Scripts to check XSA patch-level on xen trees (xen.git, qemu-xen.git & qemu-xen-traditional.git)



Lars Kurth-3
Hi everyone,

I created a number of scripts primarily for checking whether we have applied
all patches correctly for point and major releases. However, these may be
useful for developers, users and xen packagers.

The tool will be run as part of the Release Manager Checklist: see
https://lists.xenproject.org/archives/html/xen-devel/2017-07/threads.html#03091

Feedback is very welcome.

I can make changes as needed when I have some spare cycles, but am
ultimately looking for someone who is willing to act as maintainer for the
scripts in the long run (as I am not really a developer any more).

Best Regards
Lars

== Script location ==

https://xenbits.xenproject.org/gitweb/?p=people/larsk/xen-release-scripts.git
README in top level directory

== Attached files ==

I attached the output and input of a test run on Xen 4.8.1 to the tip of the
stable branch.

Input: xsa-213-225
Output: 481-stable-xsamatch-smartd.html

However, the DEBUG links won’t work unless you actually run
the script and have the generated directory. To make it easier,
I attached screenshots of actual diffs:

xsa218-diff.png & xsa224-diff.png

./match-xsa --version 4 --major 8 --since 1 --html --smart --debug -xsa xsa-213-225 > 481-stable-xsamatch-smartd.html

== Analysis of results ==

For the attached example, I did a quick sample analysis

> XSA 214 : All patches found => check as advisory text may be ambiguous
> or cannot be fully parsed
In this case the published advisory text contains a typo in the RESOLUTION
section of the advisory, which is why the script asks for a manual check

> XSA 215 : No patch found => check
In this case “Xen versions 4.7 and later are not vulnerable”. However, the
tool does not parse sentences, which is why this has been picked up as
a potential issue by the tool.

>  XSA 218 : Some patches not applied => check
In this case, one of the patches in the advisory has been modified by the
committer at check-in into the 4.8 tree.

See xsa218-diff.png for the relevant difference

> XSA 221 : All patches found => check as advisory text may be ambiguous
> or cannot be fully parsed
In this case “Xen versions 4.4 and newer are vulnerable”. However, the
tool does not parse sentences, which is why this has been picked up as
a potential issue by the tool.

> XSA 224 : Some patches not applied => check
In this case, one of the patches in the advisory has been modified by the
committer at check-in into the 4.8 tree.

See xsa224-diff.png for the relevant difference

== Possible improvements ==

Right now, the tool either scrapes xenbits.xenproject.org/xsa for advisory
information, or it uses information that is only available to Xen Project
security team members. This means that there is somewhat of a gap
in terms of tool usability for people on the pre-disclosure list.  

In addition, XSA Advisories do not yet have a metadata section that is
easily machine readable. However, George Dunlap has been working on
this, which will appear in Advisory Texts in the future, at which point the
tool can be updated. This would avoid a few manual checks that are
necessary now. But even without it, one picks up on possible issues very
quickly.

_______________________________________________
Xen-users mailing list
[hidden email]
https://lists.xen.org/xen-users

Attachments:
xsa-213-225 (9K)
481-stable-xsamatch-smartd.html (70K)
xsa218-diff.png (542K)
xsa224-diff.png (424K)
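The post shows three verdicts from match-xsa ("All patches found", "No patch found", "Some patches not applied") plus the "advisory text may be ambiguous" flag, and explains that the tool does not parse sentences and that a patch retitled by the committer at check-in shows up as not applied. The following toy matcher is an added illustration of that classification logic; it is not code from xen-release-scripts, and it assumes a simplified model in which a patch counts as applied when its Subject line appears verbatim among the branch's commit subjects. All advisory texts, patch subjects and commit subjects below are constructed.

```python
"""Toy XSA patch-level matcher (added example, not the xen-release-scripts code).

Reproduces the verdict shapes seen in match-xsa output using constructed
advisory RESOLUTION sections and a constructed commit log, instead of scraping
xenbits.xenproject.org/xsa or reading a real git tree.
"""
import re

# Constructed RESOLUTION sections shaped like the ones in Xen advisories.
ADVISORIES = {
    "XSA-9001": (
        "RESOLUTION\n"
        "Applying the appropriate attached patch resolves this issue.\n"
        "xsa9001.patch           xen-unstable, Xen 4.8.x\n"
    ),
    "XSA-9002": (
        "RESOLUTION\n"
        "Xen versions 4.7 and later are not vulnerable.\n"
        "Applying the attached patch resolves this issue.\n"
        "xsa9002-4.6.patch       Xen 4.6.x\n"
    ),
    "XSA-9003": (
        "RESOLUTION\n"
        "Applying the appropriate attached patches resolves this issue.\n"
        "xsa9003-1.patch         xen-unstable\n"
        "xsa9003-2.patch         xen-unstable\n"
    ),
    "XSA-9004": (
        "RESOLUTION\n"
        "Xen versions 4.4 and newer are vulnerable.\n"
        "xsa9004.patch           xen-unstable, Xen 4.8.x\n"
    ),
}

# Constructed: the Subject: line of each patch file named in the advisories.
PATCH_SUBJECTS = {
    "xsa9001.patch": "x86/mm: fix refcount leak in example path",
    "xsa9002-4.6.patch": "xenstore: reject oversized example requests",
    "xsa9003-1.patch": "grant_table: validate example handle",
    "xsa9003-2.patch": "grant_table: drop stale example reference",
    "xsa9004.patch": "x86/hvm: bound example ioreq index",
}

# Constructed commit subjects of a stable branch. xsa9003-2 was retitled by
# the committer at check-in, the situation the post describes for XSA 218/224.
COMMIT_SUBJECTS = [
    "x86/mm: fix refcount leak in example path",
    "grant_table: validate example handle",
    "grant_table: drop stale example reference (backport)",
    "x86/hvm: bound example ioreq index",
    "update Xen version to 4.8.1",
]

PATCH_RE = re.compile(r"\bxsa\d+[\w.-]*\.patch\b")
# Sentences such as "Xen versions 4.7 and later are not vulnerable" narrow the
# advisory's scope. The matcher does not interpret them; it only flags them so
# a human reads the advisory, which is what the post's "check" verdicts do.
SCOPE_RE = re.compile(r"versions? .*?(?:not )?vulnerable", re.IGNORECASE)


def parse_patches(text):
    """Patch file names listed in a RESOLUTION section."""
    return PATCH_RE.findall(text)


def advisory_is_ambiguous(text):
    """True when the advisory contains a version-scope sentence."""
    return SCOPE_RE.search(text) is not None


def find_applied(patches, commit_subjects):
    """Exact subject match only: a retitled backport is deliberately a miss so
    the release manager diffs it by hand rather than trusting the tool."""
    present = set(commit_subjects)
    return [p for p in patches if PATCH_SUBJECTS.get(p) in present]


def verdict(xsa, text, commit_subjects):
    """Return (verdict line, list of patches not found)."""
    patches = parse_patches(text)
    applied = find_applied(patches, commit_subjects)
    if patches and len(applied) == len(patches):
        status = "All patches found"
        if advisory_is_ambiguous(text):
            status += (" => check as advisory text may be ambiguous"
                       " or cannot be fully parsed")
    elif not applied:
        status = "No patch found => check"
    else:
        status = "Some patches not applied => check"
    missing = sorted(set(patches) - set(applied))
    return f"{xsa} : {status}", missing


def run(advisories=ADVISORIES, commit_subjects=COMMIT_SUBJECTS):
    """Classify every advisory against the commit log."""
    return {xsa: verdict(xsa, text, commit_subjects)
            for xsa, text in advisories.items()}


if __name__ == "__main__":
    for line, missing in run().values():
        print(line, f"(missing: {', '.join(missing)})" if missing else "")
```

XSA-9002 lands as "No patch found" even though the branch is out of scope, mirroring the XSA 215 case in the post, and XSA-9003 lands as "Some patches not applied" because of the retitled backport, mirroring XSA 218 and XSA 224; both are the manual checks the post says a machine-readable metadata section would remove.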