update: update openssl KnownVuln scan to handle all recent versions

Thanks to @bubu for reporting!
2024-11-18 20:50:10 +01:00 · 2017-07-06 13:25:14 +02:00 · 2017-07-06 13:25:14 +02:00 · 4a15208b84
commit 4a15208b84
parent 928633ddba
2 changed files with 34 additions and 2 deletions
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@ -513,8 +513,9 @@ def has_known_vulnerability(filename):
                    m = has_known_vulnerability.pattern.search(chunk)
                    if m:
                        version = m.group(1).decode('ascii')
-                        if version.startswith('1.0.1') and version[5] >= 'r' \
-                           or version.startswith('1.0.2') and version[5] >= 'f':
+                        if (version.startswith('1.0.1') and len(version) > 5 and version[5] >= 'r') \
+                           or (version.startswith('1.0.2') and len(version) > 5 and version[5] >= 'f') \
+                           or re.match(r'[1-9]\.[1-9]\.[0-9].*', version):
                            logging.debug('"%s" contains recent %s (%s)', filename, name, version)
                        else:
                            logging.warning('"%s" contains outdated %s (%s)', filename, name, version)
--- a/tests/openssl-version-check-test.py
+++ b/tests/openssl-version-check-test.py
@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+#
+# implementing a version check of known bad OpenSSL versions, for example:
+# https://support.google.com/faqs/answer/6376725?hl=en
+#
+# This is used in update.has_known_vulnerability()
+
+import re
+import requests
+
+# this list was generated using:
+# for f in `curl  | grep -Eo '[0-9]\.[0-9]\.[0-9][a-z]?' | sort -u`; do echo "'$f',"; done
+versions = [
+]
+
+r = requests.get('https://www.openssl.org/news/changelog.html')
+
+safe = set()
+bad = set()
+
+for m in re.findall(b'[0-9]\.[0-9]\.[0-9][a-z]?', r.content):
+    version = str(m, encoding='utf-8')
+    if (version.startswith('1.0.1') and len(version) > 5 and version[5] >= 'r') \
+      or (version.startswith('1.0.2') and len(version) > 5 and version[5] >= 'f') \
+      or re.match(r'[1-9]\.[1-9]\.[0-9].*', version):
+        safe.add(version)
+    else:
+        bad.add(version)
+
+print('safe:', sorted(safe))
+print('bad:', sorted(bad))