
Re: [PATCH] report-vuln: allow to invoke mailer



Hi,
On Thu, Nov 30, 2017 at 10:36:13AM +0100, Guido Günther wrote:
> This allows invoking the mailer directly, like
> 
>     bin/report-vuln -M <pkg> <cve>...
> 
> the default behaviour is unchanged.
> ---
> Helps at least me to get out bug mails quicker.

I went ahead and committed this. If it causes any problems please ping
me or plain revert it.
Cheers,
 -- Guido
 
> 
>  bin/report-vuln | 95 ++++++++++++++++++++++++++++++++-------------------------
>  1 file changed, 54 insertions(+), 41 deletions(-)
> 
> diff --git a/bin/report-vuln b/bin/report-vuln
> index 5e053f88ea..9e20f4778b 100755
> --- a/bin/report-vuln
> +++ b/bin/report-vuln
> @@ -1,25 +1,18 @@
>  #!/usr/bin/env python
>  #
> -# generate bug report content for a given package name
> -# and a number of CVE ids
> +# generate bug report content/mail for a given package name and a
> +# number of CVE ids
>  #
> -# you could use it for example in combination with the
> -# following shell function:
> +# To invoke the mailer right away:
>  #
> -# report-vuln(){
> -#     TMPFILE="$HOME/reportbug.tmp"
> -#     $HOME/debian/svn/secure-testing/bin/report-vuln -m "$@" > $TMPFILE
> -#     mutt -H $TMPFILE
> -#     rm $TMPFILE
> -# }
> -#
> -# in bash, this can be simply:
> -#
> -# mutt -H <($HOME/debian/svn/secure-testing/bin/report-vuln -m <pkg> <CVE>)
> +# $HOME/debian/svn/secure-testing/bin/report-vuln -M <pkg> <CVE>
>  #
>  # export http_proxy if you need to use an http proxy to report bugs
>  
> +from __future__ import print_function
> +
>  import argparse
> +from tempfile import NamedTemporaryFile
>  import sys, re, urllib, os
>  
>  temp_id = re.compile('(?:CVE|cve)\-[0-9]{4}-XXXX')
> @@ -118,10 +111,11 @@ def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False, c
>      cve_suff = ''
>      time_w = 'was'
>      temp_id_cnt = 0
> -    header = ''
> +    ret = ''
> +
>  
>      if mh:
> -        header += '''To: submit@bugs.debian.org
> +        ret += '''To: submit@bugs.debian.org
>  Subject: %s: %s
>  
>  ''' % (pkg, ' '.join(cveid))
> @@ -132,56 +126,55 @@ Subject: %s: %s
>          time_w = 'were'
>  
>      if src:
> -        header += '''Source: %s\n''' % (pkg)
> +        ret += 'Source: %s\n' % (pkg)
>      else:
> -        header += '''Package: %s\n''' % (pkg)
> +        ret += 'Package: %s\n' % (pkg)
>  
>      if affected is None:
>          if blanks:
> -            header += "Version: FILLINAFFECTEDVERSION\n"
> +            ret += "Version: FILLINAFFECTEDVERSION\n"
>          else:
> -            header += "Version: %s\n" % affected
> +            ret += "Version: %s\n" % affected
>          if cc and len(cclist) > 0:
> -            header += "X-Debbugs-CC: %s\n" % " ".join(cclist)
> -    header += '''Severity: %s
> +            ret += "X-Debbugs-CC: %s\n" % " ".join(cclist)
> +    ret += '''Severity: %s
>  Tags: security
>  
>  Hi,
>  
> -the following vulnerabilit%s %s published for %s.
> +the following vulnerabilit%s %s published for %s.\n
>  ''' % (severity, vuln_suff, time_w, pkg)
>  
> -    footer = '''If you fix the vulnerabilit%s please also make sure to include the
> -CVE (Common Vulnerabilities & Exposures) id%s in your changelog entry.
> -
> -For further information see:''' % (vuln_suff, cve_suff)
> -
> -    print header
>      for cnt, cve in enumerate(cveid):
>          if not temp_id.match(cve):
> -            print cve + '[' + str(cnt) + ']:'
> -            print get_cve(cve)
> +            ret += cve + '[' + str(cnt) + ']:\n'
> +            ret += get_cve(cve) + '\n'
>          else:
> -            print '''Issue without CVE id #%d [%d]:''' % (temp_id_cnt, cnt)
> +            ret += 'Issue without CVE id #%d [%d]:\n' % (temp_id_cnt, cnt)
>              desc = description_from_list(cve, pkg, temp_id_cnt)
>              if desc:
> -                print desc + '\n'
> +                ret += desc + '\n\n'
>              else:
> -                print 'No description has been specified\n'
> +                ret += 'No description has been specified\n\n'
>              temp_id_cnt += 1
>  
> -    print footer
> -    print gen_index(cveid)
> +    ret += '''If you fix the vulnerabilit%s please also make sure to include the
> +CVE (Common Vulnerabilities & Exposures) id%s in your changelog entry.
> +
> +For further information see:\n''' % (vuln_suff, cve_suff)
> +    ret += gen_index(cveid) + '\n'
>  
>      if temp_id_cnt > 0:
> -        print '\nhttps://security-tracker.debian.org/tracker/source-package/%s' % (pkg)
> -        print '(issues without CVE id are assigned a TEMP one, but it may change over time)\n'
> +        ret += '\nhttps://security-tracker.debian.org/tracker/source-package/%s\n' % (pkg)
> +        ret += '(issues without CVE id are assigned a TEMP one, but it may change over time)\n'
>  
>      if not blanks:
> -        print '''\nPlease adjust the affected versions in the BTS as needed.\n'''
> +        ret += '\nPlease adjust the affected versions in the BTS as needed.\n'
> +
> +    return ret
>  
>  def error(msg):
> -    print 'error: ' + msg
> +    print ('error: ' + msg, file=sys.stderr)
>      sys.exit(1)
>  
>  class NegateAction(argparse.Action):
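Review bot: As the hunk reads, the `else:` holding `ret += "Version: %s\n" % affected` pairs with `if blanks:` inside `if affected is None:`, so it can only run when `affected` is None and would put `Version: None` into the pseudo-header, while a value passed for `affected` never produces a Version line. The rename from `header` to `ret` carries this over unchanged. If the indentation shown here matches the file, dedent that `else:` and its body one level so they pair with `if affected is None:`, and check whether the `if cc and len(cclist) > 0:` line was meant to sit at the outer level too. gen_text() begins outside this hunk, and it would also benefit from a short docstring saying that it now returns the report text instead of printing it.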
> @@ -220,6 +213,10 @@ def main():
>                          help='list of addresses to add in CC (default: %(default)s)')
>      parser.add_argument('--src', action="store_true", help='report against source package')
>      parser.add_argument('-m', '--mail-header', action="store_true", help='generate a mail header')
> +    parser.add_argument('-M', '--mail', action="store_true", help='invoke mailer right aways')
> +    parser.add_argument('--mailer', action='store', default='mutt -H {}',
> +                        help='Command executed. Must contain {} to be replaced '
> +                        'by the filename of the draft bugreport')
>      parser.add_argument('pkg', help='affected package')
>      parser.add_argument('cve', nargs='+', help='relevant CVE for this source package, may be used multiple time if the issue has multiple CVEs')
>      args = parser.parse_args()
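Review bot: The `--mailer` help text says the command must contain `{}`, but nothing after `parser.parse_args()` enforces it, so a template without the placeholder would start the mailer without the draft file, and the draft is gone once the temporary file is removed. A check such as `if args.mail and '{}' not in args.mailer: error('--mailer must contain {}')` right after parsing would catch this early. The `-M` help string also has a typo: `'invoke mailer right aways'` should read `'invoke mailer right away'`. main() starts before and continues after this hunk.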
> @@ -239,7 +236,23 @@ def main():
>          if not c.match(arg) and not temp_id.match(arg):
>              error(arg + ' does not seem to be a valid CVE id')
>  
> -    gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src, mh=args.mail_header)
> +    text = gen_text(pkg, cve,
> +                    affected=args.affected,
> +                    blanks=args.blanks,
> +                    severity=args.severity,
> +                    cc=args.cc,
> +                    cclist=args.cclist,
> +                    src=args.src,
> +                    mh=args.mail_header or args.mail)
> +
> +    if args.mail:
> +        with NamedTemporaryFile(prefix='report-vuln', suffix='.txt') as bugmail:
> +            bugmail.write(text)
> +            bugmail.flush()
> +            os.system(args.mailer.format(bugmail.name))
> +    else:
> +        print(text)
> +
>  
>  if __name__ == '__main__':
>      main()
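Review bot: `os.system(args.mailer.format(bugmail.name))` passes the formatted string through a shell, so the temporary file's path is re-parsed as shell syntax (a temp directory with spaces or metacharacters in its name would break or alter the command), and the exit status is discarded, so a mailer that fails to start still loses the draft when the `with` block exits. Splitting the template before substituting avoids the shell: `rc = subprocess.call([a.format(bugmail.name) for a in shlex.split(args.mailer)])`, followed by `if rc != 0: error('mailer exited with status %d' % rc)`; this needs `shlex` and `subprocess` imported at the top of the file. Separately, `bugmail.write(text)` writes a `str` to a file opened in NamedTemporaryFile's default binary mode, which works on Python 2 but would raise on Python 3, where the new `print_function` import suggests the script may be heading. main() begins outside this hunk.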
> -- 
> 2.15.0
> 

