I can give some help.

I try to understand the scripts.

One problem I noticed is that since the update of the DSA format (DSA-2134), we 
lose the part where the corrected packages are listed:



--extract--

Fixed in:

    Debian GNU/Linux 5.0 (lenny)

    Source:
        http://security.debian.org/pool/updates/main/c/collectd/collectd_4.4.2-3+lenny1.dsc
        Size/MD5 checksum: 1742 7eb809863e35c70e5da831ef83e5935b
        http://security.debian.org/pool/updates/main/c/collectd/collectd_4.4.2.orig.tar.gz
        Size/MD5 checksum: 1220408 dbffe35a2d19840e86253c7052485ff0
        http://security.debian.org/pool/updates/main/c/collectd/collectd_4.4.2-3+lenny1.diff.gz
        Size/MD5 checksum: 38096 6e0579c82d00a84da53d06eba261a157

    Architecture-independent component:
        http://security.debian.org/pool/updates/main/c/collectd/collectd-dev_4.4.2-3+lenny1_all.deb
        Size/MD5 checksum: 58100 6ab2decfb0f6d4822bd399f83acde4bf

    Alpha:
        http://security.debian.org/pool/updates/main/c/collectd/collectd-dbg_4.4.2-3+lenny1_alpha.deb
        Size/MD5 checksum: 476094 3ba6081a7bda823e51deb57e670681a6
        http://security.debian.org/pool/updates/main/c/collectd/collectd_4.4.2-3+lenny1_alpha.deb
        Size/MD5 checksum: 465310 512bcae97e48588f6f8e3c06b71b4a05

--extract--



But the script is looking for this part to build a correct OVAL definition 
(line 110 of the /parser/dsa.py script).

With the new format this information is no longer explicitly present, and will 
be more difficult to extract:



--extract--

More information:

    Yang Dingning discovered a double free in libxml's Xpath processing, which 
    might allow the execution of arbitrary code.

    For the stable distribution (lenny), this problem has been fixed in version 
    2.6.32.dfsg-5+lenny3.

    For the upcoming stable distribution (squeeze) and the unstable 
    distribution (sid), this problem has been fixed in version 2.7.8.dfsg-2.

--extract--



So I see two ways:

- No change to the DSA format, but a complex evolution of the dsa.py parser, which 
  must rebuild the package name, with the following constraints:

    - we lose the arch part of the package that fixed the problem 
      (what happens if a DSA impacts only some archs and not others?)

    - the sentence format "For the stable distribution (lenny), 
      this problem has been fixed in version 2.6.32.dfsg-5+lenny3" must not evolve, 
      to be correctly parsed.

- Evolution of the DSA format, to re-integrate somewhere (even in hidden 
  fields) the list of the packages that fixed the problem (without MD5SUM, because 
  that was the goal of the DSA format evolution), and

    - minor adaptation of the parser/dsa.py script.





What do you think?

Cheers,

--Pierre
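To make the two parsing options above concrete, here is an added example (not part of the mail above and not the project's parser/dsa.py) that handles both layouts: a line walker for the old "Fixed in:" block, which recovers package name, version and architecture from each pool file name, and a sentence matcher for the new "fixed in version" prose, which can only yield a codename-to-version map. The type name FixedFile and all function names are hypothetical; the sample inputs are constructed from the two extracts quoted in the mail.

```python
"""Added example, not from the mail above or from parser/dsa.py: extract the
"fixed in" data an OVAL definition needs from Debian DSA text, in both the
old "Fixed in:" layout and the newer "fixed in version" sentence form."""
import re
from typing import Dict, List, NamedTuple, Optional


class FixedFile(NamedTuple):
    """One file listed under an old-style 'Fixed in:' block (hypothetical type)."""
    distribution: str    # codename, e.g. "lenny"
    section: str         # "Source", "Architecture-independent component", "Alpha", ...
    url: str
    package: str         # package name recovered from the file name
    version: str         # version recovered from the file name
    arch: Optional[str]  # "all", "alpha", ...; None for source files
    size: int
    md5: str


DIST_RE = re.compile(r"^Debian GNU/Linux [\d.]+ \((?P<dist>\w+)\)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z][A-Za-z0-9 /-]*):$")
URL_RE = re.compile(r"^(?P<url>https?://\S+)$")
CHECKSUM_RE = re.compile(r"^Size/MD5 checksum:\s+(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})$")
DEB_NAME_RE = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*)_(?P<ver>[^_]+)_(?P<arch>[a-z0-9]+)\.deb$")
SRC_NAME_RE = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*)_(?P<ver>.+?)(?:\.orig\.tar\.gz|\.diff\.gz|\.dsc)$")
# New layout: "For the <dist> (<codename>)[ and the <dist> (<codename>)], this
# problem has been fixed in version <version>."  Wrapped lines are tolerated.
SENTENCE_RE = re.compile(
    r"For the (?P<dists>.+?), (?:this|these) problems? (?:has|have) been fixed in "
    r"version\s+(?P<version>[\w.+~:-]+)", re.S)
CODENAME_RE = re.compile(r"\((\w+)\)")


def split_filename(url: str):
    """Recover (package, version, arch) from a pool file name; arch is None for sources."""
    name = url.rsplit("/", 1)[-1]
    if (m := DEB_NAME_RE.match(name)):
        return m["pkg"], m["ver"], m["arch"]
    if (m := SRC_NAME_RE.match(name)):
        return m["pkg"], m["ver"], None
    raise ValueError(f"unrecognised Debian file name: {name}")


def parse_fixed_in_block(text: str) -> List[FixedFile]:
    """Old format: walk distribution / section / URL / checksum lines in order."""
    files: List[FixedFile] = []
    dist = section = pending_url = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := DIST_RE.match(line)):
            dist = m["dist"]
        elif (m := SECTION_RE.match(line)):
            section = m["section"]
        elif (m := URL_RE.match(line)):
            pending_url = m["url"]
        elif (m := CHECKSUM_RE.match(line)) and pending_url and dist and section:
            pkg, ver, arch = split_filename(pending_url)
            files.append(FixedFile(dist, section, pending_url, pkg, ver, arch,
                                   int(m["size"]), m["md5"]))
            pending_url = None
    return files


def fixed_versions_from_files(files: List[FixedFile]) -> Dict[str, str]:
    """codename -> fixed source version, read from the .dsc entries."""
    return {f.distribution: f.version for f in files if f.url.endswith(".dsc")}


def parse_fixed_sentences(text: str) -> Dict[str, str]:
    """New format: codename -> fixed version; per-arch binaries are not recoverable."""
    fixed: Dict[str, str] = {}
    for m in SENTENCE_RE.finditer(text):
        version = m["version"].rstrip(".")  # drop the sentence's full stop
        for codename in CODENAME_RE.findall(m["dists"]):
            fixed[codename] = version
    return fixed


# Sample inputs constructed from the two extracts quoted in the mail above.
OLD_FORMAT = """\
Fixed in:
    Debian GNU/Linux 5.0 (lenny)
    Source:
http://security.debian.org/pool/updates/main/c/collectd/collectd_4.4.2-3+lenny1.dsc
        Size/MD5 checksum: 1742 7eb809863e35c70e5da831ef83e5935b
http://security.debian.org/pool/updates/main/c/collectd/collectd_4.4.2.orig.tar.gz
        Size/MD5 checksum: 1220408 dbffe35a2d19840e86253c7052485ff0
    Architecture-independent component:
http://security.debian.org/pool/updates/main/c/collectd/collectd-dev_4.4.2-3+lenny1_all.deb
        Size/MD5 checksum: 58100 6ab2decfb0f6d4822bd399f83acde4bf
    Alpha:
http://security.debian.org/pool/updates/main/c/collectd/collectd-dbg_4.4.2-3+lenny1_alpha.deb
        Size/MD5 checksum: 476094 3ba6081a7bda823e51deb57e670681a6
"""
NEW_FORMAT = """\
For the stable distribution (lenny), this problem has been fixed in version
2.6.32.dfsg-5+lenny3.

For the upcoming stable distribution (squeeze) and the unstable
distribution (sid), this problem has been fixed in version 2.7.8.dfsg-2.
"""
```

Running `parse_fixed_in_block(OLD_FORMAT)` yields one FixedFile per pool file, with `arch` set to "all" or "alpha" for the binaries, whereas `parse_fixed_sentences(NEW_FORMAT)` can only produce `{"lenny": ..., "squeeze": ..., "sid": ...}`: the architecture list and the per-binary package names are exactly the data the first option in the mail has to do without, and any change to the sentence wording breaks SENTENCE_RE.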


