
Bug#892278: stretch-pu: package reportbug/7.1.7+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi there,

As requested in #891918 I am hereby filing another stretch-pu update
for reportbug, so that we can fix #878088 in stable too. Please find
attached the debdiff.

Thanks,

Markus
diff -Nru reportbug-7.1.7/bin/reportbug reportbug-7.1.7+deb9u1/bin/reportbug
--- reportbug-7.1.7/bin/reportbug	2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+deb9u1/bin/reportbug	2018-03-03 22:33:28.000000000 +0100
@@ -32,6 +32,7 @@
 import optparse
 import re
 import locale
+import requests
 import subprocess
 import shlex
 import email
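Review bot: `requests` becomes an unconditional import of the bin/reportbug entry point although it is only used inside the new block guarded by `not self.options.offline`; python3-reportbug already lists python3-requests in its Depends (see the debian/control hunk), so this is fine as long as the `reportbug` binary package pulls in python3-reportbug, which this debdiff does not show. A lazy `import requests` inside that block would keep the entry point usable in offline mode even if the module were missing.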
@@ -1926,6 +1927,36 @@
             listcc += ui.get_multiline(
                 'Enter any additional addresses this report should be sent to; press ENTER after each address.')
 
+        # If the bug is reported against a package with a version that possibly
+        # indicates a security update add the security or LTS team to CC
+        # after user confirmation
+        if pkgversion and package and not self.options.offline and mode > MODE_NOVICE and utils.is_security_update(package, pkgversion):
+            if ui.yes_no('Do you want to report a regression because of a security update? ',
+                         'Yes, please inform the LTS and security teams.',
+                         'No or I am not sure.', True):
+                distnumber = re.search('[+~]deb(\d+)u\d+', pkgversion).group(1)
+                support = 'none'
+                email_address = 'none'
+                try:
+                    r = requests.get('https://security-tracker.debian.org/tracker/distributions.json', timeout=self.options.timeout)
+                    data = r.json()
+                    for key, value in data.items():
+                        if distnumber == value['major-version']:
+                            support = value['support']
+                            email_address = value['contact']
+                            break
+
+                    if support != 'none' and utils.check_email_addr(email_address):
+                        listcc += [email_address]
+                    else:
+                        raise
+
+                except requests.exceptions.RequestException:
+                    ewrite('Unable to connect to security-tracker.debian.org.\n'
+                           'Please try again later or contact the LTS or security team via email directly.\n')
+                except:  # catch-all
+                    ewrite('No support team contact address could be identified.\n')
+
         if severity and rtype:
             severity = debbugs.convert_severity(severity, rtype)
 
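Review bot: the bare `raise` in the `else:` branch runs with no active exception, so it only reaches the catch-all because Python converts it into a RuntimeError; raise a specific exception instead (e.g. `raise ValueError('no support contact found')`) and change `except:  # catch-all` to `except Exception:` so a Ctrl-C pressed while the HTTP request is pending is not swallowed and reported as "No support team contact address could be identified." Two related points: call `r.raise_for_status()` before `r.json()` so a non-200 answer from security-tracker.debian.org is surfaced through the RequestException branch rather than failing inside `.json()`, and make the pattern a raw string, `re.search(r'[+~]deb(\d+)u\d+', pkgversion)`, to avoid the invalid-escape DeprecationWarning on Python 3.6. The `.group(1)` call itself is safe here because `utils.is_security_update` only returns True after matching the same pattern.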
diff -Nru reportbug-7.1.7/debian/changelog reportbug-7.1.7+deb9u1/debian/changelog
--- reportbug-7.1.7/debian/changelog	2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+deb9u1/debian/changelog	2018-03-03 22:33:28.000000000 +0100
@@ -1,3 +1,13 @@
+reportbug (7.1.7+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport the fix for Debian bug #878088. Notify the security team or LTS
+    team about a possible regression if reporting a bug against a package
+    containing a security fix.
+  * python3-reportbug: Depend on python3-apt to fix #878088.
+
+ -- Markus Koschany <apo@debian.org>  Sat, 03 Mar 2018 22:33:28 +0100
+
 reportbug (7.1.7) unstable; urgency=medium
 
   * reportbug/utils.py
diff -Nru reportbug-7.1.7/debian/control reportbug-7.1.7+deb9u1/debian/control
--- reportbug-7.1.7/debian/control	2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+deb9u1/debian/control	2018-03-03 22:33:28.000000000 +0100
@@ -36,7 +36,7 @@
 Package: python3-reportbug
 Section: python
 Architecture: all
-Depends: ${misc:Depends}, ${python3:Depends}, apt, python3-debian, python3-debianbts (>= 1.13), file, python3-requests
+Depends: ${misc:Depends}, ${python3:Depends}, apt, python3-debian, python3-debianbts (>= 1.13), file, python3-requests, python3-apt
 Suggests: reportbug
 Description: Python modules for interacting with bug tracking systems
  reportbug is a tool designed to make the reporting of bugs in Debian
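Review bot: the two "Binärdateien ... sind verschieden." entries that follow this file show that the debdiff was generated from trees containing compiled `reportbug/__pycache__/*.pyc` files; regenerate it from clean unpacked sources so the diff carries only the intended changes. The dependency change itself is consistent with the unconditional `import apt` added to reportbug/utils.py.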
Binary files /tmp/BreEiHKSHs/reportbug-7.1.7/reportbug/__pycache__/__init__.cpython-35.pyc and /tmp/ijRwNIQr3y/reportbug-7.1.7+deb9u1/reportbug/__pycache__/__init__.cpython-35.pyc differ.
Binary files /tmp/BreEiHKSHs/reportbug-7.1.7/reportbug/__pycache__/__init__.cpython-36.pyc and /tmp/ijRwNIQr3y/reportbug-7.1.7+deb9u1/reportbug/__pycache__/__init__.cpython-36.pyc differ.
diff -Nru reportbug-7.1.7/reportbug/utils.py reportbug-7.1.7+deb9u1/reportbug/utils.py
--- reportbug-7.1.7/reportbug/utils.py	2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+deb9u1/reportbug/utils.py	2018-03-03 22:33:28.000000000 +0100
@@ -39,6 +39,8 @@
 import socket
 import subprocess
 import pipes
+import apt
+import gzip
 
 from .urlutils import open_url
 from string import ascii_letters, digits
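Review bot: `import apt` at module level makes every importer of reportbug.utils fail with ImportError when python3-apt is absent, even though `is_security_update` already tolerates a failing apt lookup with its try/except; consider importing apt inside that function (`try: import apt` / `except ImportError: pass`, then skip check 2) so the new dependency stays soft for other consumers of utils. The control hunk does add python3-apt, so this is a robustness point rather than a bug.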
@@ -1304,3 +1306,79 @@
         init = 'sysvinit (via /sbin/init)'
 
     return init
+
+def is_security_update(pkgname, pkgversion):
+    """Determine whether a given package is a security update.
+
+    Detection of security update versions works most reliably if the
+    package version under investigation is the currently installed
+    version.  If this is not the case, the probability of false
+    negatives increases.
+
+    Parameters
+    ----------
+    pkgname : str
+        package name
+    pkgversion : str
+        package version
+
+    Returns
+    -------
+    bool
+        True if there is evidence that this version is a security
+        update, otherwise False
+    """
+
+    # Check 1:
+    # If it does not follow the debXuY version number pattern, it is
+    # definitely no security update.
+    #
+    # This check is not sufficient to detect security updates reliably,
+    # since other stable updates also use the same version pattern.
+    regex = re.compile('(\+|~)deb(\d+)u(\d+)')
+    secversion = regex.search(pkgversion)
+    if not secversion:
+        return False
+
+    # Check 2:
+    # If the package comes from the Debian-Security package source, it
+    # is definitely a security update.
+    #
+    # This check does not identify all security updates, since some of
+    # them are distributed through the normal channels as part of a
+    # stable release update.
+    try:
+        p = apt.Cache()[pkgname]
+        if 'Debian-Security' in [o.label for o in
+                        p.versions[pkgversion].origins]:
+            return True
+    except:
+        pass
+
+    # Check 3:
+    # Inspect the package changelog if it mentions any vulnerability,
+    # identified by a CVE number, in the section of the latest version.
+    cl = None
+    for cl in ['/usr/share/doc/{}/changelog.Debian.gz'.format(pkgname),
+               '/usr/share/doc/{}/changelog.gz'.format(pkgname)]:
+        if os.path.exists(cl):
+            break
+
+    try:
+        with gzip.open(cl, 'rt') as f:
+            ln = f.readline()
+            if pkgversion not in ln:
+                raise KeyError
+
+            for ln in f.readlines():
+                # stop reading at the end of the first section
+                if ln.rstrip() != '' and (ln.startswith(' -- ') or not ln.startswith(' ')):
+                    break
+
+                if 'CVE-20' in ln.upper():
+                    return True
+    except:
+        pass
+
+    # guess 'no security update, but normal stable update' by default
+    return False
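Review bot: in check 3, `if pkgversion not in ln` is a substring test on the changelog's first line, so a report against `1.0+deb9u1` also matches a changelog whose top entry is `1.0+deb9u10` and the wrong stanza is scanned for CVE strings; parse the version out of the header instead, e.g. `m = re.match(r'^\S+ \((.+?)\)', ln)` and compare `m.group(1) == pkgversion` (assuming `re` and `os` are already imported in utils.py, which this hunk does not show). Two smaller points: `re.compile('(\+|~)deb(\d+)u(\d+)')` should be a raw string, as it is the same pattern used in bin/reportbug and both trigger invalid-escape DeprecationWarnings on Python 3.6, and the two bare `except:` clauses should be `except Exception:` so a KeyboardInterrupt during `apt.Cache()` is not silently turned into "not a security update". Also, if neither changelog path exists, `cl` is left pointing at the last candidate and the failure is only caught by the catch-all; an explicit `else: return False` on the for loop would make that case readable.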