From a67213c64603d19070666ce63ac7ecd66f19edfd Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com>
Date: Fri, 23 Dec 2016 00:35:07 -0800
Subject: [PATCH 6/6] Search for CVE-xxxx-xxxx comment in .spec parser

---
 src/plugins/packaging/rpm/rpm.c | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/src/plugins/packaging/rpm/rpm.c b/src/plugins/packaging/rpm/rpm.c
index 8b2cc01..2778503 100644
--- a/src/plugins/packaging/rpm/rpm.c
+++ b/src/plugins/packaging/rpm/rpm.c
@@ -53,6 +53,7 @@ struct source_package_t *rpm_inspect_spec(const char *filename)
         autofree(gchar) *release = NULL;
         autofree(CveHashmap) *macros = NULL;
         GList *lpatches = NULL;
+        char *cve_patch_name = NULL;
 
         while ((read = g_data_input_stream_read_line(dis, NULL, NULL, NULL)) != NULL) {
                 autofree(gstrv) *strv = NULL;
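Review bot: The new `cve_patch_name` is a plain `char *` while every neighbouring local is `autofree(gchar)`, so a pending name leaks whenever rpm_inspect_spec leaves the loop with one still set — the `goto clean` after "Memory allocation failure" in the third hunk, or the loop simply ending after a `# ... CVE-` comment with no `Patch` line behind it. Declaring it `autofree(gchar) *cve_patch_name = NULL;` covers every exit path, and the hand-off in the Patch branch (`cve_hashmap_put(..., cve_patch_name); cve_patch_name = NULL;`) stays correct because the scope cleanup then frees NULL. This assumes `autofree` expands to a g_free-style cleanup attribute like the other declarations here; the function body continues outside this hunk.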
@@ -61,6 +62,27 @@ struct source_package_t *rpm_inspect_spec(const char *filename)
 
                 read = g_strstrip(read);
 
+                /* assign comment like #fix for CVE-xxxx-xxxx for the next PatchX: line */
+                if (g_str_has_prefix(read, "#")) {
+                        char *ptr;
+                        autofree(gchar) *str = g_ascii_strdown(read, -1);
+                        if (cve_patch_name)
+                                g_free(cve_patch_name);
+                        cve_patch_name = NULL;
+                        ptr = g_strstr_len(str, -1, "cve-");
+                        if (ptr && (strlen(ptr) > 12) && g_ascii_isdigit(ptr[4]) && g_ascii_isdigit(ptr[5]) &&
+                            g_ascii_isdigit(ptr[6]) && g_ascii_isdigit(ptr[7]) && (ptr[8] == '-') &&
+                            g_ascii_isdigit(ptr[9]) && g_ascii_isdigit(ptr[10]) && g_ascii_isdigit(ptr[11]) &&
+                            g_ascii_isdigit(ptr[12])) {
+                                autofree(gchar) *cvenum = g_strndup(ptr, 13);
+                                cve_patch_name = g_strdup_printf("%s.patch", cvenum);
+                        }
+                } else if (!str_has_iprefix(read, "Patch")) {
+                        if (cve_patch_name)
+                                g_free(cve_patch_name);
+                        cve_patch_name = NULL;
+                }
+
                 if (g_str_has_prefix(read, "%define") || g_str_has_prefix(read, "%global")) {
                         strv = g_strsplit(read, " ", 3);
                         if (g_strv_length(strv) != 3) {
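Review bot: The digit test at `ptr[9]..ptr[12]` followed by `g_strndup(ptr, 13)` only handles four-digit sequence numbers, so a comment such as `# fix for CVE-2016-10001` (five-digit sequences are valid since 2014) is silently recorded as `cve-2016-1000.patch` — a different, wrong identifier. The sequence part should be scanned to its end and accepted when it has at least four digits. Note also that the name is built from the lowercased copy, so the map gets `cve-2016-1234.patch`; whether consumers of `patches` compare case-insensitively cannot be seen from this hunk, so it is worth a comment on the `g_ascii_strdown` line either way. A blank line between the comment and its `PatchN:` line also drops the association through the `else if` branch, which is probably intended but deserves a comment.

```c
                        ptr = g_strstr_len(str, -1, "cve-");
                        if (ptr) {
                                /* CVE-YYYY-NNNN...: year is 4 digits, sequence is 4 or more */
                                size_t n = 4;
                                while (n < 8 && g_ascii_isdigit(ptr[n]))
                                        n++;
                                if (n == 8 && ptr[8] == '-') {
                                        n = 9;
                                        while (g_ascii_isdigit(ptr[n]))
                                                n++;
                                        if (n >= 13) {
                                                autofree(gchar) *cvenum = g_strndup(ptr, n);
                                                cve_patch_name = g_strdup_printf("%s.patch", cvenum);
                                        }
                                }
                        }
```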
@@ -151,12 +173,17 @@ struct source_package_t *rpm_inspect_spec(const char *filename)
                                 g_critical("Memory allocation failure");
                                 goto clean;
                         }
+
+                        if (cve_patch_name == NULL)
+                                cve_patch_name = g_strdup(value);
+
                         if (g_strv_length(splits) == 1 || !splits[1] || g_str_equal(splits[1], "")) {
-                                cve_hashmap_put(patches, g_strdup("0"), g_strdup(value));
+                                cve_hashmap_put(patches, g_strdup("0"), cve_patch_name);
 
                         } else {
-                                cve_hashmap_put(patches, g_strdup(splits[1]), g_strdup(value));
+                                cve_hashmap_put(patches, g_strdup(splits[1]), cve_patch_name);
                         }
+                        cve_patch_name = NULL;
 
                         /* Store .nopatch in the pkg->extra */
                         if (str_has_isuffix(value, ".nopatch")) {
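Review bot: The value stored in `patches` is no longer always the patch filename from the spec; it is either the synthesized `cve-YYYY-NNNN.patch` from a preceding comment or a copy of `value`, and nothing at the `cve_hashmap_put` calls says so. A comment before the `if (cve_patch_name == NULL)` line such as `/* map value: "cve-YYYY-NNNN.patch" when the preceding comment named a CVE, else the PatchN: filename; the string is handed to the map and cve_patch_name is cleared below */` would make the ownership hand-off and the two possible shapes explicit. Whether `cve_hashmap_put` takes ownership is inferred from the original `g_strdup(value)` argument, so confirm that before relying on the comment. The enclosing function continues past the end of this hunk.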
-- 
2.10.1