
Re: [PATCH 3/3] report-vuln: Support generation of mail headers



Hi,
On Wed, Nov 29, 2017 at 04:24:54PM +0100, Salvatore Bonaccorso wrote:
> Hi Guido,
> 
> On Wed, Nov 29, 2017 at 01:48:02PM +0100, Guido Günther wrote:
> > Address the bts already and put the CVEs in the subject.
> > 
> > ---
> > This can be further improved regarding temp id handling, providing a
> > better subject in case of only a single CVE, etc. but already makes life
> > simpler. O.k. to apply?
> 
> Looks fine as long the -m remains the non-default for now and
> bin/report-vuln just can be used to generate templates as before.

Without '-m' the output is as it was before.

> 
> Would it be possible though to change the generated subject to include
> the source package name (or binary package name, depending on the
> mode) as provided, and append after a : just the CVEs space separated?
> 
> That is rather than
> 
> Subject: CVE-id1, CVE-id2, ...
> 
> more like
> 
> Subject: srcpkg: CVE-id1 CVE-id2 ...

Attached patch does just that.

> Agree, that is a matter of taste of the person filling the bug though,
> so we might not reach agreement on the desired formatting :)
> everybody is doing something different. Some examples of subjects,
> just from recent IRC bot on #debian-devel-changes:
> 
> #879732: CVE-2017-15874 / CVE-2017-15873
> #882648: exim4: CVE-2017-16943: use-after-free vulnerability while reading mail header
> #882034: ruby-redis-store: CVE-2017-1000248
> #878840: icu: CVE-2017-14952: Double free in i18n/zonemeta.cpp
> #881445: ruby-ox: CVE-2017-15928: Segmentation fault in the parse_obj

I intend to fetch the first sentence from the CVE report at one point
(if there's only a single CVE) but this needs some more rework of the
script to avoid duplication.

Cheers,
 -- Guido
From c36a060dd0a39f036307c5fedc4d67eeefa9de32 Mon Sep 17 00:00:00 2001
Message-Id: <c36a060dd0a39f036307c5fedc4d67eeefa9de32.1511970512.git.agx@sigxcpu.org>
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 29 Nov 2017 12:28:39 +0100
Subject: [PATCH] report-vuln: Support generation of mail headers
To: debian-lts@lists.debian.org

---
 bin/report-vuln | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/bin/report-vuln b/bin/report-vuln
index a20f6ae764..5e053f88ea 100755
--- a/bin/report-vuln
+++ b/bin/report-vuln
@@ -8,14 +8,14 @@
 #
 # report-vuln(){
 #     TMPFILE="$HOME/reportbug.tmp"
-#     $HOME/debian/svn/secure-testing/bin/report-vuln "$@" > $TMPFILE
-#     mutt -i $TMPFILE submit@bugs.debian.org
+#     $HOME/debian/svn/secure-testing/bin/report-vuln -m "$@" > $TMPFILE
+#     mutt -H $TMPFILE
 #     rm $TMPFILE
 # }
 #
 # in bash, this can be simply:
 #
-# mutt -i <($HOME/debian/svn/secure-testing/bin/report-vuln) submit@bugs.debian.org
+# mutt -H <($HOME/debian/svn/secure-testing/bin/report-vuln -m <pkg> <CVE>)
 #
 # export http_proxy if you need to use an http proxy to report bugs
 
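Review bot: the updated usage comment should say what `-m` changes, since the two examples now depend on it: `mutt -H` expects the draft file to carry its own `To:`/`Subject:` headers, which only the `-m` output provides, while the pre-existing `mutt -i ... submit@bugs.debian.org` form still works with the default output. One line such as "# -m prepends To:/Subject: headers so the output can be used as a mutt -H draft; without -m the output is unchanged" would keep the two invocation styles from being mixed up.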
@@ -113,11 +113,18 @@ def get_cve(id):
 
     return ret + '\n'
 
-def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False, cclist=None, src=False):
+def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False, cclist=None, src=False, mh=False):
     vuln_suff = 'y'
     cve_suff = ''
     time_w = 'was'
     temp_id_cnt = 0
+    header = ''
+
+    if mh:
+        header += '''To: submit@bugs.debian.org
+Subject: %s: %s
+
+''' % (pkg, ' '.join(cveid))
 
     if len(cveid) > 1:
         cve_suff = 's'
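Review bot: the `Subject: %s: %s` line is built with `' '.join(cveid)` and no folding, so a report with many CVE ids produces a single long header line; consider folding the subject (e.g. with `email.header.Header` or by wrapping continuation lines with a leading space) so that mail with a long CVE list is still well-formed. The recipient `submit@bugs.debian.org` is also now hard-coded both here and in the usage comment; a module-level constant would keep them in sync. Minor: `mh` is a rather terse parameter name next to `cclist`/`severity`; `mail_header`, matching the `dest` of the new option, would read better.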
@@ -125,9 +132,9 @@ def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False, c
         time_w = 'were'
 
     if src:
-        header = '''Source: %s\n''' % (pkg)
+        header += '''Source: %s\n''' % (pkg)
     else:
-        header = '''Package: %s\n''' % (pkg)
+        header += '''Package: %s\n''' % (pkg)
 
     if affected is None:
         if blanks:
@@ -212,6 +219,7 @@ def main():
     parser.add_argument('--cc-list', dest='cclist', default=['team@security.debian.org', 'secure-testing-team@lists.alioth.debian.org'],
                         help='list of addresses to add in CC (default: %(default)s)')
     parser.add_argument('--src', action="store_true", help='report against source package')
+    parser.add_argument('-m', '--mail-header', action="store_true", help='generate a mail header')
     parser.add_argument('pkg', help='affected package')
     parser.add_argument('cve', nargs='+', help='relevant CVE for this source package, may be used multiple time if the issue has multiple CVEs')
     args = parser.parse_args()
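Review bot: the help text 'generate a mail header' undersells what the option does; something like 'prepend To: and Subject: mail headers so the output can be used as a mutt -H draft' tells the user both what is emitted and why they would want it, and mirrors the updated usage comment at the top of the script.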
@@ -231,7 +239,7 @@ def main():
         if not c.match(arg) and not temp_id.match(arg):
             error(arg + ' does not seem to be a valid CVE id')
 
-    gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src)
+    gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src, mh=args.mail_header)
 
 if __name__ == '__main__':
     main()
-- 
2.15.0

