-rw-r--r-- | GOALS | 20 | ||||
-rw-r--r-- | example.xml | 2 | ||||
-rw-r--r-- | kernsecbugz.txt | 55 | ||||
-rwxr-xr-x | kiss2.py | 55 | ||||
-rw-r--r-- | out.xml | 15 |
5 files changed, 134 insertions, 13 deletions
@@ -0,0 +1,20 @@ + +* Assess local machine kernel security +* Support kernel security maintenance + - Vulnerability status of *-sources in the tree (->maintainer) + - Status of stable / unstable sources (->arch team) + - Stale open bugs (->security team) + + +Interfaces: + - Gentoo user (Is my machine vulnerable?) + - Report (local cli / public xml+html / graphs) + - TODO list (cc arch teams, ping maintainer, close bug) + + automate TODOs + +Backend + input: + - Bugs from bugzilla: ID, Title, URL, Severity, Architecture, Intervals + - CVE feeds from nvd.nist.gov + - GENPATCHES history + current portage tree + diff --git a/example.xml b/example.xml index f0b0a92..0bfc20c 100644 --- a/example.xml +++ b/example.xml @@ -1,7 +1,7 @@ <bug> - <id>221123</id> + <bugno>221123</bugno> <title><![CDATA[ Linux Kernels 2.6.22->2.6.25.2 - utimensat() file time modification bypass vulnerability (CVE-2008-2148) ]]></title> <cve> <id>CVE-2008-2148</id> diff --git a/kernsecbugz.txt b/kernsecbugz.txt new file mode 100644 index 0000000..467b01b --- /dev/null +++ b/kernsecbugz.txt 
@@ -0,0 +1,55 @@ +Bugzilla Kernel Version specification + +The whiteboard field on the bug should be used to specify the vulnerable +versions of all kernel sources for this bug. A bug can affect a package in three +ways (and can therefore be fixed in three ways): + (1) by affecting the kernel.org release ("linux"), + (2) by affecting a certian set of Gentoo Patchsets ("gp") + (3) by affecting a specific set of Gentoo kernel sources ("*-sources"). + +The priorities of these levels override each other with 3 having the highest +priority (2 second and 1 lowest) Note that priority does not mean severity of +the bug. Rather, the priority level is a scale of generality with 1 having the +highest generality. A whiteboard entry of the type [linux] affects all kernels +based off that version until a higher priority entry is added. + +Higher levels (2, 3) should normally only mark unaffected versions that are +affected in lower levels. To override this and expand the "affected" interval +over the boundaries giving by lower levels, version specifiers should be +prefixed with a "+". + +Intervals specify the affected versions and can, for each level, be specified +open (with upper or lower boundary only), or closed, either inclusive or not. +Spaces are discarded. + +The order in which interval are specified is irrelevant. + +Examples: + [linux > 2.6] -- means all Linux releases since 2.6 are affected + [linux < 2.6.24.3] -- means all Linux versions prior to 2.6.24.3 are affected. + [linux >= 2.6.24 < 2.6.24.3] -- means all Linux versions greater than, and + including, 2.6.24, except if they are equal or greater than .3 + + +Complex examples: + [linux >= 2.6.18 < 2.6.24.3] [gp < 2.6.23-8] + This means: affected is every kernel based on a linux release higher/equal than + 2.6.18, but not those based on 2.6.24.3 or later. Kernels using a genpatches + version 2.6.23-8 or later are also not affected. 2.6.17 or earlier kernels + using genpatches are not affected. 
+ + [linux >= 2.6.18 < 2.6.24.3] [gp +< 2.6.23-8] + Same as before, except even 2.6.17 and earlier genpatched kernerls are also + affected (because of the +). + + [linux >= 2.6.18 < 2.6.24.3] [gp >= 2.6.15 +<= 2.6.23-8] + Similar to the previous example, except kernels using genpatches are + affected from versions 2.6.15 (inclusive) up to 2.6.23-8 (inclusive). + + [linux >= 2.6.18] [gp >= 2.6.23 < 2.6.23-8] [gp < 2.6.22-10] + All Linuxes since 2.6.18, unaffected are all Genpatched kernels between + 2.6.22-10 and (not including) 2.6.23, plus those after 2.6.23-8. + + [linux >= 2.6.18 < 2.6.24.3] [gp < 2.6.23-8] [xen < 2.6.18-r9] [xen >= 2.6.19] + Same as the first example, except the 2.6.18 series of xen-kernels was fixed in 2.6.18-r9. + @@ -10,6 +10,7 @@ import os import portage import portage_versions import re +import elementtree.ElementTree as ET genpatcheslist="./output/genpversions.txt" @@ -251,6 +252,23 @@ class IntervalEntry: val += "<%s" % (self.upper) return val + def to_xml(self, element = None): + intnode = ET.Element("interval") + if element: + element.append(bugnode) + + intnode.source = self.name + + + for item in ("bugno", "title", "arch", "severity", "url"): + c = ET.SubElement(bugnode, item) + c.text = self.__getattribute__(item) + for entry in self.affected: + entry.to_xml(bugnode) + for cve in self.cve: + cve.to_xml(bugnode) + return bugnode + def is_in_interval(self, version): """ Returns True if the given version is inside our specified interval, False otherwise. Note: 'name' is discarded in the comparison. """ 
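Review bot: `import elementtree.ElementTree as ET` adds a third-party package dependency for an API that has shipped in the standard library as `xml.etree.ElementTree` since Python 2.5; unless the tool must still run on older interpreters, `import xml.etree.ElementTree as ET` keeps every call site unchanged and drops the install step. If the external package is a deliberate choice, a one-line comment saying why would stop the next person from "fixing" it.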
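Review bot: `IntervalEntry.to_xml` cannot run as written: it creates `intnode`, but every later line refers to `bugnode`, which is never assigned in this method, so the first call raises NameError. The body below that point looks like a copy of `Bug.to_xml` — it emits bug fields (`bugno`, `title`, `arch`, ...) and iterates `self.affected`/`self.cve`, none of which an interval has — while the bound this class actually tracks (`self.upper` on the context line above, and whatever holds the lower side) is never written out; `intnode.source = self.name` also sets a Python attribute on the Element object rather than an XML attribute, which `ET.tostring` silently ignores, so `intnode.set("source", self.name)` is needed. A further ElementTree trap is `if element:` — an Element with no children is falsy, so a freshly created parent passed in would never receive the node; test `element is not None`. The sketch below keeps the signature and emits the bounds as sub-elements, matching the `<upper inclusive="false">` shape in out.xml from this commit; the attribute that stores inclusiveness is not visible in this hunk and still has to be wired in where marked.
```python
    def to_xml(self, element = None):
        intnode = ET.Element("interval")
        if element is not None:          # a childless Element is falsy, never test truthiness
            element.append(intnode)
        intnode.set("source", self.name)
        for bound in ("lower", "upper"):
            value = getattr(self, bound, None)   # lower-bound attribute name: confirm against __init__
            if value is None:
                continue
            node = ET.SubElement(intnode, bound)
            node.text = str(value)
            # TODO: node.set("inclusive", ...) from the entry's inclusiveness flag
        return intnode
```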
@@ -295,11 +313,14 @@ class IntervalEntry: return True -class Bug: - def __init__(self, bugno, title = "", severity = "normal", affected = ()): +class Bug(object): + def __init__(self, bugno, title = "", arch = "All", severity = "normal", url = "", affected = (), cves = ""): self.bugno = bugno self.title = title + self.arch = arch self.severity = severity + self.url = url + self.cves = cves self.affected = affected #(Entry("linux", "<", "2.6.23"),Entry("gp", "<", "2.6.20-14"),Entry("hardened", ">", "2.6")) def affects(self, kernelatom): @@ -354,6 +375,25 @@ class Bug: affected = False return affected + def to_xml(self, element = None): + bugnode = ET.Element("bug") + if element: + element.append(bugnode) + + for item in ("bugno", "title", "arch", "severity", "url"): + c = ET.SubElement(bugnode, item) + c.text = self.__getattribute__(item) + + affnode = bugnode.append("affected") + for entry in self.affected: + entry.to_xml(affnode) + + cves = bugnode.append("cves") + for cve in self.cve: + cve.to_xml(cves) + return bugnode + + def set_from_whiteboard(self, whiteboard): """ Set the Bug's values given reading a Status Whiteboard string from a Bug. """ if whiteboard == None: @@ -429,12 +469,13 @@ class Bugzilla: bugid = bug_raw['bugid'] bug_xml = self.bz.get(bugid) - bug = Bug(bugid, bug_raw['desc'], bug_raw['severity']) + bug = Bug(bugid, bug_raw['desc'], bug_raw['arch'], bug_raw['severity'], url = "") try: bug.set_from_whiteboard(bug_xml.find('//status_whiteboard').text) self.bugs.append(bug) + bug.to_xml() except: - #print sys.exc_value + print sys.exc_value self.failed_bugs.append(bug) @@ -467,8 +508,8 @@ def main(): if __name__ == "__main__": - try: + #try: main() - except KeyboardInterrupt: - print '\n ! Exiting.' + #except KeyboardInterrupt: + #print '\n ! Exiting.' 
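Review bot: Inserting `arch` as a new positional parameter between `title` and `severity` silently re-means existing positional call sites — a caller still doing `Bug(bugid, desc, severity)` now stores the severity string as the architecture and gets the default severity, with no error; the one call in `Bugzilla` is updated in this commit, but any other constructor call is not. Appending the new parameters after `affected` (or requiring them by keyword) avoids that: `def __init__(self, bugno, title = "", severity = "normal", affected = (), arch = "All", url = "", cves = ()):`. Separately, `cves = ""` is a string default while `Bug.to_xml` iterates it as a sequence of CVE objects, so the default is walked one character at a time; `cves = ()` matches the `affected = ()` convention already used on the same line.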
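Review bot: `Bug.to_xml` never attaches the interval or CVE children: `bugnode.append("affected")` returns None (and, depending on the ElementTree version, rejects a plain string outright), so `affnode` and `cves` are None and `entry.to_xml(affnode)` either skips the parent or blows up inside the callee; `ET.SubElement(bugnode, "affected")` is what was meant. The loop also reads `self.cve`, but `__init__` in this same commit stores the value as `self.cves`, so the method raises AttributeError on every bug. Two smaller points: `if element:` is false for an Element with no children, so a new parent passed in is silently ignored — use `is not None`; and `c.text = self.__getattribute__(item)` will serialise only if the value is a string, so if `bugid` arrives from Bugzilla as an int the failure surfaces later at `tostring` time. Rewritten body (the file is Python 2, hence `basestring`):
```python
    def to_xml(self, element = None):
        bugnode = ET.Element("bug")
        if element is not None:          # a childless Element is falsy
            element.append(bugnode)

        for item in ("bugno", "title", "arch", "severity", "url"):
            value = getattr(self, item)
            c = ET.SubElement(bugnode, item)
            c.text = value if isinstance(value, basestring) else str(value)

        affnode = ET.SubElement(bugnode, "affected")   # append() returns None
        for entry in self.affected:
            entry.to_xml(affnode)

        cvesnode = ET.SubElement(bugnode, "cves")
        for cve in self.cves:                          # __init__ stores 'cves', not 'cve'
            cve.to_xml(cvesnode)
        return bugnode
```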
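Review bot: `bug.to_xml()` is called inside the `try` after the bug has already been appended to `self.bugs`, and its return value is discarded; with `Bug.to_xml` as committed (it reads `self.cve`, which `__init__` never sets) the call raises for every bug, so each bug lands in both `self.bugs` and `self.failed_bugs`, and the newly un-commented `print sys.exc_value` reports a serialisation error as if the whiteboard had failed to parse. Drop the call from this loop and serialise when the report is written, or at least move it out of the `try`. Either way the bare `except:` should be narrowed — it also swallows `KeyboardInterrupt` and `SystemExit`, which is why Ctrl-C never reaches the handler in `main` — to something like `except Exception, e: print "bug %s: %s" % (bugid, e)` so the failed bug is identifiable. `url = ""` is hard-coded even though `bugid` is at hand; it should be built from whatever base URL `self.bz` is configured with (not visible here), and `bug_raw['arch']` is read outside the `try`, so if Bugzilla can omit that key the whole loop aborts instead of the one bug being recorded as failed — `bug_raw.get('arch', 'All')` would keep the loop alive.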
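Review bot: The `KeyboardInterrupt` handler around `main()` is commented out rather than removed, leaving a `#try:` / `#except KeyboardInterrupt:` skeleton around a dedented `main()` call; if the goal is to see full tracebacks while debugging, delete the three comment lines, and if the handler is meant to return, keep it live. Note that the bare `except:` in the `Bugzilla` bug loop catches `KeyboardInterrupt` before it can propagate to this point, so the handler only ever worked outside that loop anyway.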
@@ -1,10 +1,7 @@
 <bug>
 <id>221123</id>
 <title> Linux Kernels 2.6.22->2.6.25.2 - utimensat() file time modification bypass vulnerability (CVE-2008-2148) </title>
- <cve>
- <id>CVE-2008-2148</id>
- <desc> The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and other versions before 2.6.25.3 does not check file permissions when certain UTIME_NOW and UTIME_OMIT combinations are used, which allows local users to modify file times of arbitrary files, possibly leading to a denial of service. </desc>
- </cve>
+ <cve>CVE-2008-2148</cve>
 <url>http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git;a=blob;f=review-2.6.25/vfs-fix-permission-checking-in-sys_utimensat.patch;h=1da0b9bf9f078e3eb147a6799e5a74af2484014a;hb=cbe22288b271b4e4e51f5573281662f53466e41a</url>
 <arch>All</arch>
 <severity>normal</severity>
@@ -14,4 +11,12 @@
 <upper inclusive="false">2.6.25.2</upper>
 </interval>
 </affected>
-</bug>
\ No newline at end of file
+</bug>
+
+
+<cve xml:id="CVE-2008-2148">
+ <desc> The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and other versions before 2.6.25.3 does not check file permissions when certain UTIME_NOW and UTIME_OMIT combinations are used, which allows local users to modify file times of arbitrary files, possibly leading to a denial of service. </desc>
+ <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>
+</cve>
+
+<!-- CVSS explained: http://nvd.nist.gov/cvss.cfm?vectorinfo&version=2 --> |
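Review bot: Moving the CVE record out of `<bug>` into a sibling `<cve xml:id="CVE-2008-2148">` leaves out.xml with two top-level elements plus a trailing comment, which is not a well-formed XML document — `ET.parse` and any other conforming parser will reject it — so either wrap both in a single root (`<report>…</report>`) or keep CVE records in a separate file. The CVSS vector `(AV:N/AC:L/Au:N/C:N/I:N/A:P)` also contradicts the description two lines above it, which says the flaw "allows local users" to modify file times: that is a local access vector (`AV:L`), and the remaining metrics should be checked against the NVD feed the GOALS file lists as an input rather than typed by hand. Since this file appears to be the hand-written target format for the generator, it is worth getting both right before `to_xml` is written to match it.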