From 034b062871f56e8348e62833d5eb8b156ac4e4a0 Mon Sep 17 00:00:00 2001
From: Robert Buchholz
Date: Fri, 20 Mar 2009 04:43:47 +0100
Subject: Add doc and some old functions

---
GOALS | 20 ++++++++++++++++++++
example.xml | 2 +-
kernsecbugz.txt | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
kiss2.py | 55 ++++++++++++++++++++++++++++++++++++++++++++++++-------
out.xml | 15 ++++++++++-----
5 files changed, 134 insertions(+), 13 deletions(-)
create mode 100644 GOALS
create mode 100644 kernsecbugz.txt
diff --git a/GOALS b/GOALS
new file mode 100644
index 0000000..ba09572
--- /dev/null
+++ b/GOALS
@@ -0,0 +1,20 @@
+
+* Assess local machine kernel security
+* Support kernel security maintenance
+ - Vulnerability status of *-sources in the tree (->maintainer)
+ - Status of stable / unstable sources (->arch team)
+ - Stale open bugs (->security team)
+
+
+Interfaces:
+ - Gentoo user (Is my machine vulnerable?)
+ - Report (local cli / public xml+html / graphs)
+ - TODO list (cc arch teams, ping maintainer, close bug)
+ + automate TODOs
+
+Backend
+ input:
+ - Bugs from bugzilla: ID, Title, URL, Severity, Architecture, Intervals
+ - CVE feeds from nvd.nist.gov
+ - GENPATCHES history + current portage tree
+
diff --git a/example.xml b/example.xml
index f0b0a92..0bfc20c 100644
--- a/example.xml
+++ b/example.xml
@@ -1,7 +1,7 @@
- 221123
+ 221123 <![CDATA[ Linux Kernels 2.6.22->2.6.25.2 - utimensat() file time modification bypass vulnerability (CVE-2008-2148) ]]> CVE-2008-2148
diff --git a/kernsecbugz.txt b/kernsecbugz.txt
new file mode 100644
index 0000000..467b01b
--- /dev/null
+++ b/kernsecbugz.txt
@@ -0,0 +1,55 @@
+Bugzilla Kernel Version specification
+
+The whiteboard field on the bug should be used to specify the vulnerable
+versions of all kernel sources for this bug. A bug can affect a package in three
+ways (and can therefore be fixed in three ways):
+ (1) by affecting the kernel.org release ("linux"),
+ (2) by affecting a certian set of Gentoo Patchsets ("gp")
+ (3) by affecting a specific set of Gentoo kernel sources ("*-sources").
+
+The priorities of these levels override each other with 3 having the highest
+priority (2 second and 1 lowest)  Note that priority does not mean severity of
+the bug. Rather, the priority level is a scale of generality with 1 having the
+highest generality. A whiteboard entry of the type [linux] affects all kernels
+based off that version until a higher priority entry is added.
+
+Higher levels (2, 3) should normally only mark unaffected versions that are
+affected in lower levels. To override this and expand the "affected" interval
+over the boundaries giving by lower levels, version specifiers should be
+prefixed with a "+".
+
+Intervals specify the affected versions and can, for each level, be specified
+open (with upper or lower boundary only), or closed, either inclusive or not.
+Spaces are discarded.
+
+The order in which interval are specified is irrelevant.
+
+Examples:
+ [linux > 2.6] -- means all Linux releases since 2.6 are affected
+ [linux < 2.6.24.3] -- means all Linux versions prior to 2.6.24.3 are affected.
+ [linux >= 2.6.24 < 2.6.24.3] -- means all Linux versions greater than, and
+ including, 2.6.24, except if they are equal or greater than .3
+
+
+Complex examples:
+ [linux >= 2.6.18 < 2.6.24.3] [gp < 2.6.23-8]
+ This means: affected is every kernel based on a linux release higher/equal than
+ 2.6.18, but not those based on 2.6.24.3 or later. Kernels using a genpatches
+ version 2.6.23-8 or later are also not affected. 2.6.17 or earlier kernels
+ using genpatches are not affected.
+
+ [linux >= 2.6.18 < 2.6.24.3] [gp +< 2.6.23-8]
+ Same as before, except even 2.6.17 and earlier genpatched kernerls are also
+ affected (because of the +).
+
+ [linux >= 2.6.18 < 2.6.24.3] [gp >= 2.6.15 +<= 2.6.23-8]
+  Similar to the previous example, except kernels using genpatches are
+ affected from versions 2.6.15 (inclusive) up to 2.6.23-8 (inclusive).
+
+ [linux >= 2.6.18] [gp >= 2.6.23 < 2.6.23-8] [gp < 2.6.22-10]
+ All Linuxes since 2.6.18, unaffected are all Genpatched kernels between
+ 2.6.22-10 and (not including) 2.6.23, plus those after 2.6.23-8.
+
+ [linux >= 2.6.18 < 2.6.24.3] [gp < 2.6.23-8] [xen < 2.6.18-r9] [xen >= 2.6.19]
+ Same as the first example, except the 2.6.18 series of xen-kernels was fixed in 2.6.18-r9.
+
diff --git a/kiss2.py b/kiss2.py
index 9ede7b6..16a838f 100755
--- a/kiss2.py
+++ b/kiss2.py
@@ -10,6 +10,7 @@ import os
 import portage
 import portage_versions
 import re
+import elementtree.ElementTree as ET
 genpatcheslist="./output/genpversions.txt"
@@ -251,6 +252,23 @@ class IntervalEntry:
 val += "<%s" % (self.upper)
 return val
+ def to_xml(self, element = None):
+ intnode = ET.Element("interval")
+ if element:
+ element.append(bugnode)
+
+ intnode.source = self.name
+
+
+ for item in ("bugno", "title", "arch", "severity", "url"):
+ c = ET.SubElement(bugnode, item)
+ c.text = self.__getattribute__(item)
+ for entry in self.affected:
+ entry.to_xml(bugnode)
+ for cve in self.cve:
+ cve.to_xml(bugnode)
+ return bugnode
+
 def is_in_interval(self, version):
 """ Returns True if the given version is inside our specified interval, False otherwise. Note: 'name' is discarded in the comparison. """
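Review bot: `IntervalEntry.to_xml` never works as written: `bugnode` is unbound when `element.append(bugnode)` runs, and the loop body below `intnode.source = self.name` reads `self.affected` and `self.cve` and returns `bugnode`, all of which belong to `Bug.to_xml` in a later hunk, not to this class. `intnode.source = self.name` also sets a Python attribute on the Element object rather than an XML attribute, so the interval's name never reaches the serialized tree; `intnode.set("source", self.name)` is what ElementTree expects. The `if element:` test is a further trap shared with `Bug.to_xml`: an Element's truth value is whether it has children, so a freshly created empty parent is falsy and the node is silently not attached — compare against `None` instead. The method should build and return `intnode`; the bounds could be emitted with the same fields the preceding string builder uses (`self.upper` is visible here, the lower-bound field is not). `is_in_interval` continues outside the hunk.
```python
    def to_xml(self, element = None):
        intnode = ET.Element("interval")
        # an Element with no children is falsy, so test identity, not truth
        if element is not None:
            element.append(intnode)
        intnode.set("source", self.name)
        # NOTE(review): expose the bounds too; the string builder just above
        # prints self.upper (and presumably the lower bound) -- reuse those fields
        return intnode
```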
@@ -295,11 +313,14 @@ class IntervalEntry:
 return True
-class Bug:
- def __init__(self, bugno, title = "", severity = "normal", affected = ()):
+class Bug(object):
+ def __init__(self, bugno, title = "", arch = "All", severity = "normal", url = "", affected = (), cves = ""):
 self.bugno = bugno
 self.title = title
+ self.arch = arch
 self.severity = severity
+ self.url = url
+ self.cves = cves
 self.affected = affected #(Entry("linux", "<", "2.6.23"),Entry("gp", "<", "2.6.20-14"),Entry("hardened", ">", "2.6"))
 def affects(self, kernelatom):
@@ -354,6 +375,25 @@ class Bug:
 affected = False
 return affected
+ def to_xml(self, element = None):
+ bugnode = ET.Element("bug")
+ if element:
+ element.append(bugnode)
+
+ for item in ("bugno", "title", "arch", "severity", "url"):
+ c = ET.SubElement(bugnode, item)
+ c.text = self.__getattribute__(item)
+
+ affnode = bugnode.append("affected")
+ for entry in self.affected:
+ entry.to_xml(affnode)
+
+ cves = bugnode.append("cves")
+ for cve in self.cve:
+ cve.to_xml(cves)
+ return bugnode
+
+
 def set_from_whiteboard(self, whiteboard):
 """ Set the Bug's values given reading a Status Whiteboard string from a Bug. """
 if whiteboard == None:
@@ -429,12 +469,13 @@ class Bugzilla:
 bugid = bug_raw['bugid']
 bug_xml = self.bz.get(bugid)
- bug = Bug(bugid, bug_raw['desc'], bug_raw['severity'])
+ bug = Bug(bugid, bug_raw['desc'], bug_raw['arch'], bug_raw['severity'], url = "")
 try:
 bug.set_from_whiteboard(bug_xml.find('//status_whiteboard').text)
 self.bugs.append(bug)
+ bug.to_xml()
 except:
- #print sys.exc_value
+ print sys.exc_value
 self.failed_bugs.append(bug)
@@ -467,8 +508,8 @@ def main():
 if __name__ == "__main__":
- try:
+ #try:
 main()
- except KeyboardInterrupt:
- print '\n ! Exiting.'
+ #except KeyboardInterrupt:
+ #print '\n ! Exiting.'
diff --git a/out.xml b/out.xml
index 1e6d2cc..3e9c0b4 100644
--- a/out.xml
+++ b/out.xml
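Review bot: In `Bug.to_xml` the lines `affnode = bugnode.append("affected")` and `cves = bugnode.append("cves")` cannot produce containers: `Element.append` takes an Element, not a tag name, and returns `None`, so at best `affnode` and `cves` are `None` when passed to the child `to_xml` calls; `ET.SubElement(bugnode, "affected")` is the call that creates and attaches a child. The loop reads `self.cve`, but the `__init__` hunk above stores the value as `self.cves`, and its default `cves = ""` is a string, so even with the name fixed a default-constructed Bug would iterate characters that have no `to_xml`; `cves = ()` matches `affected = ()`. `c.text = self.__getattribute__(item)` is plain `getattr`, and `bugno` arrives from `bug_raw['bugid']` whose type I cannot see from the hunk; ElementTree needs string text, so converting non-strings is safer. The `if element:` test also skips attaching to an empty parent, since an Element's truth value is its child count.
```python
    def to_xml(self, element = None):
        bugnode = ET.Element("bug")
        # an Element with no children is falsy, so test identity, not truth
        if element is not None:
            element.append(bugnode)

        for item in ("bugno", "title", "arch", "severity", "url"):
            c = ET.SubElement(bugnode, item)
            value = getattr(self, item)
            # ElementTree text must be a string; bugno may not arrive as one
            c.text = value if isinstance(value, basestring) else str(value)

        affnode = ET.SubElement(bugnode, "affected")
        for entry in self.affected:
            entry.to_xml(affnode)

        cvenode = ET.SubElement(bugnode, "cves")
        for cve in self.cves:
            cve.to_xml(cvenode)
        return bugnode
```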
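Review bot: The bare `except:` in the Bugzilla hunk now prints and swallows every error raised in the try block, and that block has grown to include `bug.to_xml()`; a NameError or TypeError from serialization is therefore recorded as a whiteboard-parsing failure, and because `self.bugs.append(bug)` runs first, such a bug ends up in both `self.bugs` and `self.failed_bugs`. A bare except also catches KeyboardInterrupt, so with the handler in the last hunk commented out a Ctrl-C during the fetch loop is logged as one more failed bug instead of stopping the run. Narrow it to `except Exception:`, and either drop the `bug.to_xml()` call, whose return value is discarded, or move it before the append so a bug is only kept once it serializes. `url = ""` leaves the newly added url field empty; if `bug_raw` carries the bug's URL it should be passed here, but I cannot see `bug_raw`'s keys from the hunk. The enclosing method starts outside the hunk.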
@@ -1,10 +1,7 @@
 221123 Linux Kernels 2.6.22->2.6.25.2 - utimensat() file time modification bypass vulnerability (CVE-2008-2148)
-
- CVE-2008-2148
- The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and other versions before 2.6.25.3 does not check file permissions when certain UTIME_NOW and UTIME_OMIT combinations are used, which allows local users to modify file times of arbitrary files, possibly leading to a denial of service.
-
+ CVE-2008-2148
 http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git;a=blob;f=review-2.6.25/vfs-fix-permission-checking-in-sys_utimensat.patch;h=1da0b9bf9f078e3eb147a6799e5a74af2484014a;hb=cbe22288b271b4e4e51f5573281662f53466e41a All normal
@@ -14,4 +11,12 @@
 2.6.25.2
-
\ No newline at end of file
+
+
+
+
+ The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and other versions before 2.6.25.3 does not check file permissions when certain UTIME_NOW and UTIME_OMIT combinations are used, which allows local users to modify file times of arbitrary files, possibly leading to a denial of service.
+ (AV:N/AC:L/Au:N/C:N/I:N/A:P)
+
+
+
-- cgit v1.2.3-65-gdbad