#!/bin/bash
# Author: Kees Cook <kees@ubuntu.com>
# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
# Copyright: 2011,2012 Canonical, Ltd
# License: GPLv3
#
# Walk through the steps to do a standard kernel publication using the
# CVE statuses populated in UCT ahead of time. This handles steps 1
# through 5 of:
# https://wiki.ubuntu.com/SecurityTeam/UpdatePublication
#
# This script is still in the testing phase...
# Abort on the first failing command (conditions in if/&&/|| are exempt, as
# usual).  The ERR trap installed after a USN has been reserved runs before
# that abort, so the operator is told which number to re-use.
set -o errexit

help()
{
    # Usage text goes to stderr so it never mixes with the SRCPKG=/USN=
    # lines the script prints on stdout at the end.
    cat >&2 <<EOF
$0 [-n] [-i CVE] RELEASE PACKAGE VERSION
 -n                Dry run
 -i CVE[,CVE...]   Ignore specific CVEs in the changelog
 -a CVE[,CVE...]   Add specific CVEs not found in the pending fixes
 -u USN            Use specific USN
 -f                Fetch a new USN
 -e                Include EoL releases
 -s                Skip binary package build check
 -b                Bypass checks for a USN already existing for the specified kernel
 -p RELEASE        Treat USN as a binary pocket copy from RELEASE
 -P PPA            Use kernels from PPA rather than the Ubuntu archive
 -r                Treat as a regression
EOF
}

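# Option state, overwritten by the getopts loop below.  Every flag is
# initialised here so the later "-z" tests read a defined (possibly empty)
# value; SKIP_SANITY_CHECK was previously the only one left uninitialised.
GENERATE_ARGS=            # extra words for sis-generate-usn ("--ignore-cves ...")
DRYRUN=                   # non-empty: the generated script is edited but not run
EXTRA_CVES=               # CVEs to add beyond what report-pending-fixes lists
USN=                      # USN to use; fetched (or a dry-run placeholder) if empty
FETCH=                    # non-empty: satisfies the "No USN specified" check (-f)
SKIP_BUILD_CHECK=         # passed through to sis-changes
INCLUDE_EOL=              # passed through to sis-changes
SKIP_SANITY_CHECK=        # non-empty: allow a version that already has a USN (-b)
POCKET=""                 # defaults to "Security" below when using the archive
PPA="ubuntu"              # "ubuntu" means the primary archive rather than a PPA
REGRESSION=               # non-empty: print the "no cves found" regression hint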

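#######################################
# Parse the option flags into the script's globals (GENERATE_ARGS, EXTRA_CVES,
# USN, DRYRUN, FETCH, INCLUDE_EOL, POCKET, PPA, SKIP_BUILD_CHECK,
# SKIP_SANITY_CHECK, REGRESSION).  OPTIND is left where getopts stopped so
# the caller can shift the consumed options away.
# Arguments: the script's "$@"
# Outputs:   help text on stderr for -h or an unknown option
# Returns:   does not return for -h (exit 0) or an unknown option (exit 1)
#######################################
parse_options() {
    local opt
    # 'h' and 'r' are documented in help() and handled below but were missing
    # from the getopts string, so -h exited 1 and -r was rejected as unknown.
    while getopts "nsbfehri:a:u:p:P:" opt; do
        case "$opt" in
            i) GENERATE_ARGS="--ignore-cves $OPTARG" ;;
            a) EXTRA_CVES="$OPTARG" ;;
            u) USN="$OPTARG" ;;
            n) DRYRUN="1" ;;
            f) FETCH="1" ;;
            e) INCLUDE_EOL="--include-eol" ;;
            p) POCKET="$OPTARG" ;;
            P) PPA="${OPTARG}" ;;
            s) SKIP_BUILD_CHECK="--skip-build-check" ;;
            # Bypassing the "USN already exists" check also forces a dry run,
            # so the bypass alone can never reach the publish step.
            b) SKIP_SANITY_CHECK="1"; DRYRUN="1" ;;
            r) REGRESSION='1' ;;
            h) help; exit 0 ;;
            *) help; exit 1 ;;
        esac
    done
}

parse_options "$@"
shift $((OPTIND - 1))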

# When working against the primary archive and no pocket was requested,
# default to the Security pocket (the operator may pass e.g. -p Proposed).
if [[ "${PPA}" == "ubuntu" && -z "${POCKET}" ]]; then
    POCKET="Security"
fi

REL=$1
PKG=$2
VERSION=$3

# All three positionals are mandatory; anything missing is a usage error.
if [[ -z "$REL" || -z "$PKG" || -z "$VERSION" ]]; then
    help
    exit 1
fi

# Without -u, -n or -f there is no way to obtain a USN, so stop here.
# NOTE(review): the message also lists -p, but POCKET is not part of this
# condition -- confirm whether that line is intended.
if [[ -z "$USN" && -z "$DRYRUN" && -z "$FETCH" ]]; then
    cat >&2 <<'EOF'
No USN specified. Must choose one of the following:
 '-n' (dry-run)
 '-f' (fetch new USN).
 '-u USN' (specific USN)
 '-p Pocket' (specific pocket, default 'Security')
EOF
    help
    exit 1
fi

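# UCT must point at the ubuntu-cve-tracker checkout; every helper below is
# run relative to it.  Fail loudly instead of running "./scripts/..." from
# whatever directory the shell happens to be in when UCT is unset.
: "${UCT:?UCT must point at the ubuntu-cve-tracker checkout}"
cd "$UCT"

# Version covered by the most recent USN for this release/package; with
# set -e a failing helper aborts the script here rather than continuing
# with an empty value.
latest=$(./scripts/report-latest-usn-version -r "$REL" "$PKG")
# $latest is deliberately left unquoted in the three calls below so an empty
# result drops out of the argument list exactly as it did before.
./scripts/report-pending-fixes -D -r "$REL" "$PKG" $latest "$VERSION" -a "$EXTRA_CVES"
cves="$(./scripts/report-pending-fixes -r "$REL" "$PKG" $latest "$VERSION") $EXTRA_CVES"
META_PKG=$(./scripts/lookup-kernel-meta "$REL" "$PKG")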

# Refuse to mint a new USN for a kernel version that already has one,
# unless the operator explicitly bypassed this check with -b.
if [[ "$latest" == "$VERSION" && -z "$SKIP_SANITY_CHECK" ]]; then
    printf '%s\n' \
        "A USN already exists for kernel version $VERSION!" \
        "Try using report-mismatched-cve-fixes.py to get it modified!" >&2
    exit 1
fi

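# Obtain a USN when none was given with -u.  -f only satisfies the earlier
# "No USN specified" check; the fetch itself is this branch.
if [[ -z "$USN" ]]; then
    if [[ -n "$DRYRUN" ]]; then
        # Placeholder number used for dry runs; nothing is reserved remotely.
        USN="N-1"
    else
        # Reserving a number is a side effect on the remote allocator, so
        # from here on any failure (set -e fires the ERR trap) reminds the
        # operator which number to re-use instead of leaking it.
        USN=$(ssh people.canonical.com "~ubuntu-security/bin/get-next-usn" "$REL" "$PKG")
        trap "echo Please re-use $USN! Reserved for $REL $PKG" ERR
    fi
fi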

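# The generated publication script lands in $HOME; the .changes files are
# downloaded into a per-release/per-package directory under TMPDIR.
USN_SH=~/new-usn-${REL}-${PKG}.sh
DIR=${TMPDIR:-/tmp}/usn-$REL-$PKG
# NOTE(review): the download directory has a predictable name under a shared
# TMPDIR and is wiped with rm -rf on every run; on a multi-user host point
# TMPDIR at a private directory.  Kept as-is so the path stays stable.
rm -rf -- "$DIR"
# INCLUDE_EOL, SKIP_BUILD_CHECK and META_PKG stay unquoted on purpose: when
# empty they must vanish from the argument list rather than become "".
"$UCT/scripts/sis-changes" $INCLUDE_EOL $SKIP_BUILD_CHECK --ppa "${PPA}" --pocket "${POCKET}" -r "$REL" --download "$DIR" "$PKG" ${META_PKG}
cd "$DIR"
# Binary-package filter handed verbatim to sis-generate-usn --filter-bins;
# the \d suggests a Perl/Python-style regex engine on that side -- confirm.
REGEX='^linux-image-(\d|generic|virtual|lowlatency|power|omap|raspi2|snapdragon|highbank)'
if [[ -z "${cves// }" ]]; then
    # No pending CVE fixes at all.
    # NOTE(review): the hint is printed only when -r was given; if it is
    # meant to prompt the operator to pass -r, the test looks inverted.
    if [[ -n "$REGRESSION" ]]; then
        echo "INFO no cves found, is this a regression?"
    fi
    # GENERATE_ARGS is unquoted on purpose: it is either empty or the two
    # words "--ignore-cves LIST".
    "$UCT/scripts/sis-generate-usn" --kernel-mode --no-new-warn $GENERATE_ARGS --filter-bins "${REGEX}" "$USN" ./*.changes > "${USN_SH}"
else
    # Unquoted $cves collapses the whitespace-separated list so sed can turn
    # it into a single comma-separated value for --cves.
    "$UCT/scripts/sis-generate-usn" --kernel-mode --no-new-warn $GENERATE_ARGS --cves "$(echo $cves | sed -e 's/ /,/g')" --filter-bins "${REGEX}" "$USN" ./*.changes > "${USN_SH}"
fi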

# Let the operator review the generated script before anything is run.
# EDITOR is deliberately unquoted so multi-word values ("editor -w") work.
${EDITOR:-vi} "${USN_SH}"

# Publish only outside a dry run, then ask the remote side to verify.
if [[ -z "$DRYRUN" ]]; then
    bash "${USN_SH}"
    ssh people.canonical.com "~ubuntu-security/bin/check-upload $USN"
fi

# Machine-readable summary on stdout.
printf 'SRCPKG="%s"\n' "$PKG"
printf 'USN=%s\n' "$USN"