Revision 1659 - (show annotations) (download)
Fri Aug 26 18:51:21 2005 UTC (7 years, 8 months ago) by joeyh
File size: 7080 byte(s)
moving the website to a shorter url
1 #!/usr/bin/perl
2 # Must run on a machine with madison.
3 #
4 # To check for un-updated binary kernel packages, also needs grep-dctrl
5 # and a Sources file for the distribution. Set the location of the Sources
6 # file in SOURCES_FILE in the environment.
7 use URI::Escape;
8 use Getopt::Long;
9
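# Command-line options.  --output writes to a temp file that is renamed over
# the target at the very end of the run, so readers never see a half-written
# page.
my $html=0;
my $debug=0;
my $suite="testing";
my $output;
if (! GetOptions(
	"html" => \$html,
	"debug" => \$debug,
	"suite=s" => \$suite,
	"output=s" => \$output)
    || ! @ARGV) {
	die "usage: $0 [--suite suite] [--html] [--output=file] [--debug] list ...\n";
}

# Three-argument open: the --output value is taken purely as a path and is
# never parsed for a mode, so a name starting with '>' or '|' cannot change
# what gets opened or spawn a command.  The STDOUT dup is checked too.
if (defined $output) {
	open (OUT, '>', "$output.tmp.$$") || die "$output.tmp.$$: $!";
}
else {
	open (OUT, '>&', \*STDOUT) || die "dup STDOUT: $!";
}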
29
# Page header for --html.  Suites other than testing and unstable get a
# caveat, because the issue data is only gathered for testing.
if ($html) {
	print OUT "<html><title>$suite security issues</title>\n";
	my $is_tracked_suite = ($suite eq 'testing' || $suite eq 'unstable');
	unless ($is_tracked_suite) {
		print OUT <<"EOF";
<p>
<em>Warning:</em> This page is the result of running the testing security
check script against the $suite distribution. As data is only gathered for
the testing distribution, results may be innacurate if a package has
changed its name, if a vulnerability affects $suite and not testing, or if a
vulnerability has been fixed in $suite by the $suite security team.
</p>
EOF
	}
	print OUT "<ul>\n";
}
45
46
# Shared state for the whole run.
my %data;	# package -> condition text -> [ { item => id, urgency => u }, ... ]

# Tracked kernel-source series -> newest fixed version seen in the lists.
# "0" means no fixed version has been recorded for that series (yet).
my %needkernel = map { $_ => '0' } qw(2.4.27 2.6.11);
my $list_unknown=1;	# set to 1 to display kernel images with unknown source version
my $sources=$ENV{SOURCES_FILE};	# Sources file used for the kernel-image check
my $need_rebuild=0;

# Urgency keywords, most to least severe; the first one found in a note wins.
my @urgencies=qw(high medium low unknown);
my %colormap;
@colormap{@urgencies} = ("#FF0000", "#FF9999", "#FFFFFF", "#FFFF00");

# Report counters: fixed-but-not-propagated (all arches / any arch), unfixed,
# and TODO lines seen while parsing.
my ($unprop, $unprop_all, $unfixed, $todos) = (0) x 4;
62
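# Queue one finding for the report.  Findings are grouped by package and
# then by $condition (the human-readable reason), and the output loop prints
# them as "$package $condition for ID, ID, ...".
#
# $urgency is optional: the madison-failure callers pass none, which used to
# leave an undef key for the colour lookup; default it to "unknown" instead.
sub record {
	my ($package, $condition, $item, $urgency)=@_;
	$urgency = "unknown" unless defined $urgency;

	if ($html) {
		# Link bug numbers and CAN/CVE ids; highlight "unfixed".
		$condition=~s{bug #(\d+)}{<a href="http://bugs.debian.org/$1">bug #$1</a>}g;
		$condition=~s{unfixed}{<b>unfixed</b>}g;
		$item=~s#((?:CAN|CVE)-\d+-\d+)#<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=$1">$1</a>#g;
	}

	push @{$data{$package}{$condition}}, {item => $item, urgency => $urgency};
}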
74
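# Parse each issue list, look up what $suite ships (via madison) and queue a
# finding for every package whose shipped version is older than the fix.
#
# List format handled by the elsif chain below: a line starting with "[" or
# with an id (DSA/CAN/CVE) introduces an issue; indented "-"/"!" lines name a
# package, a fixed version and parenthesised, ";"-separated notes.
my $id;	# id of the issue whose package lines are currently being read

foreach my $list (@ARGV) {
	if (-d $list) {
		$list="$list/list";
	}

	# Three-argument open so a list path is taken as a path, never as a
	# mode or a command to pipe from.
	open (IN, '<', $list) || die "open $list: $!";
	while (<IN>) {
		print STDERR "line: $_" if $debug;
		chomp;
		if (/^\[/) {
			($id)=m/((?:DSA|CAN|CVE)-[^\s]+) /;
		}
		elsif (/^((?:DSA|CAN|CVE)-[^\s]+)/) {
			$id=$1;
		}
		elsif (/^\s+[!-]\s+(\S+)\s+(.*?)\s*$/) {
			my $package=$1;
			my $rest=$2;
			my ($version, $notes) = _split_version_notes($rest);
			my @notes=split(/\s*;\s+/, $notes);

			# The first (most severe) urgency keyword present wins and is
			# removed so it is not echoed as an ordinary note.
			my $urgency="unknown";
			foreach my $u (@urgencies) {
				if (grep { $_ eq $u } @notes) {
					$urgency=$u;
					@notes = grep { $_ ne $u } @notes;
					last;
				}
			}

			# Remember the newest fixed kernel-source version per tracked
			# series; the kernel-image check later compares against it.
			# List-form system(): the version string from the list file is
			# passed as an argv word, not through a shell.
			if ($package=~/kernel-source-([0-9.]+)/) {
				my $kernversion=$1;
				if (exists $needkernel{$kernversion} &&
				    length $version &&
				    system('dpkg', '--compare-versions', $needkernel{$kernversion}, 'lt', $version) != 0) {
					$needkernel{$kernversion}=$version;
				}
			}

			my @maddy = _madison($suite, $package);
			if ($? & 127) {
				record($package, "<em>[madison segfaulted 5 times in a row.. Medic!]</em>", $id);
			}
			elsif ($? >> 8 != 0 && $? >> 8 != 1) {
				record($package, "<em>[madison exited with ".($? >> 8)."]</em>", $id);
			}
			if (! @maddy) {
				next;
			}

			if (grep { $_ eq 'unfixed' || $_ eq 'pending' } @notes) {
				record($package, '('.join("; ", @notes).')', $id, $urgency);
				$unfixed++;
			}
			else {
				$version=~s/\s+//; # strip whitespace (once, not per madison line)
				foreach my $maddy (@maddy) {
					my @fields = split(/\s*\|\s*/, $maddy);
					my $havver=$fields[1];
					my $arches=$fields[3];
					$arches=~s/\s+$//;
					# Both versions (one from the list, one from madison
					# output) go to dpkg as argv words, never via a shell.
					my $cmp=system('dpkg', '--compare-versions', $havver, '>=', $version);
					if ($cmp != 0) {
						if ($html && $suite eq 'testing') {
							$havver='<a href="http://bjorn.haxx.se/debian/testing.pl?package='.uri_escape($package).'">'.$havver.'</a>';
						}
						record($package, "$version needed, have $havver".(@maddy > 1 ? " [$arches]" : ""), $id, $urgency);
						$unprop++;
						$unprop_all++ unless @maddy > 1;
					}
				}
			}
		}
		elsif (/\s+TODO/) {
			$todos++;
		}
	}
	close IN;
}

# Split the text following the package name into (version, notes).  Accepts
# "1.2-3 (note; note)", "(note; note)" with no version, or a bare version.
sub _split_version_notes {
	my ($rest) = @_;
	if ($rest=~/([^\(\s]+)\s+\((.*)\)/) {
		return ($1, $2);
	}
	if ($rest=~/\((.*)\)/) {
		return ("", $1);
	}
	return ($rest, "");
}

# Run madison for one package, retrying up to five times because the archive
# host has been known to kill it.  Returns madison's output lines and leaves
# $? holding the status of the last attempt, as the backtick version did.
# List-form pipe open: $suite and $package are argv words, so a quote in a
# package name cannot break out of the command.
sub _madison {
	my ($suite, $package) = @_;
	my @lines;
	for my $try (1..5) {
		my $fh;
		if (! open($fh, '-|', 'madison', '-s', $suite, $package)) {
			$? = -1;	# "could not be run", as system() reports it
			next;
		}
		@lines = <$fh>;
		close $fh;	# sets $? from the child's exit status
		if ($? & 127 || ($? >> 8 != 0 && $? >> 8 != 1)) {
			# good old unreliable newraff, home of our archive..
			next;
		}
		last;
	}
	return @lines;
}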
175
176
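# Print the queued findings, grouped by package and condition.  Items are
# sorted by their id: a plain `sort` on the hashrefs would only order them by
# memory address, which differs from run to run.
foreach my $package (sort keys %data) {
	foreach my $condition (sort keys %{$data{$package}}) {
		print OUT "<li>" if $html;
		print OUT "$package $condition for ";
		my $items=0;
		foreach my $i (sort { $a->{item} cmp $b->{item} } @{$data{$package}{$condition}}) {
			print OUT ", " if $items > 0;

			if ($html) {
				# Entries recorded without an urgency (madison failures)
				# fall back to the "unknown" colour instead of an empty one.
				my $urgency = (defined $i->{urgency} && exists $colormap{$i->{urgency}})
					? $i->{urgency} : 'unknown';
				my $color=$colormap{$urgency};
				print OUT "<span style=\"background:$color\">";
			}
			print OUT $i->{item};
			if ($html) {
				print OUT "</span>";
			}

			$items++;
		}
		print OUT "\n";
	}
}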
199
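# For each tracked kernel-source series with a required version, find the
# kernel-image packages built from it (grep-dctrl over $sources) and report
# those built against an older kernel-source/kernel-tree.
foreach my $version (sort keys %needkernel) {
	my %images;

	# "0" means the lists recorded no fixed version for this series, so
	# there is nothing to compare against.  (This used to read the never
	# declared %needkern, so the skip never happened.)
	if ($needkernel{$version} eq "0") {
		next;
	}

	my @dctrl;
	if (defined $sources && length $sources) {
		my $cat=($sources=~/\.gz/) ? "zcat" : "cat";
		# $sources comes from the environment and is interpolated into a
		# shell pipeline; quotemeta stops metacharacters in the path from
		# being interpreted.  $version is one of our own hash keys.
		my $safe_sources = quotemeta($sources);
		@dctrl=`$cat $safe_sources | grep-dctrl -F Binary kernel-image-$version -s Package,Build-Depends -`;
	}

	my $package="";
	my $haveversion;

	foreach my $line (@dctrl) {
		chomp $line;	# a bare chomp would act on $_, not $line
		if ($line=~/Package:\s*(\S+)/) {
			$package=$1;
			$haveversion="0";
		} elsif ($line=~/Build-Depends/) {
			# \Q..\E: the dots in a series like 2.4.27 are literal.
			if ($line=~/kernel-tree-\Q$version\E-([^,\s]+)/) {
				$haveversion="$version-$1";
			} elsif ($line=~/kernel-source-\Q$version\E\s+\(>?=\s*([^\s\)]+)\)/) {
				$haveversion="$1";
			}
		} else {
			# Any other line ends the stanza; installer kernels are skipped.
			if ($package=~/linux-kernel-di/ || $package eq "") {
				next;
			}
			$images{$package}=$haveversion;
			$package="";
		}
	}

	foreach my $image (sort keys %images) {
		if ($images{$image} eq "0") {
			print OUT "<li>" if ($html && $list_unknown);
			print OUT "$image built from kernel-source-$version $needkernel{$version} needed, current version unknown\n" if $list_unknown;
		} elsif (!system('dpkg', '--compare-versions', $needkernel{$version}, 'gt', $images{$image})) {
			# List-form system(): the version parsed from Sources is an
			# argv word, not shell text.
			print OUT "<li>" if $html;
			print OUT "$image built from kernel-source-$version $needkernel{$version} needed, have $images{$image}\n";
			$need_rebuild++;
		}
	}
}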
249
250
# Summary footer for the HTML report: the counters gathered above plus a
# timestamp from date(1).
if ($html) {
	my $arch_note = ($unprop_all != $unprop)
		? " (+".($unprop - $unprop_all)." on some arches)"
		: "";
	my $now = `date`;	# keeps its trailing newline, as before
	print OUT "</ul>\n",
	          "<hr>\n",
	          "Total holes unfixed: $unfixed<br>\n",
	          "Total holes fixed in unstable but not $suite: $unprop_all$arch_note<br>\n",
	          "Total number of kernel image packages not up to date: $need_rebuild<br>\n",
	          "Number of TODO lines in <a href=\"http://svn.debian.org/wsvn/secure-testing/data/?rev=0&sc=0\">records</a>: $todos<br>\n",
	          "Maintained by the <a href=\"http://secure-testing.debian.net/\">testing security team</a><br>\n",
	          "Last update: $now<br>\n",
	          "</html>\n";
}
266
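# Flush and publish.  Buffered write errors (e.g. a full disk) only surface
# at close, so check it before the temp file replaces the real output.
close OUT or die "close output: $!";
if (defined $output) {
	rename("$output.tmp.$$", $output) || die "rename: $!";
}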
