summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Buchholz <rbu@goodpoint.de>2009-03-20 04:43:47 +0100
committerRobert Buchholz <rbu@goodpoint.de>2009-03-20 04:43:47 +0100
commit034b062871f56e8348e62833d5eb8b156ac4e4a0 (patch)
tree416f62e9527d074604178a51b93b4ff2182127dd
parentInitial version of KISS2 (diff)
downloadkernel-check-kiss2-old.tar.gz
kernel-check-kiss2-old.tar.bz2
kernel-check-kiss2-old.zip
Add doc and some old functionskiss2-old
-rw-r--r--GOALS20
-rw-r--r--example.xml2
-rw-r--r--kernsecbugz.txt55
-rwxr-xr-xkiss2.py55
-rw-r--r--out.xml15
5 files changed, 134 insertions, 13 deletions
diff --git a/GOALS b/GOALS
new file mode 100644
index 0000000..ba09572
--- /dev/null
+++ b/GOALS
@@ -0,0 +1,20 @@
+
+* Assess local machine kernel security
+* Support kernel security maintenance
+ - Vulnerability status of *-sources in the tree (->maintainer)
+ - Status of stable / unstable sources (->arch team)
+ - Stale open bugs (->security team)
+
+
+Interfaces:
+ - Gentoo user (Is my machine vulnerable?)
+ - Report (local cli / public xml+html / graphs)
+ - TODO list (cc arch teams, ping maintainer, close bug)
+ + automate TODOs
+
+Backend
+ input:
+ - Bugs from bugzilla: ID, Title, URL, Severity, Architecture, Intervals
+ - CVE feeds from nvd.nist.gov
+ - GENPATCHES history + current portage tree
+
diff --git a/example.xml b/example.xml
index f0b0a92..0bfc20c 100644
--- a/example.xml
+++ b/example.xml
@@ -1,7 +1,7 @@
<bug>
- <id>221123</id>
+ <bugno>221123</bugno>
<title><![CDATA[ Linux Kernels 2.6.22->2.6.25.2 - utimensat() file time modification bypass vulnerability (CVE-2008-2148) ]]></title>
<cve>
<id>CVE-2008-2148</id>
diff --git a/kernsecbugz.txt b/kernsecbugz.txt
new file mode 100644
index 0000000..467b01b
--- /dev/null
+++ b/kernsecbugz.txt
@@ -0,0 +1,55 @@
+Bugzilla Kernel Version specification
+
+The whiteboard field on the bug should be used to specify the vulnerable
+versions of all kernel sources for this bug. A bug can affect a package in three
+ways (and can therefore be fixed in three ways):
+ (1) by affecting the kernel.org release ("linux"),
+ (2) by affecting a certian set of Gentoo Patchsets ("gp")
+ (3) by affecting a specific set of Gentoo kernel sources ("*-sources").
+
+The priorities of these levels override each other with 3 having the highest
+priority (2 second and 1 lowest)  Note that priority does not mean severity of
+the bug. Rather, the priority level is a scale of generality with 1 having the
+highest generality. A whiteboard entry of the type [linux] affects all kernels
+based off that version until a higher priority entry is added.
+
+Higher levels (2, 3) should normally only mark unaffected versions that are
+affected in lower levels. To override this and expand the "affected" interval
+over the boundaries giving by lower levels, version specifiers should be
+prefixed with a "+".
+
+Intervals specify the affected versions and can, for each level, be specified
+open (with upper or lower boundary only), or closed, either inclusive or not.
+Spaces are discarded.
+
+The order in which interval are specified is irrelevant.
+
+Examples:
+ [linux > 2.6] -- means all Linux releases since 2.6 are affected
+ [linux < 2.6.24.3] -- means all Linux versions prior to 2.6.24.3 are affected.
+ [linux >= 2.6.24 < 2.6.24.3] -- means all Linux versions greater than, and
+ including, 2.6.24, except if they are equal or greater than .3
+
+
+Complex examples:
+ [linux >= 2.6.18 < 2.6.24.3] [gp < 2.6.23-8]
+ This means: affected is every kernel based on a linux release higher/equal than
+ 2.6.18, but not those based on 2.6.24.3 or later. Kernels using a genpatches
+ version 2.6.23-8 or later are also not affected. 2.6.17 or earlier kernels
+ using genpatches are not affected.
+
+ [linux >= 2.6.18 < 2.6.24.3] [gp +< 2.6.23-8]
+ Same as before, except even 2.6.17 and earlier genpatched kernerls are also
+ affected (because of the +).
+
+ [linux >= 2.6.18 < 2.6.24.3] [gp >= 2.6.15 +<= 2.6.23-8]
+  Similar to the previous example, except kernels using genpatches are
+ affected from versions 2.6.15 (inclusive) up to 2.6.23-8 (inclusive).
+
+ [linux >= 2.6.18] [gp >= 2.6.23 < 2.6.23-8] [gp < 2.6.22-10]
+ All Linuxes since 2.6.18, unaffected are all Genpatched kernels between
+ 2.6.22-10 and (not including) 2.6.23, plus those after 2.6.23-8.
+
+ [linux >= 2.6.18 < 2.6.24.3] [gp < 2.6.23-8] [xen < 2.6.18-r9] [xen >= 2.6.19]
+ Same as the first example, except the 2.6.18 series of xen-kernels was fixed in 2.6.18-r9.
+
diff --git a/kiss2.py b/kiss2.py
index 9ede7b6..16a838f 100755
--- a/kiss2.py
+++ b/kiss2.py
@@ -10,6 +10,7 @@ import os
import portage
import portage_versions
import re
+import elementtree.ElementTree as ET
genpatcheslist="./output/genpversions.txt"
@@ -251,6 +252,23 @@ class IntervalEntry:
val += "<%s" % (self.upper)
return val
+ def to_xml(self, element = None):
+ intnode = ET.Element("interval")
+ if element:
+ element.append(bugnode)
+
+ intnode.source = self.name
+
+
+ for item in ("bugno", "title", "arch", "severity", "url"):
+ c = ET.SubElement(bugnode, item)
+ c.text = self.__getattribute__(item)
+ for entry in self.affected:
+ entry.to_xml(bugnode)
+ for cve in self.cve:
+ cve.to_xml(bugnode)
+ return bugnode
+
def is_in_interval(self, version):
""" Returns True if the given version is inside our specified interval, False otherwise.
Note: 'name' is discarded in the comparison. """
@@ -295,11 +313,14 @@ class IntervalEntry:
return True
-class Bug:
- def __init__(self, bugno, title = "", severity = "normal", affected = ()):
+class Bug(object):
+ def __init__(self, bugno, title = "", arch = "All", severity = "normal", url = "", affected = (), cves = ""):
self.bugno = bugno
self.title = title
+ self.arch = arch
self.severity = severity
+ self.url = url
+ self.cves = cves
self.affected = affected #(Entry("linux", "<", "2.6.23"),Entry("gp", "<", "2.6.20-14"),Entry("hardened", ">", "2.6"))
def affects(self, kernelatom):
@@ -354,6 +375,25 @@ class Bug:
affected = False
return affected
+ def to_xml(self, element = None):
+ bugnode = ET.Element("bug")
+ if element:
+ element.append(bugnode)
+
+ for item in ("bugno", "title", "arch", "severity", "url"):
+ c = ET.SubElement(bugnode, item)
+ c.text = self.__getattribute__(item)
+
+ affnode = bugnode.append("affected")
+ for entry in self.affected:
+ entry.to_xml(affnode)
+
+ cves = bugnode.append("cves")
+ for cve in self.cve:
+ cve.to_xml(cves)
+ return bugnode
+
+
def set_from_whiteboard(self, whiteboard):
""" Set the Bug's values given reading a Status Whiteboard string from a Bug. """
if whiteboard == None:
@@ -429,12 +469,13 @@ class Bugzilla:
bugid = bug_raw['bugid']
bug_xml = self.bz.get(bugid)
- bug = Bug(bugid, bug_raw['desc'], bug_raw['severity'])
+ bug = Bug(bugid, bug_raw['desc'], bug_raw['arch'], bug_raw['severity'], url = "")
try:
bug.set_from_whiteboard(bug_xml.find('//status_whiteboard').text)
self.bugs.append(bug)
+ bug.to_xml()
except:
- #print sys.exc_value
+ print sys.exc_value
self.failed_bugs.append(bug)
@@ -467,8 +508,8 @@ def main():
if __name__ == "__main__":
- try:
+ #try:
main()
- except KeyboardInterrupt:
- print '\n ! Exiting.'
+ #except KeyboardInterrupt:
+ #print '\n ! Exiting.'
diff --git a/out.xml b/out.xml
index 1e6d2cc..3e9c0b4 100644
--- a/out.xml
+++ b/out.xml
@@ -1,10 +1,7 @@
<bug>
<id>221123</id>
<title> Linux Kernels 2.6.22-&gt;2.6.25.2 - utimensat() file time modification bypass vulnerability (CVE-2008-2148) </title>
- <cve>
- <id>CVE-2008-2148</id>
- <desc> The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and other versions before 2.6.25.3 does not check file permissions when certain UTIME_NOW and UTIME_OMIT combinations are used, which allows local users to modify file times of arbitrary files, possibly leading to a denial of service. </desc>
- </cve>
+ <cve>CVE-2008-2148</cve>
<url>http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git;a=blob;f=review-2.6.25/vfs-fix-permission-checking-in-sys_utimensat.patch;h=1da0b9bf9f078e3eb147a6799e5a74af2484014a;hb=cbe22288b271b4e4e51f5573281662f53466e41a</url>
<arch>All</arch>
<severity>normal</severity>
@@ -14,4 +11,12 @@
<upper inclusive="false">2.6.25.2</upper>
</interval>
</affected>
-</bug> \ No newline at end of file
+</bug>
+
+
+<cve xml:id="CVE-2008-2148">
+ <desc> The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and other versions before 2.6.25.3 does not check file permissions when certain UTIME_NOW and UTIME_OMIT combinations are used, which allows local users to modify file times of arbitrary files, possibly leading to a denial of service. </desc>
+ <cvss>(AV:N/AC:L/Au:N/C:N/I:N/A:P)</cvss>
+</cve>
+
+<!-- CVSS explained: http://nvd.nist.gov/cvss.cfm?vectorinfo&version=2 -->