bin/check-syntax

@@ -65,13 +65,10 @@ def parse_DSA(name):
 def parse_DTSA(name):
     do_parse(construct(bugs.DTSAFile, name))
 
-def parse_DLA(name):
-    do_parse(construct(bugs.DLAFile, name))
-
 file_types = {'CVE' : parse_CVE,
               'DSA' : parse_DSA,
               'DTSA' : parse_DTSA,
-              'DLA' : parse_DLA}
+              'DLA' : parse_DSA}
 
 if len(sys.argv) <> 3 or not file_types.has_key(sys.argv[1]):
     l = file_types.keys()

bin/gen-DSA

@@ -22,7 +22,7 @@ set -e
 
 IDMODE=DSA
 case "$(basename "$0")" in
-    *gen-D[LS]A)
+    *gen-*)
 	IDMODE=${0#*gen-}
     ;;
 esac
@@ -333,11 +333,7 @@ setvar DEBFULLNAME
 setvar SPACEDDEBFULLNAME
 setvar PACKAGE
 setvar CVE "$CVE_LIST"
-if [ "$IDMODE" = DSA ]; then
-    setvar DSAID "$DAID"
-else
-    setvar DLAID "$DAID"
-fi
+setvar ${IDMODE}ID "$DAID"
 setvar BUGNUM
 setvar OLDOLDSTABLE
 setvar OLDSTABLE

data/config.json

 {
   "repositories": {
     "etch": "http://mirror.1und1.de/debian/dists/etch",
-    "etch-security" :
-      "http://security.debian.org/debian-security/dists/etch/updates",
-    "etch-proposed-updates" :
-      "http://mirror.1und1.de/debian/dists/etch-proposed-updates",
-
+    "etch-security": "http://security.debian.org/debian-security/dists/etch/updates",
+    "etch-proposed-updates": "http://mirror.1und1.de/debian/dists/etch-proposed-updates",
     "lenny": "http://mirror.1und1.de/debian/dists/lenny",
-    "lenny-security" :
-      "http://security.debian.org/debian-security/dists/lenny/updates",
-    "lenny-proposed-updates" :
-      "http://mirror.1und1.de/debian/dists/lenny-proposed-updates",
-
+    "lenny-security": "http://security.debian.org/debian-security/dists/lenny/updates",
+    "lenny-proposed-updates": "http://mirror.1und1.de/debian/dists/lenny-proposed-updates",
     "squeeze": "http://mirror.1und1.de/debian/dists/squeeze",
-    "squeeze-security" :
-      "http://security.debian.org/debian-security/dists/squeeze/updates",
-    "squeeze-proposed-updates" :
-      "http://mirror.1und1.de/debian/dists/squeeze-proposed-updates",
-
+    "squeeze-security": "http://security.debian.org/debian-security/dists/squeeze/updates",
+    "squeeze-proposed-updates": "http://mirror.1und1.de/debian/dists/squeeze-proposed-updates",
     "sid": "http://mirror.1und1.de/debian/dists/sid"
   },
-
   "distributions": {
     "potato": {},
     "woody": {},
@@ -28,42 +18,75 @@
     "etch": {},
     "lenny": {
       "members": {
-	"supported" : ["lenny", "lenny-security"],
-	"optional" : ["lenny-proposed-updates"]
-      },
+        "supported": [
+          "lenny",
+          "lenny-security"
+        ],
+        "optional": [
+          "lenny-proposed-updates"
+        ]
+      }
     },
     "squeeze": {
       "members": {
-	"supported" : ["squeeze", "squeeze-security"],
-	"optional" : ["squeeze-proposed-updates"]
-      },
+        "supported": [
+          "squeeze",
+          "squeeze-security"
+        ],
+        "optional": [
+          "squeeze-proposed-updates"
+        ]
+      }
     },
     "wheezy": {
       "members": {
-	"supported" : ["wheezy", "wheezy-security"],
-	"optional" : ["wheezy-proposed-updates"]
+        "supported": [
+          "wheezy",
+          "wheezy-security"
+        ],
+        "optional": [
+          "wheezy-proposed-updates"
+        ]
       },
       "release": "oldstable"
     },
     "jessie": {
       "members": {
-	"supported" : ["jessie", "jessie-security"],
-	"optional" : ["jessie-proposed-updates"]
+        "supported": [
+          "jessie",
+          "jessie-security"
+        ],
+        "optional": [
+          "jessie-proposed-updates"
+        ]
       },
       "release": "stable"
     },
     "stretch": {
       "members": {
-	"supported" : ["stretch", "stretch-security"],
-	"optional" : ["stretch-proposed-updates"]
+        "supported": [
+          "stretch",
+          "stretch-security"
+        ],
+        "optional": [
+          "stretch-proposed-updates"
+        ]
       },
       "release": "testing"
     },
     "sid": {
       "members": {
-	"supported" : ["sid"]
+        "supported": [
+          "sid"
+        ]
       },
       "release": "unstable"
     }
+  },
+  "sources": {
+    "/CVE/list": "CVEFile",
+    "/DSA/list": "DSAFile",
+    "/DTSA/list": "DTSAFile",
+    "/DLA/list": "DSAFile"
   }
 }

doc/security-team.d.o/security_tracker

@@ -612,3 +612,23 @@ The following commands build the databases for stable and run a python local ser
     make serve
 
 The website is now available as `http://127.0.0.1:10605/tracker/`.
+
+Setting up an extended instance
+-------------------------------
+
+The security tracker supports extra sources of data, which can be used
+to override or extend the information in CVE/list, and to support your
+own announce lists. To do that, add a CVEExtendFile source to
+`data/config.json`. Entries in that file can add information to an
+existing CVE, e.g. to mark it as fixed or ignored, or to mark it as
+affecting additional source packages. For example:
+
+CVE-2018-11646
+	- webkitgtk <unfixed>
+CVE-2016-1000340
+	[wheezy] - bouncycastle <not-affected> (Vulnerable code introduced later)
+
+You can also add an announce list of type DSAFile to `data/config.json`,
+and then symlink `bin/gen-DSA` to e.g. `bin/gen-MYSA` and use that to
+create new advisories under your namespace. For that you will need to
+add a `data/mysa-needed.txt` file and `doc/MYSA.template`.

lib/python/bugs.py

@@ -16,6 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
 import debian_support
+import os
 import re
 import types
 import hashlib
@@ -200,6 +201,7 @@ class BugBase:
         self.notes = []
         self.xref = []
         self.not_for_us = False
+        self.is_extend = False
 
     def isFromCVE(self):
         """Returns True if the name has been officially assigned.
@@ -225,6 +227,8 @@ class BugBase:
             not_for_us = 0
 
         import apsw
+
+        if not self.is_extend:
             try:
                 cursor.execute("""INSERT INTO bugs
                 (name, cve_status, not_for_us, description, release_date,
@@ -257,7 +261,7 @@ class Bug(BugBase):
     """Class for bugs for which we have some data."""
 
     def __init__(self, fname, lineno, date, name, description, comments, notes,
-                 xref, not_for_us=False):
+                 xref, not_for_us=False, is_extend=False):
         for n in notes:
             assert isinstance(n, PackageNote) \
                    or isinstance(n, PackageNoteNoDSA)
@@ -268,6 +272,7 @@ class Bug(BugBase):
         self.notes = notes
         self.xref = xref
         self.not_for_us = not_for_us
+        self.is_extend = is_extend
 
     def mergeNotes(self):
         """Merge notes so that there is only one note for each
@@ -435,6 +440,7 @@ class FileBase(debian_support.PackageFile):
     re_rejected = re.compile(r'^(?:NOTE:\s+rejected|REJECTED)\s*$')
     re_note = re.compile(r'^NOTE:\s+(.*)$')
     re_todo = re.compile(r'^TODO:\s+(.*)$')
+    is_extend = False
 
     def __init__(self, name, fileObj=None):
         debian_support.PackageFile.__init__(self, name, fileObj)
@@ -730,7 +736,8 @@ class FileBase(debian_support.PackageFile):
                     record_name = temp_bug_name(first_bug, description)
                 yield self.finishBug(Bug(self.file.name, first_lineno, date,
                                          record_name, description,
-                                         comments, notes=pkg_notes, xref=xref))
+                                         comments, notes=pkg_notes, xref=xref,
+                                         is_extend=self.is_extend))
 
     def finishBug(self, bug):
         """Applies a transformation to the bug after it has been
@@ -773,6 +780,15 @@ class CVEFile(FileBase):
         bug.mergeNotes()
         return bug
 
+class CVEExtendFile(CVEFile):
+    # This is an extend file. The main CVEFile can have a 'CVE-2018-XXXX' (sic)
+    # identifier, which will get converted to TEMP-* automatically. However to
+    # refer to that one from here, we need to use the TEMP-* identifier, so we
+    # allow those in the regex
+    re_cve = re.compile(r'^(CVE-\d{4}-(?:\d{4,}|XXXX)|TEMP-\d+-\S+)\s+(.*?)\s*$')
+
+    is_extend = True
+
 class DSAFile(FileBase):
     """A DSA file.
 
@@ -780,49 +796,12 @@ class DSAFile(FileBase):
     reference point, and release dates.
     """
 
-    re_dsa = re.compile(r'^\[(\d\d) ([A-Z][a-z][a-z]) (\d{4})\] '
-                        + r'(DSA-\d+(?:-\d+)?)\s+'
-                        + r'(.*?)\s*$')
-
-    month_names = {'Jan': 1,
-                   'Feb': 2,
-                   'Mar': 3,
-                   'Apr': 4,
-                   'May': 5,
-                   'Jun': 6,
-                   'Jul': 7,
-                   'Aug': 8,
-                   'Sep': 9,
-                   'Oct': 10,
-                   'Nov': 11,
-                   'Dec': 12}
-
-    def matchHeader(self, line):
-        match = self.re_dsa.match(line)
-        if not match:
-            self.raiseSyntaxError("expected DSA record, got: %s" % `line`)
-            (record_name, description) = match.groups()
-        (day, month, year, name, desc) = match.groups()
-        try:
-            month = self.month_names[month]
-        except KeyError:
-            self.raiseSyntaxError("invalid month name %s" % `month`)
-        return ("%s-%02d-%s" % (year, month, day), name, desc)
-
-    def finishBug(self, bug):
-        # Merge identical package notes, for historical reasons.
-        bug.mergeNotes()
-        return bug
-
-class DLAFile(FileBase):
-    """A DLA file.
-
-    Similar to a CVE file, only that it contains DLAs as its main
-    reference point, and release dates.
-    """
+    def __init__(self, name, fileObj=None):
+        FileBase.__init__(self, name, fileObj)
 
-    re_dsa = re.compile(r'^\[(\d\d) ([A-Z][a-z][a-z]) (\d{4})\] '
-                        + r'(DLA-\d+(?:-\d+)?)\s+'
+        self.base = os.path.basename(os.path.dirname(self.name))
+        self.re_dsa = re.compile(r'^\[(\d\d) ([A-Z][a-z][a-z]) (\d{4})\] '
+                                + r'(' + self.base + '-\d+(?:-\d+)?)\s+'
                                 + r'(.*?)\s*$')
 
     month_names = {'Jan': 1,
@@ -841,7 +820,7 @@ class DLAFile(FileBase):
     def matchHeader(self, line):
         match = self.re_dsa.match(line)
         if not match:
-            self.raiseSyntaxError("expected DLA record, got: %s" % `line`)
+            self.raiseSyntaxError("expected %s record, got: %s" % (self.base, `line`))
             (record_name, description) = match.groups()
         (day, month, year, name, desc) = match.groups()
         try:
@@ -855,6 +834,7 @@ class DLAFile(FileBase):
         bug.mergeNotes()
         return bug
 
+
 class DTSAFile(FileBase):
     """A DTSA file.
 

lib/python/security_db.py

@@ -856,6 +856,28 @@ class DB:
             VALUES (?, ?, ?, ?, ?, ?, ?, ?)""",
             gen())
 
+    def getSources(self):
+        config = debian_support.getconfig()
+        sources = config["sources"]
+
+        return sources
+
+    def genDBAdvisoryString(self, field, dtsa=False):
+        sources = self.getSources()
+        advs = []
+
+        for path, cls in sources.iteritems():
+            name = path.split('/')[1]
+
+            if cls == 'DSAFile':
+                advs.append(name)
+
+            if cls == 'DTSAFile' and dtsa:
+                advs.append(name)
+
+        advs = ["{} LIKE '{}-%'".format(field, adv) for adv in advs]
+        return " OR ".join(advs)
+
     def readBugs(self, cursor, path):
         if self.verbose:
             print "readBugs:"
@@ -913,15 +935,11 @@ class DB:
             return True
 
         source_removed_packages = '/packages/removed-packages'
-        sources = ((bugs.CVEFile, '/CVE/list'),
-                   (bugs.DSAFile, '/DSA/list'),
-                   (bugs.DTSAFile, '/DTSA/list'),
-                   (bugs.DLAFile, '/DLA/list'),
-                   (None, source_removed_packages))
+        sources = self.getSources()
 
         unchanged = True
-        for (_, name) in sources:
-            if has_changed(path + name):
+        for filename in sources.keys() + [source_removed_packages]:
+            if has_changed(path + filename):
                 unchanged = False
                 break
         if unchanged:
@@ -940,9 +958,8 @@ class DB:
                 """INSERT OR REPLACE INTO inodeprints (inodeprint, file)
                 VALUES (?, ?)""", (current_print, filename))
 
-        for (cls, name) in sources:
-            if cls is None:
-                continue
+        for name, cls in sources.iteritems():
+            cls = getattr(bugs, cls)
             read_one(cls(path + name))
 
         if self.verbose:
@@ -967,9 +984,10 @@ class DB:
         # Copy notes from DSA/DTSA/DLA to CVE.
 
         old_source = ''
+        source_like = self.genDBAdvisoryString("source", dtsa=True)
         for source, target in list(cursor.execute(
             """SELECT source, target FROM bugs_xref
-            WHERE (source LIKE 'DTSA-%' OR source LIKE 'DSA-%' OR source LIKE 'DLA-%')
+            WHERE (""" + source_like +  """)
             AND target LIKE 'CVE-%'""")):
             if source <> old_source:
                 source_bug = bugs.BugFromDB(cursor, source)
@@ -1848,11 +1866,12 @@ class DB:
         return flag
 
     def getDSAsForSourcePackage(self, cursor, package):
+        bugs_like = self.genDBAdvisoryString("bugs.name", dtsa=False)
         for row in cursor.execute(
             """SELECT bugs.name, bugs.description
             FROM bugs, package_notes as p
             WHERE p.bug_name = bugs.name
-            AND ( bugs.name LIKE 'DSA-%' OR bugs.name LIKE 'DLA-%')
+            AND ( """ + bugs_like + """ )
             AND p.package = ?
             ORDER BY bugs.release_date DESC""", (package,)):
             yield DSAsForSourcePackage(*row)