From a67213c64603d19070666ce63ac7ecd66f19edfd Mon Sep 17 00:00:00 2001 From: Alexey Makhalov <amakhalov@vmware.com> Date: Fri, 23 Dec 2016 00:35:07 -0800 Subject: [PATCH 6/6] Search for CVE-xxxx-xxxx comment in .spec parser --- src/plugins/packaging/rpm/rpm.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/src/plugins/packaging/rpm/rpm.c b/src/plugins/packaging/rpm/rpm.c index 8b2cc01..2778503 100644 --- a/src/plugins/packaging/rpm/rpm.c +++ b/src/plugins/packaging/rpm/rpm.c @@ -53,6 +53,7 @@ struct source_package_t *rpm_inspect_spec(const char *filename) autofree(gchar) *release = NULL; autofree(CveHashmap) *macros = NULL; GList *lpatches = NULL; + char *cve_patch_name = NULL; while ((read = g_data_input_stream_read_line(dis, NULL, NULL, NULL)) != NULL) { autofree(gstrv) *strv = NULL; @@ -61,6 +62,27 @@ struct source_package_t *rpm_inspect_spec(const char *filename) read = g_strstrip(read); + /* assign comment like #fix for CVE-xxxx-xxxx for the next PatchX: line */ + if (g_str_has_prefix(read, "#")) { + char *ptr; + autofree(gchar) *str = g_ascii_strdown(read, -1); + if (cve_patch_name) + g_free(cve_patch_name); + cve_patch_name = NULL; + ptr = g_strstr_len(str, -1, "cve-"); + if (ptr && (strlen(ptr) > 12) && g_ascii_isdigit(ptr[4]) && g_ascii_isdigit(ptr[5]) && + g_ascii_isdigit(ptr[6]) && g_ascii_isdigit(ptr[7]) && (ptr[8] == '-') && + g_ascii_isdigit(ptr[9]) && g_ascii_isdigit(ptr[10]) && g_ascii_isdigit(ptr[11]) && + g_ascii_isdigit(ptr[12])) { + autofree(gchar) *cvenum = g_strndup(ptr, 13); + cve_patch_name = g_strdup_printf("%s.patch", cvenum); + } + } else if (!str_has_iprefix(read, "Patch")) { + if (cve_patch_name) + g_free(cve_patch_name); + cve_patch_name = NULL; + } + if (g_str_has_prefix(read, "%define") || g_str_has_prefix(read, "%global")) { strv = g_strsplit(read, " ", 3); if (g_strv_length(strv) != 3) { @@ -151,12 +173,17 @@ struct source_package_t *rpm_inspect_spec(const char *filename) g_critical("Memory allocation failure"); goto clean; } + + if (cve_patch_name == NULL) + cve_patch_name = g_strdup(value); + if (g_strv_length(splits) == 1 || !splits[1] || g_str_equal(splits[1], "")) { - cve_hashmap_put(patches, g_strdup("0"), g_strdup(value)); + cve_hashmap_put(patches, g_strdup("0"), cve_patch_name); } else { - cve_hashmap_put(patches, g_strdup(splits[1]), g_strdup(value)); + cve_hashmap_put(patches, g_strdup(splits[1]), cve_patch_name); } + cve_patch_name = NULL; /* Store .nopatch in the pkg->extra */ if (str_has_isuffix(value, ".nopatch")) { -- 2.10.1