├── .gitignore ├── COPYING ├── ChangeLog ├── README.md ├── lpvs ├── lpvs-scan.pl ├── rpm_vercmp.py └── test └── test.pl /.gitignore: -------------------------------------------------------------------------------- 1 | # Object files 2 | *.o 3 | 4 | # Libraries 5 | *.lib 6 | *.a 7 | 8 | # Shared objects (inc. Windows DLLs) 9 | *.dll 10 | *.so 11 | *.so.* 12 | *.dylib 13 | 14 | # Executables 15 | *.exe 16 | *.out 17 | *.app 18 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 
27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. 
The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 
97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 
128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. 
However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. 
Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. 
Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. 
For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 
279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 
319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | , 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | 341 | -------------------------------------------------------------------------------- /ChangeLog: -------------------------------------------------------------------------------- 1 | Version 0.4 2 | 3 | * Replaced propietary version comparison with tools/library 4 | functions available for .deb and .rpm packages 5 | * Avoid checking .deb packages in state 'rc' 6 | 7 | 8 | 20.02.2013 Lars Windolf 9 | 10 | Version 0.3 11 | 12 | * Added "lpvs" tool to launch scanner and other commands. 13 | * Allow skipping acknowledged vulnerabilities (~/.lpvs) 14 | 15 | 16 | 19.01.2013 Lars Windolf 17 | 18 | Version 0.2.1 19 | 20 | * Fixes error message on feed parsing error. 
21 | (reported by JSC) 22 | * Allow for missing lsb_release tool on CentOS minimal install 23 | (reported by Mikhaul Emelchenkov) 24 | * Proper options parsing with getops 25 | * Changed license from Perl to GPLv2 or later 26 | * Set up github account 27 | 28 | 29 | 09.12.2012 Lars Windolf 30 | 31 | Version 0.2 32 | 33 | * New silent switch (-s) 34 | * New verbose switch (-v) 35 | * Works with older distros now 36 | * Fixes false positives 37 | 38 | 39 | 16.09.2012 Lars Windolf 40 | 41 | Version 0.1 42 | 43 | * Initial release 44 | * Support to check recent distributions of Ubuntu and CentOS 45 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | lpvs 2 | ==== 3 | 4 | Linux Package Vulnerability Scanner for CentOS and Ubuntu 5 | 6 | License: GPLv2 or later 7 | 8 | For more information visit the homepage http://lzone.de/lpvs 9 | 10 | Installation 11 | ============ 12 | 13 | Ensure to have Perl 5.10 and the required libraries installed: 14 | 15 | * XML::LibXSLT 16 | * XML::LibXML 17 | 18 | To install them on CentOS run the following command 19 | 20 | > yum install perl-XML-LibXML perl-XML-LibXSLT 21 | 22 | To install them on Ubuntu run the following command 23 | 24 | > apt-get install libxml-libxslt-perl 25 | 26 | Finally copy the "lpvs-scan.pl" to a location of your choice and provide it 27 | with the proper permissions. 
For example as root run: 28 | 29 | > cp lpvs lpvs-scan.pl /usr/local/bin 30 | > cd /usr/local/bin && chmod a+x lpvs lpvs-scan.pl 31 | -------------------------------------------------------------------------------- /lpvs: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | 3 | # Copyright (c) 2012-2013 Lars Windolf 4 | # 5 | # This program is free software; you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation; either version 2 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program; if not, write to the Free Software 17 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 18 | 19 | use strict; 20 | use File::Basename; 21 | 22 | sub usage { 23 | print "\n"; 24 | print "Syntax: lpvs.pl [options]\n"; 25 | print "\n"; 26 | print "Commands:\n"; 27 | print "\n"; 28 | print " scan Perform a vulnerability scan\n"; 29 | print " ignore Whitelist a vulnerability\n"; 30 | print " help Give help on a command\n"; 31 | print "\n"; 32 | exit(1); 33 | } 34 | 35 | usage() if($#ARGV == -1); 36 | my $command = shift(@ARGV); 37 | 38 | if($command eq "help") { 39 | usage() if($#ARGV == 0); 40 | } 41 | elsif($command eq "scan") { 42 | # Scanner is separate script, so for historic reasons just launch it 43 | exec ((dirname $0) . 
"/lpvs-scan.pl") or die "Could not run scanner: $!"; 44 | } 45 | 46 | usage(); 47 | -------------------------------------------------------------------------------- /lpvs-scan.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | 3 | # Copyright (c) 2012-2014 Lars Windolf 4 | # Copyright (C) 2004-2010 John Peacock 5 | # 6 | # This program is free software; you can redistribute it and/or modify 7 | # it under the terms of the GNU General Public License as published by 8 | # the Free Software Foundation; either version 2 of the License, or 9 | # (at your option) any later version. 10 | # 11 | # This program is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | # GNU General Public License for more details. 15 | # 16 | # You should have received a copy of the GNU General Public License 17 | # along with this program; if not, write to the Free Software 18 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 | 20 | use 5.010; 21 | use strict; 22 | use Term::ANSIColor; 23 | use XML::LibXSLT; 24 | use XML::LibXML; 25 | use LWP::UserAgent; 26 | use Getopt::Std; 27 | 28 | ################################################################################ 29 | # OS Configuration 30 | ################################################################################ 31 | 32 | my $apt_show_versions = 'apt-show-versions |grep "security upgradeable"'; 33 | my $aptitude = 'aptitude search "?and(~U,~Asecurity)"'; 34 | 35 | my %config = ( 36 | 'os' => { 37 | 'Ubuntu' => { 38 | 'pkgtype' => 'deb', 39 | 'pkgsource' => 'description', 40 | 'feed' => 'http://www.ubuntu.com/usn/rss.xml', 41 | 'upgrades' => [('/usr/lib/update-notifier/apt-check -p', $apt_show_versions, $aptitude)], 42 | 'revsplit' => '(-|~|ubuntu)' 43 | }, 44 | #'Debian' => { 45 | # 'pkgtype' => 'deb', 46 | 
# 'pkgsource' => 'link', 47 | # 'feed' => 'http://www.debian.org/security/dsa-long', 48 | # 'upgrades' => [('debsecan --format packages', $apt_show_versions, $aptitude)], 49 | # 'revsplit' => '(-|~)' 50 | #}, 51 | #'Redhat' => { 52 | # 'pkgtype' => 'rpm', 53 | # 'pkgsource' => 'link', 54 | # 'feed' => 'https://rhn.redhat.com/rpc/recent-errata.pxt' 55 | #}, 56 | 'CentOS' => { 57 | 'pkglist' => 'rpm -qa', 58 | 'pkgtype' => 'rpm', 59 | 'pkgquery' => 'rpm -q', 60 | 'pkgsource' => 'description', 61 | 'feed' => 'https://bodhi.fedoraproject.org/rss/updates/?type=security' 62 | # FIXME: define revsplit 63 | } 64 | }, 65 | 'pkg' => { 66 | 'deb' => { 67 | 'list' => 'dpkg -l | grep "^ii"', 68 | 'query' => 'dpkg -p', 69 | 'querytoversion' => 'Version:\s+(\S+)' 70 | }, 71 | 'rpm' => { 72 | 'list' => 'rpm -qa', 73 | 'query' => 'rpm -q --queryformat="%{VERSION}-%{RELEASE}.%{ARCH}" ', 74 | 'querytoversion' => '^(.*)$' 75 | } 76 | } 77 | ); 78 | 79 | my $verbose = 0; 80 | my $silent = 0; 81 | my $debug = 0; 82 | my %opts; 83 | 84 | getopts('hsvduV', \%opts); 85 | 86 | if($opts{'h'}) { 87 | print "\nUsage: $0 -hsvduV\n\n"; 88 | print " -h Print this help text.\n"; 89 | print " -s Silent mode. Only print warnings and errors.\n"; 90 | print " -v Verbose mode. Explains about skipped vulnerabilites.\n"; 91 | print " -d Debug mode. 
Explains about version comparisons.\n"; 92 | print " -u Check for security upgrades with OS specific check.\n"; 93 | print " -V Disable feed based checking.\n"; 94 | print "\n"; 95 | exit(0); 96 | } 97 | 98 | $silent = 1 if($opts{'s'}); 99 | $verbose = 1 if($opts{'v'}); 100 | $debug = 1 if($opts{'d'}); 101 | 102 | # Check for color support 103 | unless(-t 1 and `tput colors` >= 8) { 104 | $ENV{'ANSI_COLORS_DISABLED'} = 1; 105 | } 106 | 107 | ################################################################################ 108 | # Startup Checks 109 | ################################################################################ 110 | 111 | # First try lsb_release (we expect this to exist on Ubuntu, but have a fallback for CentOS) 112 | my $os = `lsb_release -is 2>/dev/null`; 113 | chomp $os; 114 | 115 | # CentOS fallback 116 | if(-f "/etc/redhat-release") { 117 | # /etc/redhat-release should have something like "CentOS release 5.x (xxx) 118 | my $tmp = `cat /etc/redhat-release`; 119 | if($tmp =~ /^CentOS\s+release\s+/) { 120 | $os = "CentOS"; 121 | } else { 122 | print STDERR "This Redhat-based distribution is not supported! Consider hacking $0 to add support.\n"; 123 | exit(1); 124 | } 125 | } 126 | 127 | if($os eq "") { 128 | print STDERR "Could not determine OS. Ensure 'lsb_release -s -i' works!\n"; 129 | exit(1); 130 | } 131 | 132 | unless(defined($config{'os'}->{$os})) { 133 | print STDERR "Sorry '$os' is currently not supported! 
Consider hacking $0 to add support.\n"; 134 | exit(1); 135 | } 136 | 137 | # Select configuration 138 | my $osConfig = $config{'os'}->{$os}; 139 | my $pkgConfig = $config{'pkg'}->{$osConfig->{'pkgtype'}}; 140 | 141 | my $packageList = `$pkgConfig->{'list'}`; 142 | print scalar $packageList =~ tr/\n// unless($silent); 143 | print " $os packages are installed.\n" unless($silent); 144 | 145 | ################################################################################ 146 | # Compare two versions 147 | # 148 | # $1 a safe version 149 | # $2 the version to check if it is safe 150 | # 151 | # Returns 152 | # -1 if first version is older 153 | # 0 for identical or package with higher revision 154 | # 1 if first version is newer 155 | ################################################################################ 156 | sub compare_versions { 157 | my ($version1, $version2) = @_; 158 | my $result = 0; 159 | 160 | # Split everything 161 | print "Compare $version1 <=> $version2... " if($debug); 162 | if($version1 ne $version2) { 163 | 164 | if($osConfig->{'pkgtype'} eq 'deb') { 165 | `dpkg --compare-versions "$version1" eq "$version2"`; 166 | if($? != 0) { 167 | `dpkg --compare-versions "$version1" lt "$version2"`; 168 | if($? 
== 0) { 169 | $result = -1; 170 | 171 | # We need to analyze revisions before deciding 172 | # this case to distinguish cases like those: 173 | # 174 | # 1.2.0-3ubuntu1.3 < 1.2.0-3.ubuntu1.2 (MATCH) 175 | # and 176 | # 1.2.0-3ubuntu1.3 < 1.5.0-4.ubuntu1.0 (MISS) 177 | # 178 | # So we compare versions and revisions 179 | if(defined($osConfig->{'revsplit'})) { 180 | my @tmp1 = split /$osConfig->{'revsplit'}/, $version1; 181 | my @tmp2 = split /$osConfig->{'revsplit'}/, $version2; 182 | $result = 0 if($tmp1[0] eq $tmp2[0]); 183 | print " revision detail: version #1: $tmp1[0] version #2: $tmp2[0] => " if($debug); 184 | } 185 | } else { 186 | $result = 1; 187 | } 188 | } elsif($osConfig->{'pkgtype'} eq 'rpm') { 189 | my $dir = dirname($0); 190 | `$dir/rpm_vercmp.py "$version1" "$version2"`; 191 | $result = $?; 192 | } else { 193 | die "No version comparison for this pkgtype yet."; 194 | } 195 | } 196 | } 197 | 198 | print $result . "\n" if($debug); 199 | return $result; 200 | } 201 | 202 | unless(defined($opts{'V'})) { 203 | 204 | ################################################################################ 205 | # Fetch Advisory Feed 206 | ################################################################################ 207 | 208 | print "Downloading advisory feed '$osConfig->{feed}' ...\n" unless($silent); 209 | 210 | my $ua = LWP::UserAgent->new; 211 | $ua->timeout(10); 212 | $ua->env_proxy; 213 | 214 | my $response = $ua->get($osConfig->{'feed'}); 215 | unless ($response->is_success) { 216 | die "Failed to fetch advisory feed! 
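(".$response->status_line.")";
}

# XSLT for Feed Normalization
#
# NOTE(review): the body of this heredoc is garbled in this listing (its XML
# markup was stripped by the renderer); only two apply-templates lines survive.
# It is left as found and must be checked against the repository.
my $feed_xslt = <
<xsl:apply-templates select="title"/>
<xsl:apply-templates select="rss:title"/>
EOT
;

# Normalize Feed: run the advisory feed through the stylesheet above and
# re-parse the result so that every feed flavour yields <item> elements with
# <title> and <description> children.
my $parser     = XML::LibXML->new();
my $xslt       = XML::LibXSLT->new();
my $source     = $parser->parse_string($response->decoded_content);
my $style_doc  = $parser->parse_string($feed_xslt);
my $stylesheet = $xslt->parse_stylesheet($style_doc);
my $results    = $stylesheet->transform($source);
my $doc        = $parser->parse_string($stylesheet->output_string($results));

################################################################################
# Process Advisories
################################################################################

# Package names are extracted from the (untrusted) feed text and end up both
# in a shell command line and in a regex below, so only names made of the
# characters a Debian/RPM package name may contain are accepted. A leading
# alphanumeric also keeps a name from being read as an option by the query tool.
my $safe_package_name = qr/\A[A-Za-z0-9][A-Za-z0-9+._-]*\z/;

foreach my $item ($doc->documentElement()->getChildrenByTagName("item")) {
    my $title       = @{$item->getChildrenByTagName("title")}[0]->textContent;
    my $description = @{$item->getChildrenByTagName("description")}[0]->textContent;
    chomp $title;

    my $found      = 0;    # at least one affected package is installed
    my $vulnerable = 0;    # at least one installed package has no fix installed
    my %packages;          # package name => { fixing version => 1, ... }

    # Skip vulnerability if acknowledged: a file named after the advisory id
    # exists in ~/.lpvs (the id pattern admits no '/', so it cannot leave
    # that directory)
    if($title =~ /^\s*([a-zA-Z0-9\-_\.]+):/ and -f "$ENV{HOME}/.lpvs/$1") {
        print color 'bold yellow';
        print "$title (acknowledged)\n";
        print color 'reset';
        next;
    }

    # Determine packages affected by advisory
    #
    # a) from the description text
    if($osConfig->{'pkgsource'} eq 'description') {
        if($osConfig->{'pkgtype'} eq 'deb') {
            # Ubuntu variant: the launchpad links come in (package, version)
            # pairs. An advisory without such links yields no package at all
            # (a do/while would have produced an empty package name here).
            my @links = ($description =~ m#href=.https://launchpad.net/ubuntu/\+source/[^>]*>([^<]+)#g);
            while(@links) {
                my ($package, $version) = splice(@links, 0, 2);
                # an unpaired trailing link has no version to record
                next unless defined $version;
                $packages{$package}{$version} = 1;
            }
        }

        # in text RPM variant: whitespace-delimited *.rpm file names, also at
        # the very start or end of the text (the former character classes
        # [\s^] / [\s$] matched literal '^' and '$' instead of anchoring)
        if($osConfig->{'pkgtype'} eq 'rpm') {
            my @rpms = ($description =~ m{(?<!\S)(\S+\.rpm)(?!\S)}g);
            foreach my $rpm (@rpms) {
                # name-version-release.arch.rpm: the name may itself contain
                # dashes (e.g. openssl-libs), version and release never do, so
                # the last two dash-separated fields are the version.
                if($rpm =~ /^([\w+.]+(?:-[\w+.]+)*)-([^-]+-[^-]+)\.rpm$/) {
                    my ($package, $version) = ($1, $2);
                    $packages{$package}{$version} = 1;
                }
            }
        }

    # b) from title
    #} elsif($osConfig->{'pkgsource'} eq 'title') {
    }

    foreach my $package (sort keys %packages) {
        # Refuse to hand a name with unexpected characters to the shell
        unless($package =~ $safe_package_name) {
            print "WARNING: ignoring suspicious package name '$package' in '$title'\n" unless($silent);
            next;
        }

        my $installed = 0;
        my $installedVersion;

        # Generic install check: a cheap substring test on the package list
        # first (quoted, as names like libstdc++6 are not valid regexes), then
        # ask the package manager for the installed version.
        if($packageList =~ /\Q$package\E/) {
            if(`$pkgConfig->{query} $package 2>/dev/null` =~ /$pkgConfig->{'querytoversion'}/) {
                # FIXME: RPM might return multiple installed package versions!
                # NOTE(review): relies on 'querytoversion' having a capture group
                $installedVersion = $1;
                $installed = 1;
            }
        }

        next unless($installed);
        $found = 1;

        # Check for vulnerable version: compare against every fixing version.
        # The verdict is kept per package so that an earlier vulnerable
        # package does not leak into the next one (or get cleared by it).
        my $package_vulnerable = 0;
        foreach my $version (keys %{ $packages{$package} }) {
            my $result = compare_versions($version, $installedVersion);
            if($verbose) {
                print color 'bold green'  if($result == 0);
                print color 'bold yellow' if($result == 1);
                print color 'bold green'  if($result == -1);
                print color 'reset';
            }

            # Simple case: one of the versions fixing the issue
            # is currently installed. We need no further checking
            if($result == 0) {
                $package_vulnerable = 0;
                last;
            }

            # The current version is older than at least one of
            # the suggested versions (old distro)
            $package_vulnerable = 1 if($result > 0);
        }

        if($package_vulnerable) {
            $vulnerable = 1;
            print color 'bold red';
            print "$title\n";
            print " -> Vulnerable '$package' version $installedVersion installed!\n\n";
            print color 'reset';
            print " You should update to one of the following versions:\n\n";
            foreach my $version (sort keys %{ $packages{$package} }) {
                print " $version\n";
            }
            print "\n";
        }
    }

    # Summary line for advisories not reported as vulnerable above
    unless($silent) {
        if(!$found) {
            # none of the affected packages is installed at all
            if($verbose) {
                print color 'yellow';
                print "$title\n";
            }
        } elsif(!$vulnerable) {
            print color 'bold green';
            print "$title\n";
        }
        print color 'reset';
    }
}

# Check for other uninstalled security upgrades (not listed by security feed)
if($opts{'u'}) {
    if(defined($osConfig->{'upgrades'})) {
        # Each entry is a command line from the distro configuration (not from
        # the feed) that exits 0 when upgrades are pending.
        foreach my $check (@{$osConfig->{'upgrades'}}) {
            my $output = `$check 2>&1`;
            if($? == 0) {
                print color 'bold yellow';
                # FIXME: Useful warning output
                print "WARNING: '$check' reports additional available security upgrades:\n";
                print $output . "\n";
                print color 'reset';
                last;
            }
        }
    } else {
        print "WARNING: Sorry, no upgrade check supported for this distro!\n";
    }
}

print "Done.\n" unless($silent);
--------------------------------------------------------------------------------
/rpm_vercmp.py:
--------------------------------------------------------------------------------
#!/usr/bin/python


# From http://stackoverflow.com/questions/3206319/how-do-i-compare-rpm-versions-in-python
#
# (c) 2014 Steve Kehlet
#
# Compare two RPM version strings with librpm and report the result through
# the exit status: 0 = equal, 255 (exit -1) = first is newer, 1 = second is
# newer. Python 2 only (print statement, tuple parameter unpacking).

import rpm
import sys
from rpmUtils.miscutils import stringToVersion

if len(sys.argv) != 3:
    # NOTE(review): the usage string appears truncated in this listing;
    # verify it against the repository.
    print "Usage: %s "
    sys.exit(1)

def vercmp((e1, v1, r1), (e2, v2, r2)):
    # (epoch, version, release) triples as produced by stringToVersion
    return rpm.labelCompare((e1, v1, r1), (e2, v2, r2))

(e1, v1, r1) = stringToVersion(sys.argv[1])
(e2, v2, r2) = stringToVersion(sys.argv[2])

rc = vercmp((e1, v1, r1), (e2, v2, r2))
if rc > 0:
    #print "%s:%s-%s is newer" % (e1, v1, r1)
    sys.exit(-1)

elif rc == 0:
    sys.exit(0)

elif rc < 0:
    #print "%s:%s-%s is newer" % (e2, v2, r2)
    sys.exit(1)
--------------------------------------------------------------------------------
/test/test.pl:
--------------------------------------------------------------------------------
#!/usr/bin/perl -w
use strict;
use warnings;

# Compare two Debian-style version strings piece by piece. Both strings are
# split into '-', '.', runs of digits and runs of other characters; pieces
# are compared pairwise, numerically for digit runs without a leading zero
# and as strings otherwise. Returns -1, 0 or 1 like <=>. The ($$) prototype
# is kept on purpose so the sub also works as a sort comparator.
sub versioncmp( $$ ) {
    my @A = ($_[0] =~ /([-.]|\d+|[^-.\d]+)/g);
    my @B = ($_[1] =~ /([-.]|\d+|[^-.\d]+)/g);

    my ($A, $B);
    while (@A and @B) {
        $A = shift @A;
        $B = shift @B;

        # a '-' sorts before anything that is not a '-', likewise for '.'
        if ($A eq '-' and $B eq '-') {
            next;
        } elsif ( $A eq '-' ) {
            return -1;
        } elsif ( $B eq '-') {
            return 1;
        } elsif ($A eq '.' and $B eq '.') {
            next;
        } elsif ( $A eq '.' ) {
            return -1;
        } elsif ( $B eq '.' ) {
            return 1;
        } elsif ($A =~ /^\d+$/ and $B =~ /^\d+$/) {
            # leading zeros make the numeric value ambiguous: compare as text
            if ($A =~ /^0/ || $B =~ /^0/) {
                return $A cmp $B if $A cmp $B;
            } else {
                return $A <=> $B if $A <=> $B;
            }
        } else {
            # alphabetic pieces compare case-insensitively
            $A = uc $A;
            $B = uc $B;
            return $A cmp $B if $A cmp $B;
        }
    }

    # common prefix is equal: the string with more pieces left is newer
    return @A <=> @B;
}

# Print the comparison of two versions, one line per call
sub test($$) {
    my ($v1, $v2) = @_;

    print "$v1 <=> $v2 = " . versioncmp($v1, $v2) . "\n";
}

test("1ubuntu1.1", "1ubuntu0");
test("1ubuntu1.1", "1ubuntu1");
test("1ubuntu1.1", "1ubuntu2");
test("1ubuntu1.1", "1ubuntu1.0");
test("1ubuntu1.1", "1ubuntu1.1");
test("1ubuntu1.1", "1ubuntu1.2");
test("1ubuntu2.1", "1ubuntu0");
test("1ubuntu2.1", "1ubuntu1");
test("1ubuntu2.1", "1ubuntu2");

--------------------------------------------------------------------------------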