RedHatProductSecurity · jasinner · Sep 2, 2024
diff --git a/advisory_parser/parsers/chrome.py b/advisory_parser/parsers/chrome.py
@@ -22,15 +22,11 @@
 def parse_chrome_advisory(url):
     advisory_text = get_text_from_url(url)
 
-    # Workaround for advisories that do not use <div>s for each CVE entry. E.g.:
-    # https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html
-    advisory_text = re.sub(r"(.)\[\$", r"\1\n[$", advisory_text)
-
     if "Security Fixes" not in advisory_text:
         raise AdvisoryParserTextException("No security fixes found in {}".format(url))
 
     # Throw away parts of the text after the blog post
-    flaws_text = advisory_text.split("Labels:\nStable updates")[0].strip()
+    flaws_text = advisory_text.split("Labels:\nDesktop Update")[0].strip()
 
     # Parse out public date
     match = re.search("^Stable Channel Update for Desktop\n(.+)", flaws_text, re.MULTILINE)
@@ -50,23 +46,35 @@ def parse_chrome_advisory(url):
     except ValueError:
         raise AdvisoryParserTextException("Could not find fixed-in version in {}".format(url))
 
-    # Filter out lines that contain CVEs
-    cve_lines = [line.strip() for line in flaws_text.split("\n") if CVE_REGEX.search(line)]
+    # There is no newline character between Flaw descriptions. We use '[TBD][123456]' to delimit.
+    cve_lines = []
+    bug_ids = []
+    matches = list(re.finditer(r"\[[A-Z]+\]\[(\d{6,})\]", flaws_text))
+    no_of_matches = len(matches)
+    for match_index in range(no_of_matches - 1):
+        bug_ids.append(matches[match_index].group(1))
+        cve_lines.append(flaws_text[matches[match_index].end() : matches[match_index + 1].start()])
+    cve_lines.append(flaws_text[matches[no_of_matches - 1].end() :])
+    bug_ids.append(matches[no_of_matches - 1].group(1))
     if not cve_lines:
         raise AdvisoryParserTextException("Could not find any CVEs in {}".format(url))
 
+    if len(cve_lines) != len(bug_ids):
+        raise AdvisoryParserTextException("Number of CVE IDs did not match the number of bug IDs")
+
     flaws, warnings = [], []
+    line_index = 0
     for line in cve_lines:
         # Parse each line containing information about a CVE, e.g.:
-        # [$7500][590275] High CVE-2016-1652: XSS in X. Credit to anonymous.
+        # High CVE-2016-1652: XSS in X. Credit to anonymous.
         # First, split into two groups by first encountered colon.
         metadata, text = line.split(":", maxsplit=1)
         if not metadata or not text:
             warnings.append("Could not parse line: {}".format(line))
             continue
 
         # If a line contains Various, it describes internal fixes, e.g.:
-        # [563930] CVE-2015-6787: Various fixes from internal audits...
+        # CVE-2015-6787: Various fixes from internal audits...
         if "Various" in text:
             impact = "important"
         else:
@@ -81,10 +89,9 @@ def parse_chrome_advisory(url):
             impact = impact.replace("high", "important")
             impact = impact.replace("medium", "moderate")
 
-        bug_ids = re.findall(r"\d{6,}", metadata)
         cves = CVE_REGEX.findall(metadata)
-        if not bug_ids and not cves:
-            warnings.append("Could not find CVEs or bugs; skipping: {}".format(line))
+        if not cves:
+            warnings.append("Could not find CVEs skipping: {}".format(line))
             continue
 
         summary = text.split(".")[0].strip()
@@ -109,8 +116,9 @@ def parse_chrome_advisory(url):
         summary = "chromium-browser: " + summary
 
         description += "\n\nUpstream bug(s):\n"
-        for bug in bug_ids:
-            description += "\nhttps://code.google.com/p/chromium/issues/detail?id=" + bug
+        description += "\nhttps://code.google.com/p/chromium/issues/detail?id="
+        description += bug_ids[line_index]
+        line_index += 1
 
         com_url = (
             url if "blogspot.com" in url else re.sub(r"blogspot\.[^/]*/", "blogspot.com/", url)

diff --git a/tests/test_chrome_parser.py b/tests/test_chrome_parser.py
@@ -19,56 +19,57 @@ def load_test_data(fname):
 
 @patch("advisory_parser.parsers.chrome.get_text_from_url")
 def test_parser(get_text_from_url):
-    get_text_from_url.return_value = load_test_data("chrome_2017-06-15.txt")
-    url = "https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop_15.html"
+    get_text_from_url.return_value = load_test_data("chrome_2024-08-28.txt")
+    url = "https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_28.html"
     flaws, warnings = parse_chrome_advisory(url)
 
     assert not warnings
-    assert len(flaws) == 3
+    assert len(flaws) == 4
     assert vars(flaws[0]) == {
-        "summary": "chromium-browser: Sandbox Escape in IndexedDB",
+        "summary": "chromium-browser: Type Confusion in V8",
         "cvss3": "8.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
-        "description": "A sandbox escape flaw was found in the IndexedDB component of the Chromium browser.\n\nUpstream bug(s):\n\nhttps://code.google.com/p/chromium/issues/detail?id=725032",
-        "from_url": "https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop_15.html",
-        "fixed_in": {"chromium-browser": ["59.0.3071.104"]},
+        "description": "A type confusion flaw was found in the V8 component of the Chromium browser.\n\nUpstream bug(s):\n\nhttps://code.google.com/p/chromium/issues/detail?id=351865302",
+        "from_url": "https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_28.html",
+        "fixed_in": {"chromium-browser": ["128.0.6613.113"]},
         "cvss2": None,
         "advisory_id": None,
         "impact": "important",
-        "cves": ["CVE-2017-5087"],
-        "public_date": datetime.datetime(2017, 6, 15, 0, 0),
+        "cves": ["CVE-2024-7969"],
+        "public_date": datetime.datetime(2024, 8, 28, 0, 0),
     }
     assert vars(flaws[1]) == {
-        "summary": "chromium-browser: Out of bounds read in V8",
+        "summary": "chromium-browser: Heap buffer overflow in Skia",
         "cvss3": "8.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
-        "description": "An out of bounds read flaw was found in the V8 component of the Chromium browser.\n\nUpstream bug(s):\n\nhttps://code.google.com/p/chromium/issues/detail?id=729991",
-        "from_url": "https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop_15.html",
-        "fixed_in": {"chromium-browser": ["59.0.3071.104"]},
+        "description": "A heap buffer overflow flaw was found in the Skia component of the Chromium browser.\n\nUpstream bug(s):\n\nhttps://code.google.com/p/chromium/issues/detail?id=360265320",
+        "from_url": "https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_28.html",
+        "fixed_in": {"chromium-browser": ["128.0.6613.113"]},
         "cvss2": None,
         "advisory_id": None,
         "impact": "important",
-        "cves": ["CVE-2017-5088"],
-        "public_date": datetime.datetime(2017, 6, 15, 0, 0),
+        "cves": ["CVE-2024-8193"],
+        "public_date": datetime.datetime(2024, 8, 28, 0, 0),
     }
     assert vars(flaws[2]) == {
-        "summary": "chromium-browser: Domain spoofing in Omnibox",
-        "cvss3": "6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
-        "description": "A domain spoofing flaw was found in the Omnibox component of the Chromium browser.\n\nUpstream bug(s):\n\nhttps://code.google.com/p/chromium/issues/detail?id=714196",
-        "from_url": "https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop_15.html",
-        "fixed_in": {"chromium-browser": ["59.0.3071.104"]},
+        "summary": "chromium-browser: Type Confusion in V8",
+        "cvss3": "8.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+        "description": "A type confusion flaw was found in the V8 component of the Chromium browser.\n\nUpstream bug(s):\n\nhttps://code.google.com/p/chromium/issues/detail?id=360533914",
+        "from_url": "https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_28.html",
+        "fixed_in": {"chromium-browser": ["128.0.6613.113"]},
         "cvss2": None,
         "advisory_id": None,
-        "impact": "moderate",
-        "cves": ["CVE-2017-5089"],
-        "public_date": datetime.datetime(2017, 6, 15, 0, 0),
+        "impact": "important",
+        "cves": ["CVE-2024-8194"],
+        "public_date": datetime.datetime(2024, 8, 28, 0, 0),
+    }
+    assert vars(flaws[3]) == {
+        "summary": "chromium-browser: Heap buffer overflow in Skia",
+        "cvss3": "8.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+        "description": "A heap buffer overflow flaw was found in the Skia component of the Chromium browser.\n\nUpstream bug(s):\n\nhttps://code.google.com/p/chromium/issues/detail?id=360758697",
+        "from_url": "https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_28.html",
+        "fixed_in": {"chromium-browser": ["128.0.6613.113"]},
+        "cvss2": None,
+        "advisory_id": None,
+        "impact": "important",
+        "cves": ["CVE-2024-8198"],
+        "public_date": datetime.datetime(2024, 8, 28, 0, 0),
     }
-
-
-@patch("advisory_parser.parsers.chrome.get_text_from_url")
-def test_parser_multi_cve(get_text_from_url):
-    get_text_from_url.return_value = load_test_data("chrome_2020-02-04.txt")
-    url = "https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop_15.html"
-    flaws, warnings = parse_chrome_advisory(url)
-
-    assert not warnings
-    assert len(flaws) == 41
-    assert flaws[5].cves == ["CVE-2019-19880", "CVE-2019-19925"]