Bug#892278: stretch-pu: package reportbug/7.1.7+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi there,
As requested in #891918, I am hereby filing another stretch-pu update
for reportbug, so that we can fix #878088 in stable too. Please find
attached the debdiff.
Thanks,
Markus
diff -Nru reportbug-7.1.7/bin/reportbug reportbug-7.1.7+deb9u1/bin/reportbug
--- reportbug-7.1.7/bin/reportbug 2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+deb9u1/bin/reportbug 2018-03-03 22:33:28.000000000 +0100
@@ -32,6 +32,7 @@
import optparse
import re
import locale
+import requests
import subprocess
import shlex
import email
@@ -1926,6 +1927,36 @@
listcc += ui.get_multiline(
'Enter any additional addresses this report should be sent to; press ENTER after each address.')
+ # If the bug is reported against a package with a version that possibly
+ # indicates a security update add the security or LTS team to CC
+ # after user confirmation
+ if pkgversion and package and not self.options.offline and mode > MODE_NOVICE and utils.is_security_update(package, pkgversion):
+ if ui.yes_no('Do you want to report a regression because of a security update? ',
+ 'Yes, please inform the LTS and security teams.',
+ 'No or I am not sure.', True):
+ distnumber = re.search('[+~]deb(\d+)u\d+', pkgversion).group(1)
+ support = 'none'
+ email_address = 'none'
+ try:
+ r = requests.get('https://security-tracker.debian.org/tracker/distributions.json', timeout=self.options.timeout)
+ data = r.json()
+ for key, value in data.items():
+ if distnumber == value['major-version']:
+ support = value['support']
+ email_address = value['contact']
+ break
+
+ if support != 'none' and utils.check_email_addr(email_address):
+ listcc += [email_address]
+ else:
+ raise
+
+ except requests.exceptions.RequestException:
+ ewrite('Unable to connect to security-tracker.debian.org.\n'
+ 'Please try again later or contact the LTS or security team via email directly.\n')
+ except: # catch-all
+ ewrite('No support team contact address could be identified.\n')
+
if severity and rtype:
severity = debbugs.convert_severity(severity, rtype)
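Review bot: The bare `raise` on the `else` branch after the `for` loop runs with no active exception, so it raises `RuntimeError('No active exception to reraise')` and only reaches the "No support team contact" message because the trailing handler is a bare `except:`; make the failure explicit with `raise ValueError('no support contact for Debian %s' % distnumber)` and narrow the last handler to `except Exception:` so a Ctrl-C during the HTTP call is not reported as a lookup failure. The response is parsed without checking the HTTP status, so an error page from the tracker surfaces as a JSON decode error instead of the "Unable to connect" message; add `r.raise_for_status()` before `data = r.json()` (HTTPError is a RequestException, so it lands in the right handler). The address CC'd here comes from a network response, so keeping the `utils.check_email_addr` gate before it is appended to `listcc` is the right safeguard, and the default certificate verification of requests must not be relaxed on this call. The enclosing method starts and ends outside this hunk.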
diff -Nru reportbug-7.1.7/debian/changelog reportbug-7.1.7+deb9u1/debian/changelog
--- reportbug-7.1.7/debian/changelog 2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+deb9u1/debian/changelog 2018-03-03 22:33:28.000000000 +0100
@@ -1,3 +1,13 @@
+reportbug (7.1.7+deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport the fix for Debian bug #878088. Notify the security team or LTS
+ team about a possible regression if reporting a bug against a package
+ containing a security fix.
+ * python3-reportbug: Depend on python3-apt to fix #878088.
+
+ -- Markus Koschany <apo@debian.org> Sat, 03 Mar 2018 22:33:28 +0100
+
reportbug (7.1.7) unstable; urgency=medium
* reportbug/utils.py
diff -Nru reportbug-7.1.7/debian/control reportbug-7.1.7+deb9u1/debian/control
--- reportbug-7.1.7/debian/control 2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+deb9u1/debian/control 2018-03-03 22:33:28.000000000 +0100
@@ -36,7 +36,7 @@
Package: python3-reportbug
Section: python
Architecture: all
-Depends: ${misc:Depends}, ${python3:Depends}, apt, python3-debian, python3-debianbts (>= 1.13), file, python3-requests
+Depends: ${misc:Depends}, ${python3:Depends}, apt, python3-debian, python3-debianbts (>= 1.13), file, python3-requests, python3-apt
Suggests: reportbug
Description: Python modules for interacting with bug tracking systems
reportbug is a tool designed to make the reporting of bugs in Debian
Binärdateien /tmp/BreEiHKSHs/reportbug-7.1.7/reportbug/__pycache__/__init__.cpython-35.pyc und /tmp/ijRwNIQr3y/reportbug-7.1.7+deb9u1/reportbug/__pycache__/__init__.cpython-35.pyc sind verschieden.
Binärdateien /tmp/BreEiHKSHs/reportbug-7.1.7/reportbug/__pycache__/__init__.cpython-36.pyc und /tmp/ijRwNIQr3y/reportbug-7.1.7+deb9u1/reportbug/__pycache__/__init__.cpython-36.pyc sind verschieden.
diff -Nru reportbug-7.1.7/reportbug/utils.py reportbug-7.1.7+deb9u1/reportbug/utils.py
--- reportbug-7.1.7/reportbug/utils.py 2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+deb9u1/reportbug/utils.py 2018-03-03 22:33:28.000000000 +0100
@@ -39,6 +39,8 @@
import socket
import subprocess
import pipes
+import apt
+import gzip
from .urlutils import open_url
from string import ascii_letters, digits
@@ -1304,3 +1306,79 @@
init = 'sysvinit (via /sbin/init)'
return init
+
+def is_security_update(pkgname, pkgversion):
+ """Determine whether a given package is a security update.
+
+ Detection of security update versions works most reliably if the
+ package version under investigation is the currently installed
+ version. If this is not the case, the probability of false
+ negatives increases.
+
+ Parameters
+ ----------
+ pkgname : str
+ package name
+ pkgversion : str
+ package version
+
+ Returns
+ -------
+ bool
+ True if there is evidence that this version is a security
+ update, otherwise False
+ """
+
+ # Check 1:
+ # If it does not follow the debXuY version number pattern, it is
+ # definitely no security update.
+ #
+ # This check is not sufficient to detect security updates reliably,
+ # since other stable updates also use the same version pattern.
+ regex = re.compile('(\+|~)deb(\d+)u(\d+)')
+ secversion = regex.search(pkgversion)
+ if not secversion:
+ return False
+
+ # Check 2:
+ # If the package comes from the Debian-Security package source, it
+ # is definitely a security update.
+ #
+ # This check does not identify all security updates, since some of
+ # them are distributed through the normal channels as part of a
+ # stable release update.
+ try:
+ p = apt.Cache()[pkgname]
+ if 'Debian-Security' in [o.label for o in
+ p.versions[pkgversion].origins]:
+ return True
+ except:
+ pass
+
+ # Check 3:
+ # Inspect the package changelog if it mentions any vulnerability,
+ # identified by a CVE number, in the section of the latest version.
+ cl = None
+ for cl in ['/usr/share/doc/{}/changelog.Debian.gz'.format(pkgname),
+ '/usr/share/doc/{}/changelog.gz'.format(pkgname)]:
+ if os.path.exists(cl):
+ break
+
+ try:
+ with gzip.open(cl, 'rt') as f:
+ ln = f.readline()
+ if pkgversion not in ln:
+ raise KeyError
+
+ for ln in f.readlines():
+ # stop reading at the end of the first section
+ if ln.rstrip() != '' and (ln.startswith(' -- ') or not ln.startswith(' ')):
+ break
+
+ if 'CVE-20' in ln.upper():
+ return True
+ except:
+ pass
+
+ # guess 'no security update, but normal stable update' by default
+ return False
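Review bot: Both `except:` clauses in is_security_update are bare, so a KeyboardInterrupt while `apt.Cache()` is being built or while the changelog is decompressed is swallowed and reported as "not a security update"; narrow them to `except Exception:` so interrupts still propagate (the `raise KeyError` used for the version mismatch is still caught). The first-line check `if pkgversion not in ln` is a substring test, so a changelog whose top entry is e.g. `…+deb9u10` also passes for pkgversion `…+deb9u1`; matching the parenthesised form, `if '({})'.format(pkgversion) not in ln`, pins the exact version. The regex literal `'(\+|~)deb(\d+)u(\d+)'` should be a raw string, `r'(\+|~)deb(\d+)u(\d+)'`, since `\+` and `\d` in a normal string are invalid escapes that newer Pythons warn about. When neither changelog path exists, `cl` is left pointing at the last candidate and the OSError from `gzip.open` is relied on to fall through; a `for … else: cl = None` with an `if cl:` guard would make that intent visible instead of implicit.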