author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-02-11 20:54:41 +0000 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-02-11 20:54:41 +0000 |
commit | 92010c6125e99fc792db4051fc537c0fa5b8af2e (patch) | |
tree | dc84c8b794da3034ed87c74259e08d77d0bdf567 | |
parent | fb6dcb9b9b9cc901680a0188bb1d16c63c1719fd (diff) | |
download | vulns-92010c6125e99fc792db4051fc537c0fa5b8af2e.tar.gz |
scripts/bippy: better changelog text and mbox output
Strip out the signed-off-by crud from the changelog info, and make a
much nicer mbox output and disclaimer.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rwxr-xr-x | scripts/bippy | 59 |
1 files changed, 56 insertions, 3 deletions
diff --git a/scripts/bippy b/scripts/bippy
index dfb99165..335fc521 100755
--- a/scripts/bippy
+++ b/scripts/bippy
@@ -244,6 +244,8 @@ fi
 dbg "subject=${subject}"
 # Grab the full commit text, we will use that for many things
+# We strip off the signed-off-by stuff AFTER we are done with parsing
+# this text
 commit_text=$(cd ${KERNEL_TREE} && git show --no-patch --pretty=format:"%B" "${GIT_SHA_FULL}")
 #echo "commit_text=${commit_text}"
@@ -490,11 +492,36 @@ for entry in ${fixed_pairs[@]}; do
 -s versionType="custom" \
 ) "
-vuln_array_mbox+=("Issue introduced in ${vuln} and fixed in ${fix}")
+# If this issue has always been there, just say when it was
+# fixed, otherwise try to give a hint when it was introduced.
+# The json file just wants 0 for "always been there", so no need
+# to check it for the array.
+if [[ "${vuln}" == "0" ]] ; then
+vuln_array_mbox+=("Fixed in ${fix}")
+else
+vuln_array_mbox+=("Issue introduced in ${vuln} and fixed in ${fix}")
+fi
 done
 dbg "vuln_array_json=${vuln_array_json}"
 dbg "vuln_array_mbox=${vuln_array_mbox[@]}"
+# Strip off the signed-off-by stuff out of the commit text.
+# Yes, this should be a better regex, and yes, it's going to get long,
+# lots of people put lots of crud in changelog text, so use a case
+# insensitive line deletion "/pattern/Id" and sed
+# There has to be a better way than just calling sed a bunch, right?
+commit_text=$(echo "${commit_text}" | sed -e '/^acked-by:/Id')
+commit_text=$(echo "${commit_text}" | sed -e '/^cc:/Id;/^signed-off-by:/Id') # multiple on one call...
+#commit_text=$(echo "${commit_text}" | sed -e '/^signed-off-by:/Id')
+commit_text=$(echo "${commit_text}" | sed -e '/^closes:/Id')
+commit_text=$(echo "${commit_text}" | sed -e '/^fixes:/Id')
+commit_text=$(echo "${commit_text}" | sed -e '/^link:/Id')
+commit_text=$(echo "${commit_text}" | sed -e '/^reported-and-tested-by:/Id')
+commit_text=$(echo "${commit_text}" | sed -e '/^reported-by:/Id')
+commit_text=$(echo "${commit_text}" | sed -e '/^reviewed-by:/Id')
+commit_text=$(echo "${commit_text}" | sed -e '/^suggested-by:/Id')
+commit_text=$(echo "${commit_text}" | sed -e '/^tested-by:/Id')
+
 #########################
 # Compose the json knowing what we now know, using the 'jo' tool
@@ -577,16 +604,42 @@ if [[ "${MBOX_FILE}" != "" ]] ; then
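Review bot: The ten chained `commit_text=$(echo "${commit_text}" | sed ...)` assignments at the end of the hunk spawn a subshell plus a sed per trailer and feed commit-body text through `echo`, whose option handling depends on the first line of that data; a single call does the same filtering without either issue: `commit_text=$(printf '%s\n' "${commit_text}" | sed -E '/^(acked-by|cc|closes|fixes|link|reported(-and-tested)?-by|reviewed-by|signed-off-by|suggested-by|tested-by):/Id')`. The `I` address flag is a GNU sed extension either way, so if bippy is meant to run with other sed implementations that should be stated in the comment block above the calls. The anchors only match trailers at column 0, so an indented trailer (for example inside a quoted changelog) is kept; if that is deliberate, a short comment saying so would save the next reader from "fixing" it.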
 From: Linux Kernel CVE team <cve@kernel.org>
 Subject: ${CVE_NUMBER}: ${subject}
-${CVE_NUMBER} has been assigned for the following issue:
+Description
+===========
 ${commit_text}
-Affected versions:
+The Linux kernel CVE team has assigned ${CVE_NUMBER} to this issue.
+
+
+Mitigation
+==========
+
+The individual change to resolve this issue can be found at:
+ https://git.kernel.org/torvalds/c/${GIT_SHA_FULL}
+
+
+Affected versions
+=================
 EOF
 for line in "${vuln_array_mbox[@]}"; do
 echo " ${line}" >> ${MBOX_FILE}
 done
+cat << EOF >> "${MBOX_FILE}"
+
+
+Recomendation
+=============
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are not tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all.
+EOF
 dbg "mbox file written to ${MBOX_FILE}"
+
 fi # end mbox creation
+# all done!
+exit 0
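Review bot: `Recomendation` in the second here-document is misspelled in text that goes out in the mail itself; it should read `Recommendation`, with the `=` underline lengthened by one to match. The new `cat << EOF >> "${MBOX_FILE}"` quotes the redirection target while the neighbouring context line `echo " ${line}" >> ${MBOX_FILE}` does not, so a path containing whitespace would behave differently between the two writes; quoting the echo target as well keeps them consistent. The trailing `exit 0` after `fi` makes the script's status unconditionally zero for whatever reached that point, which is fine only if earlier failures already abort under `set -e`; the top of the script is outside this hunk, so I cannot confirm that.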