intel
diff --git a/Diff for: ‎.coveragerc
+13 b/Diff for: ‎.coveragerc
+13
diff --git a/Diff for: ‎.gitignore
+9 b/Diff for: ‎.gitignore
+9
diff --git a/Diff for: ‎LICENSE.md
+675 b/Diff for: ‎LICENSE.md
+675
diff --git a/Diff for: ‎MANUAL.md
+267 b/Diff for: ‎MANUAL.md
+267
diff --git a/Diff for: ‎README.md
+79 b/Diff for: ‎README.md
+79
@@ -0,0 +1,13 @@
+[run]
+source =
+    cve_bin_tool
+    test
+branch = True
+
+[report]
+exclude_lines =
+    no cov
+    no qa
+    noqa
+    pragma: no cover
+    if __name__ == .__main__.:
@@ -0,0 +1,9 @@
+*.swp
+*.pyc
+__pycache__/
+*.extracted
+.venv*
+*.egg-info/
+*.out
+htmlcov/
+.coverage
@@ -0,0 +1,267 @@
+CVE checker for binary code User Manual
+=======================================
+
+This tool scans for a number of common, vulnerable open source components
+(openssl, libpng, libxml2, expat and a few others) to let you know if your
+system includes common libraries with known vulnerabilities, known as CVEs
+(Common Vulnerabilities and Exposures).
+
+Usage:
+`cve-bin-tool <flags> <path to directory>`
+
+    Possible output levels:
+    -v (verbose): print scan results as they're found
+       (regular): print only final summary
+    -q (quiet):   suppress all output but exit with error
+                  number indicating number of files with CVE
+
+    Other options:
+    -x (extract): Autoextract compressed files
+
+For a quick overview of usage and how it works, you can also see [the readme file](README.md).
+
+
+Table of Contents
+-----------------
+- [CVE checker for binary code User Manual](#cve-checker-for-binary-code-user-manual)
+  - [Table of Contents](#table-of-contents)
+  - [How it works](#how-it-works)
+  - [Installing](#installing)
+  - [Fixing Known Issues / What should I do if it finds something?](#fixing-known-issues--what-should-i-do-if-it-finds-something)
+  - [Limitations](#limitations)
+  - [Output Samples](#output-samples)
+    - [Default Mode](#default-mode)
+    - [Verbose Mode](#verbose-mode)
+    - [Quiet Mode](#quiet-mode)
+  - [Feedback & Contributions](#feedback--contributions)
+  - [Security Issues](#security-issues)
+
+How it works
+------------
+This scanner looks at the strings found in binary files to see if they
+match vulnerable versions of a small set of popular open source libraries.
+
+It does not attempt to exploit issues or examine code in greater detail.
+As such, it cannot tell if someone has backported fixes to an otherwise
+vulnerable version, it merely provides a mapping between strings, versions, and
+known CVEs.
+
+A [list of currently available checkers](checkers/) can be found in the checkers
+directory, as can the [instructions on how to add a new
+checker](cve_bin_tool/checkers/README.md).  Support for new checkers can be requested
+via [GitHub
+issues](https://github.com/intel/cve-bin-tool/issues).
+(Please note, you will need to be logged in to add a new issue.)
+
+
+This tool gives a list of CVE numbers.  For those not familiar with the process, these can be looked up using a number of different tools, such as the [vulnerability search on the CVE Details website](https://www.cvedetails.com/vulnerability-search.php).  Each CVE filed contains a short summary of the issue (also printed when you use the -v flag in this tool), a set of severity scores that are combined to make a CVSS score, a list of products known to be affected, and links to more information (which may include links to sample exploits as well as patches to fix the issue).
+
+Installing
+----------
+
+`cve-bin-tool` can be installed via pip. If your `PATH` environment variable is
+properly configured, installation will result in `cve-bin-tool` being accessible
+globally. If not you can treat `cve-bin-tool` as `python -m cve_bin_tool.cli` in
+the documentation.
+
+```console
+pip install cve-bin-tool
+```
+
+If you want the latest and greatest between releases you can grab from GitHub.
+
+```console
+pip install git+https://github.com/intel/cve-bin-tool
+```
+
+CVE Binary Tool relies on a few command line utilities which are usually present
+on GNU/Linux systems but you may need to install.
+
+- file
+- strings
+- tar
+- unzip
+- rpm2cpio
+- cpio
+- ar
+- cabextract
+
+Fixing Known Issues / What should I do if it finds something?
+-------------------------------------------------------------
+
+The most recommended way to fix a given CVE is to upgrade the package to a
+non-vulnerable version.  Ideally, a CVE is only made public after a fix is
+available, although this is not always the case.
+
+If this is not possible for some reason, search for the CVE number to get
+information on possible workarounds and patches that could be backported to
+other versions.  Note that neither workarounds nor backported fixes can be
+detected by this tool, so your binary will continue to show up as vulnerable
+even though it may now be safely mitigated and the result a false positive.
+
+Limitations
+-----------
+
+When running this script, Python 3 is preferred over Python 2.7. This tool
+was developed for Linux and expects a number of common Linux utilities.  It
+can be run on Windows using cygwin or other option to ensure these utilities
+are installed.
+
+This tool does not scan for all possible known public vulnerabilities, it only
+scans for specific commonly vulnerable open source components.   A complete
+list of currently supported library checkers can be found in [the checkers 
+directory](https://github.com/intel/cve-bin-tool/tree/master/checkers).
+
+As the name implies, this tool is intended for use with binaries.  If you have
+access to a known list of package names and versions, you may wish to use
+another tool such as the [CVE check tool
+here](https://github.com/ikeydoherty/cve-check-tool) which covers a larger
+database of known public issues.
+
+Output Samples
+--------------
+
+The tool has several different output modes, from most information to least as follows:
+
+1. Verbose mode (-v) Prints scan results as they're found (while crawling a directory)
+2. Regular mode (no flag) prints only the final summary of findings
+3. Quiet mode (-q) suppresses all output but exits with an error number indicating the number of files with known CVEs.  This is intended for continuous integration and headless tests, while the other modes are all more human-friendly.
+
+Although the examples in this section show results for a single library to make them shorter and easier to read, the tool was designed to be run on entire directories and will scan all files in a directory if one is supplied.
+
+### Default Mode
+
+The default mode for the cve-bin-tool prints only a final summary of results,
+without CVE descriptions or information while the scan is progressing. It
+outputs a CSV with the results to stdout. In the form of `package name, version,
+CVE number, CVE severity`. Below is an example of it being run on curl:
+
+```
+terri@sandia:~/Code/cve-bin-tool$ cve-bin-tool /usr/bin/curl
+Connecting to NVD database and extracting the CVE list ... Please hold on.. This
+will take few minutes...
+Last Update: 2019-01-18
+Local database has been updated in the past 24h.
+New data not downloaded.  Remove old files to force the update.
+
+Overall CVE summary:
+There are 1 files with known CVEs detected
+Known CVEs in curl 7.58.0:
+curl,7.58.0,CVE-2018-0500,CRITICAL
+curl,7.58.0,CVE-2018-1000120,CRITICAL
+curl,7.58.0,CVE-2018-1000121,HIGH
+curl,7.58.0,CVE-2018-1000122,CRITICAL
+curl,7.58.0,CVE-2018-1000300,CRITICAL
+curl,7.58.0,CVE-2018-1000301,CRITICAL
+curl,7.58.0,CVE-2018-16839,CRITICAL
+curl,7.58.0,CVE-2018-16842,CRITICAL
+```
+
+This mode is meant to give the user enough information that they can
+investigate further, but it omits the severity information so that the tool can
+run more quickly without the additional database lookups.
+
+### Verbose Mode
+The verbose mode is another human-friendly mode.  Unlike default mode, it
+prints results per file as they're found, as well as printing the final
+summary, so you can see its progress as it traverses directories.  It also
+provides detailed descriptions of the CVEs found including severity so that
+users can make educated decisions about the risks of a given out-of-date
+library.
+
+> `1/18/2019` Verbose mode currently omits CVE descriptions
+
+Sample output on openssl1.0.2.g:
+
+```
+terri@sandia:~/Code/cve-bin-tool$ cve-bin-tool -v /usr/bin/openssl 
+/usr/bin/openssl contains openssl 1.0.2g
+Known CVEs in version 1.0.2g
+CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 CVE-2016-7052 CVE-2016-6304 CVE-2016-2183 CVE-2016-6303 CVE-2016-6302 CVE-2016-2182 CVE-2016-2180 CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2181 CVE-2016-6306 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 CVE-2016-2176  
+CVE-2016-2105 (7.5-H)
+        Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
+CVE-2016-2106 (7.5-H)
+        Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
+CVE-2016-2107 (5.9-M)
+        The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session, NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
+CVE-2016-2109 (7.5-H)
+        The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
+CVE-2016-2176 (8.2-H)
+        The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
+CVE-2016-2177 (5.9-M)
+        OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
+CVE-2016-2178 (5.5-M)
+        The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
+CVE-2016-2179 (7.5-H)
+        The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.
+CVE-2016-2180 (7.5-H)
+        The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command.
+CVE-2016-2181 (7.5-H)
+        The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.
+CVE-2016-2182 (9.8-C)
+        The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
+CVE-2016-2183 (5.3-M)
+        The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
+CVE-2016-6302 (7.5-H)
+        The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.
+CVE-2016-6303 (9.8-C)
+        Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
+CVE-2016-6304 (7.5-H)
+        Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
+CVE-2016-6306 (5.9-M)
+        The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
+CVE-2016-7052 (7.5-H)
+        crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.
+CVE-2016-7055 (Error)
+
+CVE-2017-3731 (Error)
+
+CVE-2017-3732 (Error)
+
+
+Overall CVE summary: 
+There are 1 files with known CVEs detected
+Known cves in  ['openssl1.0.2g'] :
+['CVE-2016-2105', 'CVE-2016-2106', 'CVE-2016-2107', 'CVE-2016-2109', 'CVE-2016-2176', 'CVE-2016-2177', 'CVE-2016-2178', 'CVE-2016-2179', 'CVE-2016-2180', 'CVE-2016-2181', 'CVE-2016-2182', 'CVE-2016-2183', 'CVE-2016-6302', 'CVE-2016-6303', 'CVE-2016-6304', 'CVE-2016-6306', 'CVE-2016-7052', 'CVE-2016-7055', 'CVE-2017-3731', 'CVE-2017-3732']
+```
+
+Note that the ones listed as "Error" are new items where the database has not yet been updated with vulnerability information.  This information could easily be found by searching for the CVE numbers using a regular search engine or through a CVE website such as http://cvedetails.com
+
+Also, please note that the severities shown are the ones from the public CVE
+databases.  The actual severity for a given product may be different based on
+what parts of the library are used and what other mitigating factors may be in
+effect.
+
+
+### Quiet Mode
+
+As the name implies, quiet mode has no console output, and one must check the
+return code to see if any issues were found.
+
+Below is what it returns on bash when one file is found to have CVEs:
+```
+terri@sandia:~/Code/cve-bin-tool$ cve-bin-tool -q /usr/bin/openssl 
+terri@sandia:~/Code/cve-bin-tool$ echo $?
+1
+```
+
+Feedback & Contributions
+------------------------
+
+Bugs and feature requests can be made via [GitHub
+issues](https://github.com/intel/cve-bin-tool).  Be aware that these issues are
+not private, so take care when providing output to make sure you are not
+disclosing security issues in other products.
+
+Pull requests are also welcome via git.
+
+
+Security Issues
+---------------
+
+Security issues with the tool itself can be reported to Intel's security
+incident response team via
+[https://intel.com/security](https://intel.com/security).
+
+If in the course of using this tool you discover a security issue with someone
+else's code, please disclose responsibly to the appropriate party.
@@ -0,0 +1,79 @@
+CVE checker for binary code
+===========================
+
+This tool scans for a number of common, vulnerable open source components
+(openssl, libpng, libxml2, expat and a few others) to let you know if your
+system includes common libraries with known vulnerabilities.
+
+Usage:
+`python -m cve_bin_tool.cli <flags> <path to directory>`
+
+    Possible output levels:
+    -v (verbose): print scan results as they're found
+       (regular): print only final summary
+    -q (quiet):   suppress all output but exit with error
+                  number indicating number of files with CVE
+
+    Other options:
+    -x (extract): Autoextract compressed files
+
+When running this script, Python 3 is preferred over Python 2.7 because it has
+been more tested, but both versions should work.
+
+This readme is intended to be a quickstart guide for using the tool.  If you
+require more information, there is also a [user manual](MANUAL.md) available.
+
+How it works
+------------
+
+This scanner looks at the strings found in binary files to see if they
+match certain vulnerable versions of the following libraries and tools:
+
+* curl
+* expat
+* libnss
+* node.js
+* openssl
+* png
+* tiff
+* xerces
+* xml2
+* zlib
+
+All the checkers can be found in the checkers directory, as can the
+[instructions on how to add a new checker](cve_bin_tool/checkers/README.md).
+Support for new checkers can be requested via
+[GitHub issues](https://github.com/intel/cve-bin-tool/issues).
+
+Limitations
+-----------
+
+This scanner does not attempt to exploit issues or examine the code in greater
+detail; it only looks for library signatures and version numbers.  As such, it
+cannot tell if someone has backported fixes to a vulnerable version, and it
+will not work if library or version information was intentionally obfuscated.
+
+This tool is meant to be used as a quick-to-run, easily-automatable check in a
+non-malicious environment so that developers can be made aware of old libraries
+with security issues that have been compiled into their binaries.
+
+Feedback & Contributions
+------------------------
+
+Bugs and feature requests can be made via [GitHub
+issues](https://github.com/intel/cve-bin-tool).  Be aware that these issues are
+not private, so take care when providing output to make sure you are not
+disclosing security issues in other products.
+
+Pull requests are also welcome via git.
+
+Security Issues
+---------------
+
+Security issues with the tool itself can be reported to Intel's security
+incident response team via
+[https://intel.com/security](https://intel.com/security).
+
+If in the course of using this tool you discover a security issue with someone
+else's code, please disclose responsibly to the appropriate party.
+