#!/bin/bash
# Author: Kees Cook <kees@ubuntu.com>
# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
# Copyright: 2011,2012 Canonical, Ltd
# License: GPLv3
#
# Walk through the steps to do a standard kernel publication using the
# CVE statuses populated in UCT ahead of time. This handles steps 1
# through 5 of:
# https://wiki.ubuntu.com/SecurityTeam/UpdatePublication
#
# This script is still in the testing phase...
set -e
#######################################
# Print the usage summary and option list.
# Globals:   none
# Arguments: none (uses $0 for the program name)
# Outputs:   usage text on stderr, so stdout stays clean for the
#            SRCPKG=/USN= lines emitted at the end of the script
# Returns:   0
#######################################
help()
{
  cat >&2 <<EOF
$0 [-n] [-i CVE] RELEASE PACKAGE VERSION
 -n Dry run
 -i CVE[,CVE...] Ignore specific CVEs in the changelog
 -a CVE[,CVE...] Add specific CVEs not found in the pending fixes
 -u USN Use specific USN
 -f Fetch a new USN
 -e Include EoL releases
 -s Skip binary package build check
 -b Bypass checks for a USN already existing for the specified kernel
 -p RELEASE Treat USN as a binary pocket copy from RELEASE
 -P PPA Use kernels from PPA rather than the Ubuntu archive
 -r Treat as a regression
EOF
}
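# Option state. Everything is given an explicit empty default so that the
# checks below are not influenced by variables inherited from the caller's
# environment (the script only uses "set -e", not "set -u").
GENERATE_ARGS=
DRYRUN=
EXTRA_CVES=
USN=
FETCH=
SKIP_BUILD_CHECK=
INCLUDE_EOL=
POCKET=""
PPA="ubuntu"
REGRESSION=
# Previously uninitialised, so a stray SKIP_SANITY_CHECK in the environment
# would silently disable the "USN already exists" check further down.
SKIP_SANITY_CHECK=
# "h" and "r" are documented in help() and handled in the case below, but
# were missing from the optstring, so getopts rejected "-h" and "-r" as
# unknown options. They are accepted now.
while getopts "nsbfehri:a:u:p:P:" opt
do
  case "$opt" in
    i) GENERATE_ARGS="--ignore-cves $OPTARG";;
    a) EXTRA_CVES="$OPTARG";;
    u) USN="$OPTARG";;
    n) DRYRUN="1";;
    f) FETCH="1";;
    e) INCLUDE_EOL="--include-eol";;
    p) POCKET="$OPTARG";;
    P) PPA="${OPTARG}";;
    s) SKIP_BUILD_CHECK="--skip-build-check";;
    # Bypassing the sanity check forces a dry run so a second USN is never
    # reserved for a kernel that already has one.
    b) SKIP_SANITY_CHECK="1"; DRYRUN="1";;
    r) REGRESSION='1';;
    h) help; exit 0;;
    ?) help; exit 1;;
  esac
done
shift $((OPTIND - 1))
if [[ "$PPA" == "ubuntu" && -z "$POCKET" ]]; then
  # use the Security by default if we're working with the archive and
  # the user hasn't specified a different pocket (e.g. "Proposed").
  POCKET="Security"
fi
REL="$1"
PKG="$2"
VERSION="$3"
if [[ -z "$REL" || -z "$PKG" || -z "$VERSION" ]]; then
  help
  exit 1
fi
# REL and PKG are later interpolated into ssh command lines (re-parsed by
# the remote shell) and into the download directory path, so only accept
# plain Debian-style name tokens: lowercase alphanumerics, '.', '+', '-'.
for arg in "$REL" "$PKG"; do
  if [[ ! "$arg" =~ ^[a-z0-9][a-z0-9.+-]*$ ]]; then
    echo "Invalid release or package name: '$arg'" >&2
    exit 1
  fi
done
# Without a USN the script has no way to label the publication unless it
# is a dry run or it has been asked to reserve a new number.
if [[ -z "$USN" && -z "$DRYRUN" && -z "$FETCH" ]]; then
  echo "No USN specified. Must choose one of the following:" >&2
  echo " '-n' (dry-run)" >&2
  echo " '-f' (fetch new USN)." >&2
  echo " '-u USN' (specific USN)" >&2
  echo " '-p Pocket' (specific pocket, default 'Security')" >&2
  help
  exit 1
fi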
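# Every helper below is run relative to the UCT checkout. An unset or empty
# $UCT would not reliably make "cd" fail, so assert it up front and give a
# readable error instead of a "./scripts/...: No such file" further down.
: "${UCT:?UCT must point at the ubuntu-cve-tracker checkout}"
cd "$UCT"
latest=$(./scripts/report-latest-usn-version -r "$REL" "$PKG")
# $latest is deliberately left unquoted: what report-latest-usn-version
# prints when no earlier USN exists is not known here, so the original
# argument shape (an empty value drops the argument) is preserved.
# shellcheck disable=SC2086
./scripts/report-pending-fixes -D -r "$REL" "$PKG" $latest "$VERSION" -a "$EXTRA_CVES"
# shellcheck disable=SC2086
cves="$(./scripts/report-pending-fixes -r "$REL" "$PKG" $latest "$VERSION") $EXTRA_CVES"
META_PKG=$(./scripts/lookup-kernel-meta "$REL" "$PKG")
# Sanity check to make sure we don't publish a new USN when one
# already exists for the same kernel (bypassed only by -b).
if [[ "$latest" == "$VERSION" && -z "$SKIP_SANITY_CHECK" ]]; then
  echo "A USN already exists for kernel version $VERSION!" >&2
  echo "Try using report-mismatched-cve-fixes.py to get it modified!" >&2
  exit 1
fi
if [[ -z "$USN" ]]; then
  if [[ -n "$DRYRUN" ]]; then
    # Placeholder label; nothing is reserved on a dry run.
    USN="N-1"
  else
    # Reserving a number is a remote side effect that cannot be undone from
    # here, so remind the operator to reuse it if any later step fails.
    # Note the arguments are joined into one remote command line and
    # re-parsed by the remote shell.
    USN=$(ssh people.canonical.com "~ubuntu-security/bin/get-next-usn" "$REL" "$PKG")
    trap 'printf "Please re-use %s! Reserved for %s %s\n" "$USN" "$REL" "$PKG" >&2' ERR
  fi
fi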
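# Generated publication script and the per-kernel download directory.
# NOTE(review): $DIR is a predictable path under $TMPDIR built from argv;
# it is wiped and re-created on every run rather than via mktemp.
USN_SH=~/new-usn-${REL}-${PKG}.sh
DIR=${TMPDIR:-/tmp}/usn-$REL-$PKG
# ${DIR:?} aborts instead of expanding to "" in front of a recursive delete.
rm -rf -- "${DIR:?}"
# $INCLUDE_EOL / $SKIP_BUILD_CHECK are either empty or a single flag and must
# stay unquoted so an empty value contributes no argument. $META_PKG is the
# raw output of lookup-kernel-meta; its shape (possibly empty, possibly
# several names) is not known here, so it is also left unquoted.
# shellcheck disable=SC2086
"$UCT/scripts/sis-changes" $INCLUDE_EOL $SKIP_BUILD_CHECK --ppa "${PPA}" --pocket "${POCKET}" -r "$REL" --download "$DIR" "$PKG" ${META_PKG}
cd "$DIR"
# Binary packages whose names match this pattern are listed in the USN.
REGEX='^linux-image-(\d|generic|virtual|lowlatency|power|omap|raspi2|snapdragon|highbank)'
if [[ -z "${cves// }" ]]; then
  if [[ -n "$REGRESSION" ]]; then
    echo "INFO no cves found, is this a regression?"
  fi
  # shellcheck disable=SC2086
  "$UCT/scripts/sis-generate-usn" --kernel-mode --no-new-warn $GENERATE_ARGS --filter-bins "${REGEX}" "$USN" ./*.changes > "${USN_SH}"
else
  # Join the whitespace-separated CVE list with commas. Word-splitting the
  # unquoted $cves collapses repeated separators and the trailing space
  # left when -a was not given, exactly as the former "echo | sed" did.
  # shellcheck disable=SC2086
  cve_csv=$(printf '%s,' $cves)
  cve_csv=${cve_csv%,}
  # shellcheck disable=SC2086
  "$UCT/scripts/sis-generate-usn" --kernel-mode --no-new-warn $GENERATE_ARGS --cves "$cve_csv" --filter-bins "${REGEX}" "$USN" ./*.changes > "${USN_SH}"
fi
# $EDITOR is intentionally unquoted so values such as "editor --wait" work.
${EDITOR:-vi} "${USN_SH}"
if [[ -z "$DRYRUN" ]]; then
  # Runs the generated script the operator has just reviewed in the editor,
  # then asks the remote side to verify the upload for this USN.
  bash "${USN_SH}"
  ssh people.canonical.com "~ubuntu-security/bin/check-upload $USN"
fi
# Machine-readable summary on stdout for callers that capture it.
echo "SRCPKG=\"$PKG\""
echo "USN=$USN"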