtsa(id, sub_id)
|
| 271 |
|
| 272 |
opts, pargs = getopt.getopt(sys.argv[1:], "up")
|
| 273 |
|
| 274 |
# FIXME, better cmdline error handling
|
| 275 |
|
| 276 |
if len(opts) < 1:
|
| 277 |
print_usage()
|
| 278 |
|
| 279 |
if len(opts) != 1:
|
| 280 |
print_usage()
|
| 281 |
|
| 282 |
if opts[0][0] == "-u":
|
| 283 |
update_dtsa(pargs[0].strip())
|
| 284 |
|
| 285 |
if opts[0][0] == "-p":
|
| 286 |
process_dtsa(pargs[0].strip(), 1)
|
| 287 |
|
Parent Directory
| 
Revision Log