diff options
Diffstat (limited to 'src/glsa-check')
| -rw-r--r-- | src/glsa-check/Makefile | 20 | ||||
| -rw-r--r-- | src/glsa-check/glsa-check | 364 | ||||
| -rw-r--r-- | src/glsa-check/glsa-check.1 | 57 | ||||
| -rw-r--r-- | src/glsa-check/glsa.py | 644 |
4 files changed, 1085 insertions, 0 deletions
diff --git a/src/glsa-check/Makefile b/src/glsa-check/Makefile new file mode 100644 index 0000000..9ad5717 --- /dev/null +++ b/src/glsa-check/Makefile @@ -0,0 +1,20 @@ +# Copyright 2003 Karl Trygve Kalleberg <karltk@gentoo.org> +# Copyright 2003 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 +# +# $Header$ + +include ../../makedefs.mak + +all: + echo "YADDLETHORPE (vb.) (Of offended pooves.) To exit huffily from a boutique." + +dist: + mkdir -p ../../$(distdir)/src/glsa-check/ + cp Makefile glsa.py glsa-check glsa-check.1 ../../$(distdir)/src/glsa-check/ + +install: + install -d $(DESTDIR)/usr/lib/gentoolkit/pym/ + install -m 0755 glsa-check $(bindir)/ + install -m 0644 glsa.py $(DESTDIR)/usr/lib/gentoolkit/pym/ + install -m 0644 glsa-check.1 $(mandir)/ diff --git a/src/glsa-check/glsa-check b/src/glsa-check/glsa-check new file mode 100644 index 0000000..98e5708 --- /dev/null +++ b/src/glsa-check/glsa-check @@ -0,0 +1,364 @@ +#!/usr/bin/python + +# $Header: $ +# This program is licensed under the GPL, version 2 + +import os +import sys +sys.path.insert(0, "/usr/lib/gentoolkit/pym") +try: + import portage +except ImportError: + sys.path.insert(0, "/usr/lib/portage/pym") + import portage + +try: + from portage.output import * +except ImportError: + from output import * + +from getopt import getopt,GetoptError + +__program__ = "glsa-check" +__author__ = "Marius Mauch <genone@gentoo.org>" +__version__ = "0.9" + +optionmap = [ +["-l", "--list", "list all unapplied GLSA"], +["-d", "--dump", "--print", "show all information about the given GLSA"], +["-t", "--test", "test if this system is affected by the given GLSA"], +["-p", "--pretend", "show the necessary commands to apply this GLSA"], +["-f", "--fix", "try to auto-apply this GLSA (experimental)"], +["-i", "--inject", "inject the given GLSA into the checkfile"], +["-n", "--nocolor", "disable colors (option)"], +["-e", "--emergelike", "do not use a least-change algorithm (option)"], +["-h", "--help", "show this help message"], +["-V", "--version", "some information about this tool"], +["-v", "--verbose", "print more information (option)"], +["-c", "--cve", "show CAN ids in listing mode (option)"], +["-m", "--mail", "send a mail with the given GLSAs to the administrator"] +] + +# print a warning as this is beta code (but proven by now, so no more warning) +#sys.stderr.write("WARNING: This tool is completely new and not very tested, so it should not be\n") +#sys.stderr.write("used on production systems. It's mainly a test tool for the new GLSA release\n") +#sys.stderr.write("and distribution system, it's functionality will later be merged into emerge\n") +#sys.stderr.write("and equery.\n") +#sys.stderr.write("Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml\n") +#sys.stderr.write("before using this tool AND before reporting a bug.\n\n") + +# option parsing +args = [] +params = [] +try: + args, params = getopt(sys.argv[1:], "".join([o[0][1] for o in optionmap]), \ + [x[2:] for x in reduce(lambda x,y: x+y, [z[1:-1] for z in optionmap])]) +# ["dump", "print", "list", "pretend", "fix", "inject", "help", "verbose", "version", "test", "nocolor", "cve", "mail"]) + args = [a for a,b in args] + + for option in ["--nocolor", "-n"]: + if option in args: + nocolor() + args.remove(option) + + verbose = False + for option in ["--verbose", "-v"]: + if option in args: + verbose = True + args.remove(option) + + list_cve = False + for option in ["--cve", "-c"]: + if option in args: + list_cve = True + args.remove(option) + + least_change = True + for option in ["--emergelike", "-e"]: + if option in args: + least_change = False + args.remove(option) + + # sanity checking + if len(args) <= 0: + sys.stderr.write("no option given: what should I do ?\n") + mode="help" + elif len(args) > 1: + sys.stderr.write("please use only one command per call\n") + mode = "help" + else: + # in what mode are we ? + args = args[0] + for m in optionmap: + if args in [o for o in m[:-1]]: + mode = m[1][2:] + +except GetoptError, e: + sys.stderr.write("unknown option given: ") + sys.stderr.write(str(e)+"\n") + mode = "help" + +# we need a set of glsa for most operation modes +if len(params) <= 0 and mode in ["fix", "test", "pretend", "dump", "inject", "mail"]: + sys.stderr.write("\nno GLSA given, so we'll do nothing for now. \n") + sys.stderr.write("If you want to run on all GLSA please tell me so \n") + sys.stderr.write("(specify \"all\" as parameter)\n\n") + mode = "help" +elif len(params) <= 0 and mode == "list": + params.append("new") + +# show help message +if mode == "help": + sys.stderr.write("\nSyntax: glsa-check <option> [glsa-list]\n\n") + for m in optionmap: + sys.stderr.write(m[0] + "\t" + m[1] + " \t: " + m[-1] + "\n") + for o in m[2:-1]: + sys.stderr.write("\t" + o + "\n") + sys.stderr.write("\nglsa-list can contain an arbitrary number of GLSA ids, \n") + sys.stderr.write("filenames containing GLSAs or the special identifiers \n") + sys.stderr.write("'all', 'new' and 'affected'\n") + sys.exit(1) + +# we need root priviledges for write access +if mode in ["fix", "inject"] and os.geteuid() != 0: + sys.stderr.write("\nThis tool needs root access to "+mode+" this GLSA\n\n") + sys.exit(2) + +# show version and copyright information +if mode == "version": + sys.stderr.write("\n"+ __program__ + ", version " + __version__ + "\n") + sys.stderr.write("Author: " + __author__ + "\n") + sys.stderr.write("This program is licensed under the GPL, version 2\n\n") + sys.exit(0) + +# delay this for speed increase +from glsa import * + +glsaconfig = checkconfig(portage.config(clone=portage.settings)) + +vardb = portage.db["/"]["vartree"].dbapi +portdb = portage.db["/"]["porttree"].dbapi + +# Check that we really have a glsa dir to work on +if not (os.path.exists(glsaconfig["GLSA_DIR"]) and os.path.isdir(glsaconfig["GLSA_DIR"])): + sys.stderr.write(red("ERROR")+": GLSA_DIR %s doesn't exist. Please fix this.\n" % glsaconfig["GLSA_DIR"]) + sys.exit(1) + +# build glsa lists +completelist = get_glsa_list(glsaconfig["GLSA_DIR"], glsaconfig) + +if os.access(glsaconfig["CHECKFILE"], os.R_OK): + checklist = [line.strip() for line in open(glsaconfig["CHECKFILE"], "r").readlines()] +else: + checklist = [] +todolist = [e for e in completelist if e not in checklist] + +glsalist = [] +if "new" in params: + glsalist = todolist + params.remove("new") + +if "all" in params: + glsalist = completelist + params.remove("all") +if "affected" in params: + # replaced completelist with todolist on request of wschlich + for x in todolist: + try: + myglsa = Glsa(x, glsaconfig) + except (GlsaTypeException, GlsaFormatException), e: + if verbose: + sys.stderr.write(("invalid GLSA: %s (error message was: %s)\n" % (x, e))) + continue + if myglsa.isVulnerable(): + glsalist.append(x) + params.remove("affected") + +# remove invalid parameters +for p in params[:]: + if not (p in completelist or os.path.exists(p)): + sys.stderr.write(("(removing %s from parameter list as it isn't a valid GLSA specification)\n" % p)) + params.remove(p) + +glsalist.extend([g for g in params if g not in glsalist]) + +def summarylist(myglsalist, fd1=sys.stdout, fd2=sys.stderr): + fd2.write(white("[A]")+" means this GLSA was already applied,\n") + fd2.write(green("[U]")+" means the system is not affected and\n") + fd2.write(red("[N]")+" indicates that the system might be affected.\n\n") + + for myid in myglsalist: + try: + myglsa = Glsa(myid, glsaconfig) + except (GlsaTypeException, GlsaFormatException), e: + if verbose: + fd2.write(("invalid GLSA: %s (error message was: %s)\n" % (myid, e))) + continue + if myglsa.isApplied(): + status = "[A]" + color = white + elif myglsa.isVulnerable(): + status = "[N]" + color = red + else: + status = "[U]" + color = green + + if verbose: + access = ("[%-8s] " % myglsa.access) + else: + access="" + + fd1.write(color(myglsa.nr) + " " + color(status) + " " + color(access) + myglsa.title + " (") + if not verbose: + for pkg in myglsa.packages.keys()[:3]: + fd1.write(" " + pkg + " ") + if len(myglsa.packages) > 3: + fd1.write("... ") + else: + for pkg in myglsa.packages.keys(): + mylist = vardb.match(portage.dep_getkey(pkg)) + if len(mylist) > 0: + pkg = color(" ".join(mylist)) + fd1.write(" " + pkg + " ") + + fd1.write(")") + if list_cve: + fd1.write(" "+(",".join([r[:13] for r in myglsa.references if r[:4] in ["CAN-", "CVE-"]]))) + fd1.write("\n") + return 0 + +if mode == "list": + sys.exit(summarylist(glsalist)) + +# dump, fix, inject and fix are nearly the same code, only the glsa method call differs +if mode in ["dump", "fix", "inject", "pretend"]: + for myid in glsalist: + try: + myglsa = Glsa(myid, glsaconfig) + except (GlsaTypeException, GlsaFormatException), e: + if verbose: + sys.stderr.write(("invalid GLSA: %s (error message was: %s)\n" % (myid, e))) + continue + if mode == "dump": + myglsa.dump() + elif mode == "fix": + sys.stdout.write("fixing "+myid+"\n") + mergelist = myglsa.getMergeList(least_change=least_change) + for pkg in mergelist: + sys.stdout.write(">>> merging "+pkg+"\n") + # using emerge for the actual merging as it contains the dependency + # code and we want to be consistent in behaviour. Also this functionality + # will be integrated in emerge later, so it shouldn't hurt much. + emergecmd = "emerge --oneshot " + glsaconfig["EMERGE_OPTS"] + " =" + pkg + if verbose: + sys.stderr.write(emergecmd+"\n") + exitcode = os.system(emergecmd) + # system() returns the exitcode in the high byte of a 16bit integer + if exitcode >= 1<<8: + exitcode >>= 8 + if exitcode: + sys.exit(exitcode) + myglsa.inject() + elif mode == "pretend": + sys.stdout.write("Checking GLSA "+myid+"\n") + mergelist = myglsa.getMergeList(least_change=least_change) + if mergelist: + sys.stdout.write("The following updates will be performed for this GLSA:\n") + for pkg in mergelist: + oldver = None + for x in vardb.match(portage.dep_getkey(pkg)): + if vardb.aux_get(x, ["SLOT"]) == portdb.aux_get(pkg, ["SLOT"]): + oldver = x + if oldver == None: + raise ValueError("could not find old version for package %s" % pkg) + oldver = oldver[len(portage.dep_getkey(oldver))+1:] + sys.stdout.write(" " + pkg + " (" + oldver + ")\n") + else: + sys.stdout.write("Nothing to do for this GLSA\n") + elif mode == "inject": + sys.stdout.write("injecting " + myid + "\n") + myglsa.inject() + sys.stdout.write("\n") + sys.exit(0) + +# test is a bit different as Glsa.test() produces no output +if mode == "test": + outputlist = [] + for myid in glsalist: + try: + myglsa = Glsa(myid, glsaconfig) + except (GlsaTypeException, GlsaFormatException), e: + if verbose: + sys.stderr.write(("invalid GLSA: %s (error message was: %s)\n" % (myid, e))) + continue + if myglsa.isVulnerable(): + if verbose: + outputlist.append(str(myglsa.nr)+" ( "+myglsa.title+" ) ") + else: + outputlist.append(str(myglsa.nr)) + if len(outputlist) > 0: + sys.stderr.write("This system is affected by the following GLSAs:\n") + sys.stdout.write("\n".join(outputlist)+"\n") + else: + sys.stderr.write("This system is not affected by any of the listed GLSAs\n") + sys.exit(0) + +# mail mode as requested by solar +if mode == "mail": + try: + import portage.mail as portage_mail + except ImportError: + import portage_mail + + import socket + from StringIO import StringIO + try: + from email.mime.text import MIMEText + except ImportError: + from email.MIMEText import MIMEText + + # color doesn't make any sense for mail + nocolor() + + if glsaconfig.has_key("PORTAGE_ELOG_MAILURI"): + myrecipient = glsaconfig["PORTAGE_ELOG_MAILURI"].split()[0] + else: + myrecipient = "root@localhost" + + if glsaconfig.has_key("PORTAGE_ELOG_MAILFROM"): + myfrom = glsaconfig["PORTAGE_ELOG_MAILFROM"] + else: + myfrom = "glsa-check" + + mysubject = "[glsa-check] Summary for %s" % socket.getfqdn() + + # need a file object for summarylist() + myfd = StringIO() + myfd.write("GLSA Summary report for host %s\n" % socket.getfqdn()) + myfd.write("(Command was: %s)\n\n" % " ".join(sys.argv)) + summarylist(glsalist, fd1=myfd, fd2=myfd) + summary = str(myfd.getvalue()) + myfd.close() + + myattachments = [] + for myid in glsalist: + try: + myglsa = Glsa(myid, glsaconfig) + except (GlsaTypeException, GlsaFormatException), e: + if verbose: + sys.stderr.write(("invalid GLSA: %s (error message was: %s)\n" % (myid, e))) + continue + myfd = StringIO() + myglsa.dump(outstream=myfd) + myattachments.append(MIMEText(str(myfd.getvalue()), _charset="utf8")) + myfd.close() + + mymessage = portage_mail.create_message(myfrom, myrecipient, mysubject, summary, myattachments) + portage_mail.send_mail(glsaconfig, mymessage) + + sys.exit(0) + +# something wrong here, all valid paths are covered with sys.exit() +sys.stderr.write("nothing more to do\n") +sys.exit(2) diff --git a/src/glsa-check/glsa-check.1 b/src/glsa-check/glsa-check.1 new file mode 100644 index 0000000..5a7a525 --- /dev/null +++ b/src/glsa-check/glsa-check.1 @@ -0,0 +1,57 @@ +.TH "glsa-check" "1" "0.6" "Marius Mauch" "gentoolkit" +.SH "NAME" +.LP +glsa\-check \- Gentoo: Tool to locally monitor and manage GLSA's +.SH "SYNTAX" +.LP +glsa\-check <\fIoption\fP> [\fIglsa\-list\fP] + +[\fIglsa\-list\fR] can contain an arbitrary number of GLSA ids, filenames containing GLSAs or the special identifiers 'all', 'new' and 'affected' +.SH "DESCRIPTION" +.LP +This tool is used to locally monitor and manage Gentoo Linux Security Advisories. +Please read: +.br +http://www.gentoo.org/proj/en/portage/glsa\-integration.xml +.br +before reporting a bug. +.LP +Note: In order for this tool to be effective, you must regularly sync your local portage tree. +.SH "OPTIONS" +.LP +.TP +.B \-l, \-\-list +list all unapplied GLSA +.TP +.B \-d, \-\-dump, \-\-print +show all information about the given GLSA +.TP +.B \-t, \-\-test +test if this system is affected by the given GLSA +.TP +.B \-p, \-\-pretend +show the necessary commands to apply this GLSA +.TP +.B \-f, \-\-fix +try to auto\-apply this GLSA (experimental) +.TP +.B \-i, \-\-inject +inject the given GLSA into the checkfile +.TP +.B \-n, \-\-nocolor +disable colors (option) +.TP +.B \-h, \-\-help +show this help message +.TP +.B \-V, \-\-version +some information about this tool +.TP +.B \-v, \-\-verbose +print more messages (option) +.TP +.B \-c, \-\-cve +show CAN ids in listing mode (option) +.TP +.B \-m, \-\-mail +send a mail with the given GLSAs to the administrator diff --git a/src/glsa-check/glsa.py b/src/glsa-check/glsa.py new file mode 100644 index 0000000..4c8f280 --- /dev/null +++ b/src/glsa-check/glsa.py @@ -0,0 +1,644 @@ +# $Header$ + +# This program is licensed under the GPL, version 2 + +# WARNING: this code is only tested by a few people and should NOT be used +# on production systems at this stage. There are possible security holes and probably +# bugs in this code. If you test it please report ANY success or failure to +# me (genone@gentoo.org). + +# The following planned features are currently on hold: +# - getting GLSAs from http/ftp servers (not really useful without the fixed ebuilds) +# - GPG signing/verification (until key policy is clear) + +__author__ = "Marius Mauch <genone@gentoo.org>" + +import os +import sys +import urllib +import time +import codecs +import re +import xml.dom.minidom + +if sys.version_info[0:2] < (2,3): + raise NotImplementedError("Python versions below 2.3 have broken XML code " \ + +"and are not supported") + +try: + import portage +except ImportError: + sys.path.insert(0, "/usr/lib/portage/pym") + import portage + +# Note: the space for rgt and rlt is important !! +opMapping = {"le": "<=", "lt": "<", "eq": "=", "gt": ">", "ge": ">=", + "rge": ">=~", "rle": "<=~", "rgt": " >~", "rlt": " <~"} +NEWLINE_ESCAPE = "!;\\n" # some random string to mark newlines that should be preserved +SPACE_ESCAPE = "!;_" # some random string to mark spaces that should be preserved + +def center(text, width): + """ + Returns a string containing I{text} that is padded with spaces on both + sides. If C{len(text) >= width} I{text} is returned unchanged. + + @type text: String + @param text: the text to be embedded + @type width: Integer + @param width: the minimum length of the returned string + @rtype: String + @return: the expanded string or I{text} + """ + if len(text) >= width: + return text + margin = (width-len(text))/2 + rValue = " "*margin + rValue += text + if 2*margin + len(text) == width: + rValue += " "*margin + elif 2*margin + len(text) + 1 == width: + rValue += " "*(margin+1) + return rValue + + +def wrap(text, width, caption=""): + """ + Wraps the given text at column I{width}, optionally indenting + it so that no text is under I{caption}. It's possible to encode + hard linebreaks in I{text} with L{NEWLINE_ESCAPE}. + + @type text: String + @param text: the text to be wrapped + @type width: Integer + @param width: the column at which the text should be wrapped + @type caption: String + @param caption: this string is inserted at the beginning of the + return value and the paragraph is indented up to + C{len(caption)}. + @rtype: String + @return: the wrapped and indented paragraph + """ + rValue = "" + line = caption + text = text.replace(2*NEWLINE_ESCAPE, NEWLINE_ESCAPE+" "+NEWLINE_ESCAPE) + words = text.split() + indentLevel = len(caption)+1 + + for w in words: + if line[-1] == "\n": + rValue += line + line = " "*indentLevel + if len(line)+len(w.replace(NEWLINE_ESCAPE, ""))+1 > width: + rValue += line+"\n" + line = " "*indentLevel+w.replace(NEWLINE_ESCAPE, "\n") + elif w.find(NEWLINE_ESCAPE) >= 0: + if len(line.strip()) > 0: + rValue += line+" "+w.replace(NEWLINE_ESCAPE, "\n") + else: + rValue += line+w.replace(NEWLINE_ESCAPE, "\n") + line = " "*indentLevel + else: + if len(line.strip()) > 0: + line += " "+w + else: + line += w + if len(line) > 0: + rValue += line.replace(NEWLINE_ESCAPE, "\n") + rValue = rValue.replace(SPACE_ESCAPE, " ") + return rValue + +def checkconfig(myconfig): + """ + takes a portage.config instance and adds GLSA specific keys if + they are not present. TO-BE-REMOVED (should end up in make.*) + """ + mysettings = { + "GLSA_DIR": portage.settings["PORTDIR"]+"/metadata/glsa/", + "GLSA_PREFIX": "glsa-", + "GLSA_SUFFIX": ".xml", + "CHECKFILE": "/var/cache/edb/glsa", + "GLSA_SERVER": "www.gentoo.org/security/en/glsa/", # not completely implemented yet + "CHECKMODE": "local", # not completely implemented yet + "PRINTWIDTH": "76" + } + for k in mysettings.keys(): + if k not in myconfig: + myconfig[k] = mysettings[k] + return myconfig + +def get_glsa_list(repository, myconfig): + """ + Returns a list of all available GLSAs in the given repository + by comparing the filelist there with the pattern described in + the config. + + @type repository: String + @param repository: The directory or an URL that contains GLSA files + (Note: not implemented yet) + @type myconfig: portage.config + @param myconfig: a GLSA aware config instance (see L{checkconfig}) + + @rtype: List of Strings + @return: a list of GLSA IDs in this repository + """ + # TODO: remote fetch code for listing + + rValue = [] + + if not os.access(repository, os.R_OK): + return [] + dirlist = os.listdir(repository) + prefix = myconfig["GLSA_PREFIX"] + suffix = myconfig["GLSA_SUFFIX"] + + for f in dirlist: + try: + if f[:len(prefix)] == prefix: + rValue.append(f[len(prefix):-1*len(suffix)]) + except IndexError: + pass + return rValue + +def getListElements(listnode): + """ + Get all <li> elements for a given <ol> or <ul> node. + + @type listnode: xml.dom.Node + @param listnode: <ul> or <ol> list to get the elements for + @rtype: List of Strings + @return: a list that contains the value of the <li> elements + """ + rValue = [] + if not listnode.nodeName in ["ul", "ol"]: + raise GlsaFormatException("Invalid function call: listnode is not <ul> or <ol>") + for li in listnode.childNodes: + if li.nodeType != xml.dom.Node.ELEMENT_NODE: + continue + rValue.append(getText(li, format="strip")) + return rValue + +def getText(node, format): + """ + This is the main parser function. It takes a node and traverses + recursive over the subnodes, getting the text of each (and the + I{link} attribute for <uri> and <mail>). Depending on the I{format} + parameter the text might be formatted by adding/removing newlines, + tabs and spaces. This function is only useful for the GLSA DTD, + it's not applicable for other DTDs. + + @type node: xml.dom.Node + @param node: the root node to start with the parsing + @type format: String + @param format: this should be either I{strip}, I{keep} or I{xml} + I{keep} just gets the text and does no formatting. + I{strip} replaces newlines and tabs with spaces and + replaces multiple spaces with one space. + I{xml} does some more formatting, depending on the + type of the encountered nodes. + @rtype: String + @return: the (formatted) content of the node and its subnodes + """ + rValue = "" + if format in ["strip", "keep"]: + if node.nodeName in ["uri", "mail"]: + rValue += node.childNodes[0].data+": "+node.getAttribute("link") + else: + for subnode in node.childNodes: + if subnode.nodeName == "#text": + rValue += subnode.data + else: + rValue += getText(subnode, format) + else: + for subnode in node.childNodes: + if subnode.nodeName == "p": + for p_subnode in subnode.childNodes: + if p_subnode.nodeName == "#text": + rValue += p_subnode.data.strip() + elif p_subnode.nodeName in ["uri", "mail"]: + rValue += p_subnode.childNodes[0].data + rValue += " ( "+p_subnode.getAttribute("link")+" )" + rValue += NEWLINE_ESCAPE + elif subnode.nodeName == "ul": + for li in getListElements(subnode): + rValue += "-"+SPACE_ESCAPE+li+NEWLINE_ESCAPE+" " + elif subnode.nodeName == "ol": + i = 0 + for li in getListElements(subnode): + i = i+1 + rValue += str(i)+"."+SPACE_ESCAPE+li+NEWLINE_ESCAPE+" " + elif subnode.nodeName == "code": + rValue += getText(subnode, format="keep").replace("\n", NEWLINE_ESCAPE) + if rValue[-1*len(NEWLINE_ESCAPE):] != NEWLINE_ESCAPE: + rValue += NEWLINE_ESCAPE + elif subnode.nodeName == "#text": + rValue += subnode.data + else: + raise GlsaFormatException("Invalid Tag found: ", subnode.nodeName) + if format == "strip": + rValue = rValue.strip(" \n\t") + rValue = re.sub("[\s]{2,}", " ", rValue) + # Hope that the utf conversion doesn't break anything else + return rValue.encode("utf_8") + +def getMultiTagsText(rootnode, tagname, format): + """ + Returns a list with the text of all subnodes of type I{tagname} + under I{rootnode} (which itself is not parsed) using the given I{format}. + + @type rootnode: xml.dom.Node + @param rootnode: the node to search for I{tagname} + @type tagname: String + @param tagname: the name of the tags to search for + @type format: String + @param format: see L{getText} + @rtype: List of Strings + @return: a list containing the text of all I{tagname} childnodes + """ + rValue = [] + for e in rootnode.getElementsByTagName(tagname): + rValue.append(getText(e, format)) + return rValue + +def makeAtom(pkgname, versionNode): + """ + creates from the given package name and information in the + I{versionNode} a (syntactical) valid portage atom. + + @type pkgname: String + @param pkgname: the name of the package for this atom + @type versionNode: xml.dom.Node + @param versionNode: a <vulnerable> or <unaffected> Node that + contains the version information for this atom + @rtype: String + @return: the portage atom + """ + rValue = opMapping[versionNode.getAttribute("range")] \ + + pkgname \ + + "-" + getText(versionNode, format="strip") + return str(rValue) + +def makeVersion(versionNode): + """ + creates from the information in the I{versionNode} a + version string (format <op><version>). + + @type versionNode: xml.dom.Node + @param versionNode: a <vulnerable> or <unaffected> Node that + contains the version information for this atom + @rtype: String + @return: the version string + """ + return opMapping[versionNode.getAttribute("range")] \ + +getText(versionNode, format="strip") + +def match(atom, portdbname, match_type="default"): + """ + wrapper that calls revisionMatch() or portage.dbapi.match() depending on + the given atom. + + @type atom: string + @param atom: a <~ or >~ atom or a normal portage atom that contains the atom to match against + @type portdb: portage.dbapi + @param portdb: one of the portage databases to use as information source + @type match_type: string + @param match_type: if != "default" passed as first argument to dbapi.xmatch + to apply the wanted visibility filters + + @rtype: list of strings + @return: a list with the matching versions + """ + db = portage.db["/"][portdbname].dbapi + if atom[2] == "~": + return revisionMatch(atom, db, match_type=match_type) + elif match_type == "default" or not hasattr(db, "xmatch"): + return db.match(atom) + else: + return db.xmatch(match_type, atom) + +def revisionMatch(revisionAtom, portdb, match_type="default"): + """ + handler for the special >~, >=~, <=~ and <~ atoms that are supposed to behave + as > and < except that they are limited to the same version, the range only + applies to the revision part. + + @type revisionAtom: string + @param revisionAtom: a <~ or >~ atom that contains the atom to match against + @type portdb: portage.dbapi + @param portdb: one of the portage databases to use as information source + @type match_type: string + @param match_type: if != "default" passed as first argument to portdb.xmatch + to apply the wanted visibility filters + + @rtype: list of strings + @return: a list with the matching versions + """ + if match_type == "default" or not hasattr(portdb, "xmatch"): + mylist = portdb.match(re.sub("-r[0-9]+$", "", revisionAtom[2:])) + else: + mylist = portdb.xmatch(match_type, re.sub("-r[0-9]+$", "", revisionAtom[2:])) + rValue = [] + for v in mylist: + r1 = portage.pkgsplit(v)[-1][1:] + r2 = portage.pkgsplit(revisionAtom[3:])[-1][1:] + if eval(r1+" "+revisionAtom[0:2]+" "+r2): + rValue.append(v) + return rValue + + +def getMinUpgrade(vulnerableList, unaffectedList, minimize=True): + """ + Checks if the systemstate is matching an atom in + I{vulnerableList} and returns string describing + the lowest version for the package that matches an atom in + I{unaffectedList} and is greater than the currently installed + version or None if the system is not affected. Both + I{vulnerableList} and I{unaffectedList} should have the + same base package. + + @type vulnerableList: List of Strings + @param vulnerableList: atoms matching vulnerable package versions + @type unaffectedList: List of Strings + @param unaffectedList: atoms matching unaffected package versions + @type minimize: Boolean + @param minimize: True for a least-change upgrade, False for emerge-like algorithm + + @rtype: String | None + @return: the lowest unaffected version that is greater than + the installed version. + """ + rValue = None + v_installed = [] + u_installed = [] + for v in vulnerableList: + v_installed += match(v, "vartree") + + for u in unaffectedList: + u_installed += match(u, "vartree") + + install_unaffected = True + for i in v_installed: + if i not in u_installed: + install_unaffected = False + + if install_unaffected: + return rValue + + for u in unaffectedList: + mylist = match(u, "porttree", match_type="match-all") + for c in mylist: + c_pv = portage.catpkgsplit(c) + i_pv = portage.catpkgsplit(portage.best(v_installed)) + if portage.pkgcmp(c_pv[1:], i_pv[1:]) > 0 \ + and (rValue == None \ + or not match("="+rValue, "porttree") \ + or (minimize ^ (portage.pkgcmp(c_pv[1:], portage.catpkgsplit(rValue)[1:]) > 0)) \ + and match("="+c, "porttree")) \ + and portage.db["/"]["porttree"].dbapi.aux_get(c, ["SLOT"]) == portage.db["/"]["vartree"].dbapi.aux_get(portage.best(v_installed), ["SLOT"]): + rValue = c_pv[0]+"/"+c_pv[1]+"-"+c_pv[2] + if c_pv[3] != "r0": # we don't like -r0 for display + rValue += "-"+c_pv[3] + return rValue + + +# simple Exception classes to catch specific errors +class GlsaTypeException(Exception): + def __init__(self, doctype): + Exception.__init__(self, "wrong DOCTYPE: %s" % doctype) + +class GlsaFormatException(Exception): + pass + +class GlsaArgumentException(Exception): + pass + +# GLSA xml data wrapper class +class Glsa: + """ + This class is a wrapper for the XML data and provides methods to access + and display the contained data. + """ + def __init__(self, myid, myconfig): + """ + Simple constructor to set the ID, store the config and gets the + XML data by calling C{self.read()}. + + @type myid: String + @param myid: String describing the id for the GLSA object (standard + GLSAs have an ID of the form YYYYMM-nn) or an existing + filename containing a GLSA. + @type myconfig: portage.config + @param myconfig: the config that should be used for this object. + """ + if re.match(r'\d{6}-\d{2}', myid): + self.type = "id" + elif os.path.exists(myid): + self.type = "file" + else: + raise GlsaArgumentException("Given ID "+myid+" isn't a valid GLSA ID or filename.") + self.nr = myid + self.config = myconfig + self.read() + + def read(self): + """ + Here we build the filename from the config and the ID and pass + it to urllib to fetch it from the filesystem or a remote server. + + @rtype: None + @return: None + """ + if self.config["CHECKMODE"] == "local": + repository = "file://" + self.config["GLSA_DIR"] + else: + repository = self.config["GLSA_SERVER"] + if self.type == "file": + myurl = "file://"+self.nr + else: + myurl = repository + self.config["GLSA_PREFIX"] + str(self.nr) + self.config["GLSA_SUFFIX"] + self.parse(urllib.urlopen(myurl)) + return None + + def parse(self, myfile): + """ + This method parses the XML file and sets up the internal data + structures by calling the different helper functions in this + module. + + @type myfile: String + @param myfile: Filename to grab the XML data from + @rtype: None + @returns: None + """ + self.DOM = xml.dom.minidom.parse(myfile) + if not self.DOM.doctype: + raise GlsaTypeException(None) + elif self.DOM.doctype.systemId != "http://www.gentoo.org/dtd/glsa.dtd": + raise GlsaTypeException(self.DOM.doctype.systemId) + myroot = self.DOM.getElementsByTagName("glsa")[0] + if self.type == "id" and myroot.getAttribute("id") != self.nr: + raise GlsaFormatException("filename and internal id don't match:" + myroot.getAttribute("id") + " != " + self.nr) + + # the simple (single, required, top-level, #PCDATA) tags first + self.title = getText(myroot.getElementsByTagName("title")[0], format="strip") + self.synopsis = getText(myroot.getElementsByTagName("synopsis")[0], format="strip") + self.announced = getText(myroot.getElementsByTagName("announced")[0], format="strip") + self.revised = getText(myroot.getElementsByTagName("revised")[0], format="strip") + + # now the optional and 0-n toplevel, #PCDATA tags and references + try: + self.access = getText(myroot.getElementsByTagName("access")[0], format="strip") + except IndexError: + self.access = "" + self.bugs = getMultiTagsText(myroot, "bug", format="strip") + self.references = getMultiTagsText(myroot.getElementsByTagName("references")[0], "uri", format="keep") + + # and now the formatted text elements + self.description = getText(myroot.getElementsByTagName("description")[0], format="xml") + self.workaround = getText(myroot.getElementsByTagName("workaround")[0], format="xml") + self.resolution = getText(myroot.getElementsByTagName("resolution")[0], format="xml") + self.impact_text = getText(myroot.getElementsByTagName("impact")[0], format="xml") + self.impact_type = myroot.getElementsByTagName("impact")[0].getAttribute("type") + try: + self.background = getText(myroot.getElementsByTagName("background")[0], format="xml") + except IndexError: + self.background = "" + + # finally the interesting tags (product, affected, package) + self.glsatype = myroot.getElementsByTagName("product")[0].getAttribute("type") + self.product = getText(myroot.getElementsByTagName("product")[0], format="strip") + self.affected = myroot.getElementsByTagName("affected")[0] + self.packages = {} + for p in self.affected.getElementsByTagName("package"): + name = p.getAttribute("name") + if not self.packages.has_key(name): + self.packages[name] = [] + tmp = {} + tmp["arch"] = p.getAttribute("arch") + tmp["auto"] = (p.getAttribute("auto") == "yes") + tmp["vul_vers"] = [makeVersion(v) for v in p.getElementsByTagName("vulnerable")] + tmp["unaff_vers"] = [makeVersion(v) for v in p.getElementsByTagName("unaffected")] + tmp["vul_atoms"] = [makeAtom(name, v) for v in p.getElementsByTagName("vulnerable")] + tmp["unaff_atoms"] = [makeAtom(name, v) for v in p.getElementsByTagName("unaffected")] + self.packages[name].append(tmp) + # TODO: services aren't really used yet + self.services = self.affected.getElementsByTagName("service") + return None + + def dump(self, outstream=sys.stdout): + """ + Dumps a plaintext representation of this GLSA to I{outfile} or + B{stdout} if it is ommitted. You can specify an alternate + I{encoding} if needed (default is latin1). + + @type outstream: File + @param outfile: Stream that should be used for writing + (defaults to sys.stdout) + """ + width = int(self.config["PRINTWIDTH"]) + outstream.write(center("GLSA %s: \n%s" % (self.nr, self.title), width)+"\n") + outstream.write((width*"=")+"\n") + outstream.write(wrap(self.synopsis, width, caption="Synopsis: ")+"\n") + outstream.write("Announced on: %s\n" % self.announced) + outstream.write("Last revised on: %s\n\n" % self.revised) + if self.glsatype == "ebuild": + for k in self.packages.keys(): + pkg = self.packages[k] + for path in pkg: + vul_vers = "".join(path["vul_vers"]) + unaff_vers = "".join(path["unaff_vers"]) + outstream.write("Affected package: %s\n" % k) + outstream.write("Affected archs: ") + if path["arch"] == "*": + outstream.write("All\n") + else: + outstream.write("%s\n" % path["arch"]) + outstream.write("Vulnerable: %s\n" % vul_vers) + outstream.write("Unaffected: %s\n\n" % unaff_vers) + elif self.glsatype == "infrastructure": + pass + if len(self.bugs) > 0: + outstream.write("\nRelated bugs: ") + for i in range(0, len(self.bugs)): + outstream.write(self.bugs[i]) + if i < len(self.bugs)-1: + outstream.write(", ") + else: + outstream.write("\n") + if self.background: + outstream.write("\n"+wrap(self.background, width, caption="Background: ")) + outstream.write("\n"+wrap(self.description, width, caption="Description: ")) + outstream.write("\n"+wrap(self.impact_text, width, caption="Impact: ")) + outstream.write("\n"+wrap(self.workaround, width, caption="Workaround: ")) + outstream.write("\n"+wrap(self.resolution, width, caption="Resolution: ")) + myreferences = "" + for r in self.references: + myreferences += (r.replace(" ", SPACE_ESCAPE)+NEWLINE_ESCAPE+" ") + outstream.write("\n"+wrap(myreferences, width, caption="References: ")) + outstream.write("\n") + + def isVulnerable(self): + """ + Tests if the system is affected by this GLSA by checking if any + vulnerable package versions are installed. Also checks for affected + architectures. + + @rtype: Boolean + @returns: True if the system is affected, False if not + """ + vList = [] + rValue = False + for k in self.packages.keys(): + pkg = self.packages[k] + for path in pkg: + if path["arch"] == "*" or self.config["ARCH"] in path["arch"].split(): + for v in path["vul_atoms"]: + rValue = rValue \ + or (len(match(v, "vartree")) > 0 \ + and getMinUpgrade(path["vul_atoms"], path["unaff_atoms"])) + return rValue + + def isApplied(self): + """ + Looks if the GLSA IDis in the GLSA checkfile to check if this + GLSA was already applied. + + @rtype: Boolean + @returns: True if the GLSA was applied, False if not + """ + aList = portage.grabfile(self.config["CHECKFILE"]) + return (self.nr in aList) + + def inject(self): + """ + Puts the ID of this GLSA into the GLSA checkfile, so it won't + show up on future checks. Should be called after a GLSA is + applied or on explicit user request. + + @rtype: None + @returns: None + """ + if not self.isApplied(): + checkfile = open(self.config["CHECKFILE"], "a+") + checkfile.write(self.nr+"\n") + checkfile.close() + return None + + def getMergeList(self, least_change=True): + """ + Returns the list of package-versions that have to be merged to + apply this GLSA properly. The versions are as low as possible + while avoiding downgrades (see L{getMinUpgrade}). + + @type least_change: Boolean + @param least_change: True if the smallest possible upgrade should be selected, + False for an emerge-like algorithm + @rtype: List of Strings + @return: list of package-versions that have to be merged + """ + rValue = [] + for pkg in self.packages.keys(): + for path in self.packages[pkg]: + update = getMinUpgrade(path["vul_atoms"], path["unaff_atoms"], minimize=least_change) + if update: + rValue.append(update) + return rValue |