In an attempt to complete this TODO item from the wiki: automatically strip no-dsa tags by gen-DLA https://wiki.debian.org/LTS/TODO#automatically_strip_no-dsa_tags_by_gen-DLA
This is my very early attempt to modify the CVE parser so that it can write the results back to the CVE file again, meaning we can make deliberate modifications to the data before doing so. https://salsa.debian.org/snippets/354 Unfortunately, in making the required changes, it is no longer compatible with the previous API, as we need to keep track of all the data in such a way that any modifications are reversible. This is why I copied the files completely rather than trying to edit in place. The original parser makes certain changes that are not reversible and can produce slightly different results (e.g. different ordering of values, different white-space, etc.). Currently it produces a file with the following differences (see diff below): the first two changes are due to two tab characters being replaced by spaces (not sure it matters enough to try and fix this...) and the last was due to deliberate filtering (line 273). The filtering is currently hard coded; this should be called somehow by gen-DLA. Any comments or suggestions?
=== cut === --- data/CVE/list 2019-11-12 16:54:16.835792742 +1100 +++ a 2019-11-15 16:51:09.043817845 +1100 @@ -354371,7 +354371,7 @@ NOT-FOR-US: Trend Micro Anti-Rootkit Common Module CVE-2007-0855 (Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR an ...) - rar 1:3.7b1-1 (high; bug #410582) - [sarge] - rar <no-dsa> (Non-free) + [sarge] - rar <no-dsa> (Non-free) [etch] - rar <no-dsa> (Non-free) - unrar-nonfree 1:3.7.3-1 (high; bug #410580) [sarge] - unrar-nonfree 1:3.5.2-0.2 
@@ -359261,7 +359261,7 @@ NOT-FOR-US: BytesFall Explorer (bfExplorer) CVE-2006-5718 (Cross-site scripting (XSS) vulnerability in error.php in phpMyAdmin 2. ...) - phpmyadmin 4:2.9.0.3-1 (low; bug #396638) - [sarge] - phpmyadmin <not-affected> (Vulnerable code not present) + [sarge] - phpmyadmin <not-affected> (Vulnerable code not present) CVE-2006-5717 (Multiple cross-site scripting (XSS) vulnerabilities in Zend Google Dat ...) NOT-FOR-US: Zend Google Data Client Library (ZendGData) CVE-2006-5716 (Directory traversal vulnerability in aff_news.php in FreeNews 2.1 allo ...) @@ -376628,7 +376628,6 @@ NOT-FOR-US: Sun Java System Directory Server CVE-2005-3268 (yiff server (yiff-server) 2.14.2 on Debian GNU/Linux runs as root and ...) - yiff 2.14.2-8 (bug #334616; low) - [sarge] - yiff <no-dsa> (Only a minor privacy leak) CVE-2005-3267 (Integer overflow in Skype client before 1.4.x.84 on Windows, before 1. ...) NOT-FOR-US: Skype CVE-2005-3266 === cut === -- Brian May <b...@debian.org>
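Review bot: The only change in the rar hunk (@@ -354371) is indentation: `[sarge] - rar <no-dsa> (Non-free)` comes out with its leading tabs replaced by spaces, so the writer is not round-tripping whitespace even though reversibility is the stated goal. Suggest storing each annotation line verbatim (leading whitespace included) and emitting it unchanged unless the filter actually touched it; that makes this hunk disappear and keeps the resulting diff on data/CVE/list reviewable.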
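Review bot: The phpmyadmin hunk (@@ -359261) is the same whitespace-only rewrite: `[sarge] - phpmyadmin <not-affected> (Vulnerable code not present)` is unchanged apart from its indentation. If normalising tabs to spaces is wanted, do it once as a separate, deliberate commit rather than as a side effect of a gen-DLA run, otherwise every automated write-back will carry these spurious hunks.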
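Review bot: The yiff hunk (@@ -376628) deletes `[sarge] - yiff <no-dsa> (Only a minor privacy leak)` and with it the triage rationale in parentheses; nothing in the hunk shows where that reasoning is retained. Suggest that the hard-coded filter (snippet line 273, per the mail) take the target release from gen-DLA as a parameter, and that removed lines be logged or returned to the caller so the operation stays reversible as the rest of the mail intends. The header's line count dropping from 7 to 6 matches the single deletion, so the writer is otherwise consistent here.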
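An added example, not the salsa snippet itself, of the round-trip-preserving write-back the mail describes: a parser that keeps every line of data/CVE/list verbatim, a filter that strips <no-dsa> annotations for a chosen release and reports what it removed, and a writer whose output is byte-identical wherever the filter did not touch. The sample data and the function names are constructed for illustration and are not the security-tracker's own API.

```python
import re
# Constructed sample in the layout of data/CVE/list: a header line per CVE,
# then tab-indented annotations; the double-tab line mirrors the hunks above.
SAMPLE = (
    "CVE-2005-3268 (yiff server (yiff-server) 2.14.2 on Debian GNU/Linux runs as root and ...)\n"
    "\t- yiff 2.14.2-8 (bug #334616; low)\n"
    "\t[sarge] - yiff <no-dsa> (Only a minor privacy leak)\n"
    "CVE-2007-0855 (Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR an ...)\n"
    "\t- rar 1:3.7b1-1 (high; bug #410582)\n"
    "\t\t[sarge] - rar <no-dsa> (Non-free)\n"
    "\t[etch] - rar <no-dsa> (Non-free)\n"
    "\t[sarge] - unrar-nonfree 1:3.5.2-0.2\n"
)

# "[release] - package <tag> ..."; annotation lines without a <tag> never match.
RELEASE_TAG = re.compile(r"^\s*\[(?P<release>[^\]]+)\] - (?P<pkg>\S+) <(?P<tag>[^>]+)>")

def parse(text):
    """Split into (header, [annotation lines]) records, every line verbatim
    (indentation included) so that write(parse(x)) == x."""
    records = []
    for line in text.splitlines(keepends=True):
        if line[:1] in ("\t", " "):
            if not records:
                raise ValueError("annotation line before first CVE header")
            records[-1][1].append(line)
        else:
            records.append((line, []))
    return records

def strip_no_dsa(records, releases):
    """Drop <no-dsa> annotations for the given releases; return kept records
    and (CVE id, line) pairs for what was removed so the caller can log it."""
    kept, removed = [], []
    for header, notes in records:
        survivors = []
        for line in notes:
            m = RELEASE_TAG.match(line)
            if m and m.group("tag") == "no-dsa" and m.group("release") in releases:
                removed.append((header.split(" ", 1)[0], line))
            else:
                survivors.append(line)
        kept.append((header, survivors))
    return kept, removed

def write(records):
    """Serialise back to file text; untouched lines come out byte-identical."""
    return "".join(h + "".join(n) for h, n in records)
```

Running the filter with an empty release set is a no-op, which is the property the first two hunks currently violate.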