Update advisory format and introduce some automation

Simplify the advisory format by dropping the -Backport tags and instead
stick to using just the -Commit tags.  To identify backports, put a
substring of git-describe into the release version in the brackets next
to the commit ref.  This way, it not only identifies that the fix (or
regression) is on the release/2.YY/master branch, it also disambiguates
regressions/fixes in the branch from those in the tarball.

Add a README to make it easier for consumers to understand the format.
Additionally, the Release wiki needs to be updated to inform the release
manager to:

1. Generate a NEWS snippet from the advisories directory

AND

2. on release/2.YY/master, replace the advisories directory with a text
   file pointing to the advisories directory in master so that we don't
   have to update multiple locations.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Andreas K. Hüttel <dilfridge@gentoo.org>
Siddhesh Poyarekar 2024-01-24 13:37:20 -05:00
parent 6cdc442142
commit 443c10018c
8 changed files with 182 additions and 67 deletions


@ -11,4 +11,4 @@ CVE-Id: CVE-2023-25139
Public-Date: 2023-02-02
Vulnerable-Commit: e88b9f0e5cc50cab57a299dc7efe1a4eb385161d (2.37)
Fix-Commit: c980549cc6a1c03c23cc2fe3e7b0fe626a0364b0 (2.38)
Fix-Backport: 07b9521fc6369d000216b96562ff7c0ed32a16c4 (2.37)
Fix-Commit: 07b9521fc6369d000216b96562ff7c0ed32a16c4 (2.37-4)


@ -10,6 +10,6 @@ CVE-Id: CVE-2023-4527
Public-Date: 2023-09-12
Vulnerable-Commit: f282cdbe7f436c75864e5640a409a10485e9abb2 (2.36)
Fix-Commit: bd77dd7e73e3530203be1c52c8a29d08270cb25d (2.39)
Fix-Backport: 4ea972b7edd7e36610e8cde18bf7a8149d7bac4f (2.36)
Fix-Backport: b7529346025a130fee483d42178b5c118da971bb (2.37)
Fix-Backport: b25508dd774b617f99419bdc3cf2ace4560cd2d6 (2.38)
Fix-Commit: 4ea972b7edd7e36610e8cde18bf7a8149d7bac4f (2.36-113)
Fix-Commit: b7529346025a130fee483d42178b5c118da971bb (2.37-38)
Fix-Commit: b25508dd774b617f99419bdc3cf2ace4560cd2d6 (2.38-19)


@ -8,8 +8,8 @@ arbitrary memory.
CVE-Id: CVE-2023-4806
Public-Date: 2023-09-12
Fix-Commit: 973fe93a5675c42798b2161c6f29c01b0e243994 (2.39)
Fix-Backport: e09ee267c03e3150c2c9ba28625ab130705a485e (2.34)
Fix-Backport: e3ccb230a961b4797510e6a1f5f21fd9021853e7 (2.35)
Fix-Backport: a9728f798ec7f05454c95637ee6581afaa9b487d (2.36)
Fix-Backport: 6529a7466c935f36e9006b854d6f4e1d4876f942 (2.37)
Fix-Backport: 00ae4f10b504bc4564e9f22f00907093f1ab9338 (2.38)
Fix-Commit: e09ee267c03e3150c2c9ba28625ab130705a485e (2.34-420)
Fix-Commit: e3ccb230a961b4797510e6a1f5f21fd9021853e7 (2.35-270)
Fix-Commit: a9728f798ec7f05454c95637ee6581afaa9b487d (2.36-115)
Fix-Commit: 6529a7466c935f36e9006b854d6f4e1d4876f942 (2.37-39)
Fix-Commit: 00ae4f10b504bc4564e9f22f00907093f1ab9338 (2.38-20)


@ -9,8 +9,8 @@ CVE-Id: CVE-2023-4911
Public-Date: 2023-10-03
Vulnerable-Commit: 2ed18c5b534d9e92fc006202a5af0df6b72e7aca (2.34)
Fix-Commit: 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa (2.39)
Fix-Backport: dcc367f148bc92e7f3778a125f7a416b093964d9 (2.34)
Fix-Backport: c84018a05aec80f5ee6f682db0da1130b0196aef (2.35)
Fix-Backport: 22955ad85186ee05834e47e665056148ca07699c (2.36)
Fix-Backport: b4e23c75aea756b4bddc4abcf27a1c6dca8b6bd3 (2.37)
Fix-Backport: 750a45a783906a19591fb8ff6b7841470f1f5701 (2.38)
Fix-Commit: dcc367f148bc92e7f3778a125f7a416b093964d9 (2.34-423)
Fix-Commit: c84018a05aec80f5ee6f682db0da1130b0196aef (2.35-274)
Fix-Commit: 22955ad85186ee05834e47e665056148ca07699c (2.36-118)
Fix-Commit: b4e23c75aea756b4bddc4abcf27a1c6dca8b6bd3 (2.37-45)
Fix-Commit: 750a45a783906a19591fb8ff6b7841470f1f5701 (2.38-27)


@ -6,15 +6,13 @@ flags set.
CVE-Id: CVE-2023-5156
Public-Date: 2023-09-25
Vulnerable-Commit: 973fe93a5675c42798b2161c6f29c01b0e243994 (pre-2.39)
Fix-Commit: ec6b95c3303c700eb89eebeda2d7264cc184a796 (2.39)
Vulnerable-Backport: e09ee267c03e3150c2c9ba28625ab130705a485e (2.34)
Vulnerable-Backport: e3ccb230a961b4797510e6a1f5f21fd9021853e7 (2.35)
Vulnerable-Backport: a9728f798ec7f05454c95637ee6581afaa9b487d (2.36)
Vulnerable-Backport: 6529a7466c935f36e9006b854d6f4e1d4876f942 (2.37)
Vulnerable-Backport: 00ae4f10b504bc4564e9f22f00907093f1ab9338 (2.38)
Fix-Backport: 8006457ab7e1cd556b919f477348a96fe88f2e49 (2.34)
Fix-Backport: 17092c0311f954e6f3c010f73ce3a78c24ac279a (2.35)
Fix-Backport: 856bac55f98dc840e7c27cfa82262b933385de90 (2.36)
Fix-Backport: 4473d1b87d04b25cdd0e0354814eeaa421328268 (2.37)
Fix-Backport: 5ee59ca371b99984232d7584fe2b1a758b4421d3 (2.38)
Vulnerable-Commit: e09ee267c03e3150c2c9ba28625ab130705a485e (2.34-420)
Vulnerable-Commit: e3ccb230a961b4797510e6a1f5f21fd9021853e7 (2.35-270)
Vulnerable-Commit: a9728f798ec7f05454c95637ee6581afaa9b487d (2.36-115)
Vulnerable-Commit: 6529a7466c935f36e9006b854d6f4e1d4876f942 (2.37-39)
Vulnerable-Commit: 00ae4f10b504bc4564e9f22f00907093f1ab9338 (2.38-20)
Fix-Commit: 8006457ab7e1cd556b919f477348a96fe88f2e49 (2.34-421)
Fix-Commit: 17092c0311f954e6f3c010f73ce3a78c24ac279a (2.35-272)
Fix-Commit: 856bac55f98dc840e7c27cfa82262b933385de90 (2.36-116)
Fix-Commit: 4473d1b87d04b25cdd0e0354814eeaa421328268 (2.37-42)
Fix-Commit: 5ee59ca371b99984232d7584fe2b1a758b4421d3 (2.38-24)
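Review bot: the context line `Vulnerable-Commit: 973fe93a5675c42798b2161c6f29c01b0e243994 (pre-2.39)` uses a release-version that the new README format does not define (it only describes `2.YY` and `2.YY-NNN`), and the `update` subcommand in process-advisories.sh rewrites every line matching `Commit` from `git describe`, so the next `scripts/process-advisories.sh update` run on this advisory will silently replace `(pre-2.39)` with whatever get_rel returns for that commit. Either document `pre-` as an accepted prefix and teach the script to preserve it, or drop it here in favour of the derived value so the file and the tooling agree.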

advisories/README Normal file

@ -0,0 +1,73 @@
GNU C Library Security Advisory Format
======================================
Security advisories in this directory follow a simple git commit log
format, with a heading and free-format description augmented with tags
to allow parsing key information. References to code changes are
specific to the glibc repository and follow a specific format:
Tag-name: <commit-ref> (release-version)
The <commit-ref> indicates a specific commit in the repository. The
release-version indicates the publicly consumable release in which this
commit is known to exist. The release-version is derived from the
git-describe format, (i.e. stripped out from glibc-2.34.NNN-gxxxx) and
is of the form 2.34-NNN. If the -NNN suffix is absent, it means that
the change is in that release tarball, otherwise the change is on the
release/2.YY/master branch and not in any released tarball.
The following tags are currently being used:
CVE-Id:
This is the CVE-Id assigned under the CVE Program
(https://www.cve.org/).
Public-Date:
The date this issue became publicly known.
Vulnerable-Commit:
The commit that introduced this vulnerability. There could be multiple
entries, one for each release branch in the glibc repository; the
release-version portion of this tag should tell you which branch this is
on.
Fix-Commit:
The commit that fixed this vulnerability. There could be multiple
entries for each release branch in the glibc repository, indicating that
all of those commits contributed to fixing that issue in each of those
branches.
Adding an Advisory
------------------
An advisory for a CVE needs to be added on the master branch in two steps:
1. Add the text of the advisory without any Fix-Commit tags along with
the fix for the CVE. Add the Vulnerable-Commit tag, if applicable.
The advisories directory does not exist in release branches, so keep
the advisory text commit distinct from the code changes, to ease
backports. Ask for the GLIBC-SA advisory number from the security
team.
2. Finish all backports on release branches and then back on the msater
branch, add all commit refs to the advisory using the Fix-Commit
tags. Don't bother adding the release-version subscript since the
next step will overwrite it.
3. Run the process-advisories.sh script in the scripts directory on the
advisory:
scripts/process-advisories.sh update GLIBC-SA-YYYY-NNNN
(replace YYYY-NNNN with the actual advisory number).
4. Verify the updated advisory and push the result.
Getting a NEWS snippet from advisories
--------------------------------------
Run:
scripts/process-advisories.sh news
and copy the content into the NEWS file.
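Review bot: "needs to be added on the master branch in two steps" is followed by four numbered steps; adjust the count, and fix "msater" to "master" in step 2. The description of the git-describe string, `glibc-2.34.NNN-gxxxx`, does not match what `git describe` prints or what the sed in process-advisories.sh expects (`glibc-2.34-NNN-gxxxx`, with a hyphen before the commit count), so a reader trying to reproduce the derivation by hand will be confused. One more caveat worth a sentence: "If the -NNN suffix is absent, it means that the change is in that release tarball" only holds once that release has been tagged, because get_rel maps a development describe string (`2.38.9000-NNN`) to a bare `2.39` before 2.39 exists; between releases a bare version on a master commit means "will be in that release", not "is in a tarball".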

scripts/process-advisories.sh Executable file

@ -0,0 +1,85 @@
#!/bin/bash -e
# Copyright The GNU Toolchain Authors.
# This file is part of the GNU C Library.
#
# The GNU C Library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# The GNU C Library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with the GNU C Library; if not, see
# <https://www.gnu.org/licenses/>.
if ! [ -d advisories ]; then
echo "error: Run me from the toplevel directory of the glibc repository."
exit 1
fi
command=$1
usage () {
cat >&2 <<EOF
usage: $0 {update|news}
EOF
exit 1
}
command="$1"
case "$command" in
update|news)
;;
*)
usage
;;
esac
get_rel() {
rel=$(git describe $1 | sed 's/glibc-\([^g]\+\)-g.*/\1/')
# If the latest tag for the commit is the development tag, then increment
# the release version.
if echo $rel | grep -q "\.9000"; then
rel=$(echo $rel | sed 's/2\.\([0-9]\+\)\.9000.*/\1/')
rel="2.$((rel+1))"
fi
echo $rel
}
advisories_update() {
advisory=$1
if [ -z $1 ]; then
echo "Usage: $0 update GLIBC-SA-YYYY-NNNN"
exit 1
fi
advisory_file=advisories/$advisory
grep --color=none Commit $advisory_file | awk '{printf "%s %s\n", $1, $2}' |
while read t r; do
rel=$(get_rel $r)
echo "*** Updating: $t $r ($rel)"
sed -i "s/^$t $r.*/$t $r ($rel)/" $advisory_file
done
}
advisories_news() {
rel=$(get_rel "HEAD")
for f in $(grep -l "^Fix-Commit: .* ($rel)$" advisories/*); do
echo -e " $(basename $f):"
cve_id=$(sed -n 's/CVE-Id: \(.*\)/\1/p' $f)
echo "$(head -1 $f) ($cve_id)" | fold -w 68 -s |
while read line; do
echo " $line"
done
echo
done
}
advisories_$command $2
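Review bot: `grep --color=none Commit $advisory_file` in advisories_update is unanchored, so any description line that happens to contain the word "Commit" is fed to get_rel and to the `sed -i` rewrite; anchor it to the tags the README defines, e.g. `grep -E '^(Vulnerable|Fix)-Commit:'`. In the same function `if [ -z $1 ]` should be `if [ -z "$1" ]` (it only works by accident when the argument is empty), and `command=$1` is assigned twice, once before `usage()` and again after it; keep one. In get_rel, a commit that is exactly a release tag makes `git describe` print just `glibc-2.38` with no `-g...` part, so the sed does not match and the advisory ends up with `(glibc-2.38)` rather than `(2.38)`; handle that case, and consider checking that `git describe` succeeded at all, since under `bash -e` a failure inside the pipeline is masked by `sed` and `echo` exiting 0.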


@ -1,41 +0,0 @@
#!/bin/bash -e
# Copyright The GNU Toolchain Authors.
# This file is part of the GNU C Library.
#
# The GNU C Library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# The GNU C Library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with the GNU C Library; if not, see
# <https://www.gnu.org/licenses/>.
if ! [ -d advisories ]; then
echo "error: Run me from the toplevel directory of the glibc repository."
exit 1
fi
release=$(echo RELEASE | gcc -E -include version.h -o - - | grep -v "^#")
minor=$(echo __GLIBC_MINOR__ | gcc -E -include include/features.h -o - - |
grep -v "^#")
if [ $release = "\"development\"" ]; then
cur_rel=2.$((minor + 1))
else
cur_rel=2.$minor
fi
for f in $(grep -l "^Fix-Commit: .* ($cur_rel)$" advisories/*); do
echo -e " $(basename $f):"
cve_id=$(sed -n 's/CVE-Id: \(.*\)/\1/p' $f)
echo "$(head -1 $f) ($cve_id)" | fold -w 68 -s | while read line; do
echo " $line"
done
echo
done
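Review bot: the removed script derived the current release from `version.h` and `include/features.h` via `gcc -E`, so it worked in any source tree; its replacement (`get_rel "HEAD"` in process-advisories.sh) derives the release from `git describe`, which needs a clone in which the annotated `glibc-2.YY` tags are reachable (a shallow or tag-less clone will give a wrong or empty release and the `news` subcommand will then match no advisories). Worth either a note in the README or an explicit failure in the script when `git describe` does not produce a `glibc-` string, so the release manager does not get an empty NEWS snippet without noticing.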