From: Daniel P. Berrangé
To: libvir-list@redhat.com
Date: Mon, 13 May 2019 12:52:00 +0100
Message-Id: <20190513115206.1088-4-berrange@redhat.com>
In-Reply-To: <20190513115206.1088-1-berrange@redhat.com>
References: <20190513115206.1088-1-berrange@redhat.com>
Subject: [libvirt] [security-notice PATCH 3/9] scripts: add ability to handle a fixed commit hash

Currently when given a broken commit hash we assume everything newer than
this is broken. If we are retroactively recording info on a flaw that is
already fixed in git though, we might know a fixed commit hash. Use this
info to know when to stop reporting broken tags and branches.

Note this only works for branches containing the original primary fixed
commit. This does not try to identify cherry-picks to branches.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Ján Tomko
---
 scripts/report-vulnerable-tags.pl | 74 +++++++++++++++++++++++++++----
 1 file changed, 66 insertions(+), 8 deletions(-)

diff --git a/scripts/report-vulnerable-tags.pl b/scripts/report-vulnerable-tags.pl
index 8a6c2e4..431a7bf 100644
--- a/scripts/report-vulnerable-tags.pl
+++ b/scripts/report-vulnerable-tags.pl
@@ -5,15 +5,18 @@ use warnings; =20 use Sort::Versions; =20 -if (int(@ARGV) !=3D 1) { - die "syntax: $0 CHANGESET\n"; +if (int(@ARGV) !=3D 1 && int(@ARGV) !=3D 2) { + die "syntax: $0 BROKEN-CHANGESET [FIXED-CHANGESET]\n"; } =20 -my $changeset =3D shift @ARGV; +my $broken =3D shift @ARGV; +my $fixed =3D shift @ARGV; =20 # branch name to hash with keys # - brokenchanges -> list of commit ids # - brokentags -> hash of tag names to '1' +# - fixedchanges -> list of commit ids +# - fixedtags -> hash of tag names to '1' my %branches; =20 # tag name to '0' (fixed) or '1' (broken) @@ -68,11 +71,22 @@ sub add_branch { return if exists $branches{$name}; =20 $branches{$name} =3D { - "brokenchanges" =3D> [$changeset], + "brokenchanges" =3D> [$broken], "brokentags" =3D> {}, + "fixedchanges" =3D> [], + "fixedtags" =3D> {}, }; } =20 +sub delete_branch { + my $name =3D shift @_; + + if (int(keys %{$branches{$name}->{"brokentags"}})) { + print "Branch $name shouldn't have broken tags\n"; + } + delete $branches{$name}; +} + sub add_broken_tag { my $branch =3D shift @_; my $tag =3D shift @_; 
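Review bot: in the @@ -5,15 hunk the new argument handling accepts BROKEN-CHANGESET and FIXED-CHANGESET without checking that either resolves to a commit, or that the fix is actually a descendant of the breakage, and nothing else in the hunk would catch a mistyped second argument before it is handed to get_tags. A `git rev-parse --verify` on each argument, followed by `git merge-base --is-ancestor $broken $fixed`, would turn both mistakes into a clear `die` instead of a report that quietly lists every tag after the broken one as still vulnerable; the syntax message could also mention that FIXED-CHANGESET must be reachable from BROKEN-CHANGESET.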
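Review bot: in the @@ -68,11 hunk, delete_branch reports "Branch $name shouldn't have broken tags" with `print`, which is the same stdout stream the report's own `print " $branch\n"` lines go to, so the diagnostic lands inside the generated output; use `warn` (or `print STDERR`) instead. It then deletes the entry regardless, discarding the very broken tags it just complained about; since the commit message says a fixed commit is only expected on branches that contain the primary fix, a `die` here would be safer than silently dropping vulnerable tags from the report.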
@@ -81,16 +95,51 @@ sub add_broken_tag { $branches{$branch}->{"brokentags"}->{$tag} =3D 1; } =20 +sub add_fixed_tag { + my $branch =3D shift @_; + my $tag =3D shift @_; + + $tags{$tag} =3D 0; + $branches{$branch}->{"fixedtags"}->{$tag} =3D 1; +} + +sub add_fixed_commit { + my $branch =3D shift @_; + my $commit =3D shift @_; + + push @{$branches{$branch}->{"fixedchanges"}}, $commit; +} + add_branch("master"); =20 +if (defined $fixed) { + # Mark any tags containing the fix as known so they + # get excluded when later finding vulnerable tags + for my $tag (get_tags("--contains", $fixed)) { + $tags{$tag} =3D 0; + } + + + # Record the first tag in master which has the fix, if any + my @fixedtags =3D sort versioncmp get_tags("--contains", $fixed, "--me= rged", "master"); + if (int(@fixedtags)) { + add_fixed_tag("master", $fixedtags[0]); + } + + add_fixed_commit("master", $fixed); +} + # Most tags live on master so lets get them first -for my $tag (get_tags("--contains", $changeset, "--merged", "master")) { +for my $tag (get_tags("--contains", $broken, "--merged", "master")) { + + next if exists $tags{$tag}; + add_broken_tag("master", $tag); } =20 # Now we need slower work to find branches for # few remaining tags -for my $tag (get_tags("--contains", $changeset)) { +for my $tag (get_tags("--contains", $broken)) { =20 next if exists $tags{$tag}; =20 @@ -117,6 +166,12 @@ for my $branch (get_branches($broken)) { add_branch($branch); } =20 +if (defined $fixed) { + for my $branch (get_branches($fixed)) { + delete_branch($branch); + } +} + foreach my $branch (sort versioncmp keys %branches) { print " \n"; print " $branch\n"; 
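Review bot: in the @@ -81,16 hunk, `$fixedtags[0]` after `sort versioncmp` assumes the lowest-sorting tag containing $fixed is the first release that carries it; that holds for plain version tags, but any non-release tag containing the fix would sort ahead of the real one and be reported as the first fixed tag, so it is worth filtering the list to release tags or stating the assumption in the comment. Style: two consecutive blank lines are added between the first `for my $tag` loop and the `# Record the first tag` comment; one is enough.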
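Review bot: in the @@ -117,6 hunk, delete_branch is applied to every branch returned by get_branches($fixed). master necessarily contains $fixed (the code above records fixedtags and fixedchanges on it), so if get_branches can return master the whole master entry, including the broken tags that sit between $broken and $fixed, is dropped and the report loses exactly the tags the fixed hash is meant to bound. Unless get_branches is guaranteed to exclude master, add `next if $branch eq "master";` before the delete_branch call.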
@@ -127,8 +182,11 @@ foreach my $branch (sort versioncmp keys %branches) { print " $commit\n"; } =20 - if ($branch eq "master") { - print " $fixed\n"; + foreach my $tag (sort versioncmp keys %{$branches{$branch}->{"fixedtag= s"}}) { + print " $tag\n"; + } + foreach my $commit (@{$branches{$branch}->{"fixedchanges"}}) { + print " $commit\n"; } print " \n"; } --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
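Review bot: in the @@ -127,8 hunk the master-only special case is replaced by loops over fixedtags and fixedchanges for every branch, but only master is ever given either (add_fixed_tag and add_fixed_commit are called with "master" only) and branches containing $fixed are deleted before output, so for maintenance branches both loops are always empty. That is consistent with the commit message's "does not try to identify cherry-picks" caveat, but whatever consumes this report must then accept a branch with broken tags and no fixed marker; a one-line comment above the loops saying that non-master branches never carry fixed information would save the next reader from looking for a bug here.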