
Re: Looking for issues affecting wheezy but fixed in squeeze



Hi,
On Thu, Jan 28, 2016 at 07:27:20PM +0100, Moritz Mühlenhoff wrote:
> On Sat, Jan 23, 2016 at 02:22:22PM +0100, Guido Günther wrote:
> > Hi,
> > 
> > now that Wheezy LTS is approaching I wondered what would be the best
> > places to help out fixing issues in Wheezy so that upgrading from
> > Squeeze to Wheezy would not introduce new security issues.
> > 
> > Therefore I added bin/lts-needs-forward-port.py (based on
> > lts-cve-triage.py) that lists issues fixed in Squeeze that are unfixed
> > or marked no-dsa in wheezy. O.k. to apply?
> 
> That should also parse next-oldstable-point-update.txt, since several of
> those are likely scheduled for the next wheezy point release.

Good point - I didn't even know about that file. New version
attached.

The CVE-<number>-XXXX issues are problematic since they're not unique,
so we have some fuzziness there until the issues get updated.

Am I reading the SVN logs correctly that they are currently hand
maintained? If so should one add user tags when filing bugs about this
to release.debian.org so it gets easier to track.

Cheers,
 -- Guido
>From 18e502cbeeeae7c30966aec5db6ea2b3474042b7 Mon Sep 17 00:00:00 2001
Message-Id: <18e502cbeeeae7c30966aec5db6ea2b3474042b7.1454074057.git.agx@sigxcpu.org>
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Sat, 23 Jan 2016 13:49:02 +0100
Subject: [PATCH] Add lts-needs-forward-port
To: debian-lts@lists.debian.org

This looks for issues fixed in LTS but yet unfixed in lts_next taking
into account next-oldstable-point-update.txt.
---
 bin/lts-needs-forward-port.py | 99 +++++++++++++++++++++++++++++++++++++++++++
 bin/tracker_data.py           | 22 ++++++++++
 2 files changed, 121 insertions(+)
 create mode 100755 bin/lts-needs-forward-port.py

diff --git a/bin/lts-needs-forward-port.py b/bin/lts-needs-forward-port.py
new file mode 100755
index 0000000..fbf859d
--- /dev/null
+++ b/bin/lts-needs-forward-port.py
@@ -0,0 +1,99 @@
+#!/usr/bin/python
+# vim: set fileencoding=utf-8 :
+#
+# Copyright 2016 Guido Günther <agx@sigxcpu.org>
+#
+# This file is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file.  If not, see <https://www.gnu.org/licenses/>.
+
+import argparse
+import collections
+import sys
+
+from tracker_data import TrackerData, RELEASES
+
+# lts is currently squeeze, next_lts wheezy
+LIST_NAMES = (
+    ('needs_fix_in_next_lts',
+     ('Issues that are unfixed in {next_lts} but fixed in {lts}'
+      ).format(**RELEASES)),
+    ('needs_review_in_next_lts',
+     ('Issues that are no-dsa in {next_lts} but fixed in {lts}'
+      ).format(**RELEASES)),
+    ('fixed_via_pu_in_oldstable',
+     ('Issues that will be fixed via p-u in {oldstable}'
+      ).format(**RELEASES)),
+)
+
+
+def main():
+    def add_to_list(key, pkg, issue):
+        assert key in [l[0] for l in LIST_NAMES]
+        lists[key][pkg].append(issue)
+
+    parser = argparse.ArgumentParser(
+        description='Find discrepancies between suites')
+    parser.add_argument('--skip-cache-update', action='store_true',
+                        help='Skip updating the tracker data cache')
+    parser.add_argument('--exclude', nargs='+', choices=[x[0] for x in LIST_NAMES],
+                        help='Filter out specified lists')
+
+    args = parser.parse_args()
+
+    lists = collections.defaultdict(lambda: collections.defaultdict(lambda: []))
+    tracker = TrackerData(update_cache=not args.skip_cache_update)
+
+    for pkg in tracker.iterate_packages():
+        for issue in tracker.iterate_pkg_issues(pkg):
+            status_in_lts = issue.get_status('lts')
+            status_in_next_lts = issue.get_status('next_lts')
+
+            if status_in_lts.status in ('not-affected', 'open'):
+                continue
+
+            if status_in_lts.status == 'resolved':
+                #  Package will be updated via the next oldstable
+                #  point release
+                if (issue.name in tracker.oldstable_point_update and
+                    pkg in tracker.oldstable_point_update[issue.name]):
+                    add_to_list('fixed_via_pu_in_oldstable', pkg, issue)
+                    continue
+
+                #  The security tracker marks "not-affected" as
+                #  "resolved in version 0" (#812410)
+                if status_in_lts.reason == 'fixed in 0':
+                    continue
+
+                if status_in_next_lts.status == 'open':
+                    add_to_list('needs_fix_in_next_lts', pkg, issue)
+                    continue
+
+                if status_in_next_lts.status == 'ignored':
+                    add_to_list('needs_review_in_next_lts', pkg, issue)
+                    continue
+
+    for key, desc in LIST_NAMES:
+        if args.exclude is not None and key in args.exclude:
+            continue
+        if not len(lists[key]):
+            continue
+        print('{}:'.format(desc))
+        for pkg in sorted(lists[key].keys()):
+            cve_list = ' '.join(
+                [i.name for i in sorted(lists[key][pkg],
+                                        key=lambda i: i.name)])
+            print('* {:20s} -> {}'.format(pkg, cve_list))
+        print('')
+
+if __name__ == '__main__':
+    sys.exit(main())
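Review bot: The point-update branch in `main()` uses `tracker.oldstable_point_update` to decide that an issue needs no work in `next_lts`, which is only correct while `next_lts` and `oldstable` name the same suite. The comment above `LIST_NAMES` records the squeeze/wheezy mapping but not this assumption. Once the two keys diverge, issues would be filed under "fixed via p-u" and skipped by the `continue` before their `next_lts` status is examined, so unfixed CVEs could drop out of the needs-fix list. I would state the assumption next to the check, e.g. `# assumes RELEASES['next_lts'] == RELEASES['oldstable']`, or test it before doing the lookup.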
diff --git a/bin/tracker_data.py b/bin/tracker_data.py
index 28f8a7f..e1b97ae 100644
--- a/bin/tracker_data.py
+++ b/bin/tracker_data.py
@@ -103,6 +103,7 @@ class TrackerData(object):
         with open(self.cached_data_path, 'r') as f:
             self.data = json.load(f)
         self.load_dsa_dla_needed()
+        self.load_point_updates()
 
     @classmethod
     def parse_needed_file(self, inputfile):
@@ -137,6 +138,27 @@ class TrackerData(object):
         with open(os.path.join(self.DATA_DIR, 'dla-needed.txt'), 'r') as f:
             self.dla_needed = self.parse_needed_file(f)
 
+    @classmethod
+    def parse_point_update_file(self, inputfile):
+        CVE_RE = 'CVE-[0-9]{4}-[0-9X]{4}'
+        result = {}
+        for line in inputfile:
+            res = re.match(CVE_RE, line)
+            if res:
+                cve = res.group(0)
+                result[cve] = {}
+                continue
+            elif line.startswith('\t['):
+                dist, _, pkg, ver = line.split()
+                result[cve][pkg] = ver
+        return result
+
+    def load_point_updates(self):
+        with open(os.path.join(self.DATA_DIR, 'next-oldstable-point-update.txt'), 'r') as f:
+            self.oldstable_point_update = self.parse_point_update_file(f)
+        with open(os.path.join(self.DATA_DIR, 'next-point-update.txt'), 'r') as f:
+            self.stable_point_update = self.parse_point_update_file(f)
+
     def iterate_packages(self):
         """Iterate over known packages"""
         for pkg in self.data:
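Review bot: `CVE_RE` in `parse_point_update_file` matches exactly four characters after the year, and `re.match` accepts a prefix, so an identifier with a longer sequence number is stored under a truncated key. Such an entry then never equals the tracker's `issue.name`, and it may collide with a different CVE that shares the prefix. Allowing longer identifiers avoids this: `CVE_RE = r'CVE-[0-9]{4}-[0-9X]{4,}'`. Separately, a `\t[` line that appears before any CVE header raises on the unbound `cve`, and the four-way unpack of `line.split()` raises on any line with a different token count, so one malformed line aborts `TrackerData` loading for every tool. Initialising `cve = None` and skipping lines that do not parse would make the loader tolerant.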
-- 
2.7.0.rc3

