
Bug#892278: marked as done (stretch-pu: package reportbug/7.1.7+deb9u1)



Your message dated Sat, 14 Jul 2018 11:21:20 +0100
with message-id <1531563680.2095.30.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.5
has caused the Debian Bug report #892278,
regarding stretch-pu: package reportbug/7.1.7+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
892278: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892278
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi there,

as requested in #891918 I am hereby filing another stretch-pu update
for reportbug, so that we can fix #878088 in stable too. Please find
attached the debdiff.

Thanks,

Markus
diff -Nru reportbug-7.1.7/bin/reportbug reportbug-7.1.7+deb9u1/bin/reportbug
--- reportbug-7.1.7/bin/reportbug	2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+deb9u1/bin/reportbug	2018-03-03 22:33:28.000000000 +0100
@@ -32,6 +32,7 @@
 import optparse
 import re
 import locale
+import requests
 import subprocess
 import shlex
 import email
@@ -1926,6 +1927,36 @@
             listcc += ui.get_multiline(
                 'Enter any additional addresses this report should be sent to; press ENTER after each address.')
 
+        # If the bug is reported against a package with a version that possibly
+        # indicates a security update add the security or LTS team to CC
+        # after user confirmation
+        if pkgversion and package and not self.options.offline and mode > MODE_NOVICE and utils.is_security_update(package, pkgversion):
+            if ui.yes_no('Do you want to report a regression because of a security update? ',
+                         'Yes, please inform the LTS and security teams.',
+                         'No or I am not sure.', True):
+                distnumber = re.search('[+~]deb(\d+)u\d+', pkgversion).group(1)
+                support = 'none'
+                email_address = 'none'
+                try:
+                    r = requests.get('https://security-tracker.debian.org/tracker/distributions.json', timeout=self.options.timeout)
+                    data = r.json()
+                    for key, value in data.items():
+                        if distnumber == value['major-version']:
+                            support = value['support']
+                            email_address = value['contact']
+                            break
+
+                    if support != 'none' and utils.check_email_addr(email_address):
+                        listcc += [email_address]
+                    else:
+                        raise
+
+                except requests.exceptions.RequestException:
+                    ewrite('Unable to connect to security-tracker.debian.org.\n'
+                           'Please try again later or contact the LTS or security team via email directly.\n')
+                except:  # catch-all
+                    ewrite('No support team contact address could be identified.\n')
+
         if severity and rtype:
             severity = debbugs.convert_severity(severity, rtype)
 
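Review bot: the bare `raise` in the `else:` branch has no active exception to re-raise, so on Python 3 it produces a `RuntimeError` ("No active exception to reraise") that only reaches the user as "No support team contact address could be identified." because the catch-all `except:` swallows it; the flow works by accident. Raise an explicit exception (e.g. `raise ValueError('no support contact found')`) or emit the message directly in the `else:` branch. The catch-all `except:` also swallows `KeyboardInterrupt` while the HTTP request is in flight; `except Exception:` is the safer form. Minor: `'[+~]deb(\d+)u\d+'` is a non-raw string, so the `\d` escapes trigger a `DeprecationWarning` on Python 3.6+; use `r'[+~]deb(\d+)u\d+'`.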
diff -Nru reportbug-7.1.7/debian/changelog reportbug-7.1.7+deb9u1/debian/changelog
--- reportbug-7.1.7/debian/changelog	2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+deb9u1/debian/changelog	2018-03-03 22:33:28.000000000 +0100
@@ -1,3 +1,13 @@
+reportbug (7.1.7+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport the fix for Debian bug #878088. Notify the security team or LTS
+    team about a possible regression if reporting a bug against a package
+    containing a security fix.
+  * python3-reportbug: Depend on python3-apt to fix #878088.
+
+ -- Markus Koschany <apo@debian.org>  Sat, 03 Mar 2018 22:33:28 +0100
+
 reportbug (7.1.7) unstable; urgency=medium
 
   * reportbug/utils.py
diff -Nru reportbug-7.1.7/debian/control reportbug-7.1.7+deb9u1/debian/control
--- reportbug-7.1.7/debian/control	2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+deb9u1/debian/control	2018-03-03 22:33:28.000000000 +0100
@@ -36,7 +36,7 @@
 Package: python3-reportbug
 Section: python
 Architecture: all
-Depends: ${misc:Depends}, ${python3:Depends}, apt, python3-debian, python3-debianbts (>= 1.13), file, python3-requests
+Depends: ${misc:Depends}, ${python3:Depends}, apt, python3-debian, python3-debianbts (>= 1.13), file, python3-requests, python3-apt
 Suggests: reportbug
 Description: Python modules for interacting with bug tracking systems
  reportbug is a tool designed to make the reporting of bugs in Debian
Binärdateien /tmp/BreEiHKSHs/reportbug-7.1.7/reportbug/__pycache__/__init__.cpython-35.pyc und /tmp/ijRwNIQr3y/reportbug-7.1.7+deb9u1/reportbug/__pycache__/__init__.cpython-35.pyc sind verschieden.
Binärdateien /tmp/BreEiHKSHs/reportbug-7.1.7/reportbug/__pycache__/__init__.cpython-36.pyc und /tmp/ijRwNIQr3y/reportbug-7.1.7+deb9u1/reportbug/__pycache__/__init__.cpython-36.pyc sind verschieden.
diff -Nru reportbug-7.1.7/reportbug/utils.py reportbug-7.1.7+deb9u1/reportbug/utils.py
--- reportbug-7.1.7/reportbug/utils.py	2017-05-29 22:00:17.000000000 +0200
+++ reportbug-7.1.7+deb9u1/reportbug/utils.py	2018-03-03 22:33:28.000000000 +0100
@@ -39,6 +39,8 @@
 import socket
 import subprocess
 import pipes
+import apt
+import gzip
 
 from .urlutils import open_url
 from string import ascii_letters, digits
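Review bot: the new `is_security_update` below uses `re.compile` and `os.path.exists`, but this hunk adds only `apt` and `gzip`; please confirm that `re` and `os` are already imported at the top of utils.py, since they sit outside the visible context of this hunk.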
@@ -1304,3 +1306,79 @@
         init = 'sysvinit (via /sbin/init)'
 
     return init
+
+def is_security_update(pkgname, pkgversion):
+    """Determine whether a given package is a security update.
+
+    Detection of security update versions works most reliably if the
+    package version under investigation is the currently installed
+    version.  If this is not the case, the probability of false
+    negatives increases.
+
+    Parameters
+    ----------
+    pkgname : str
+        package name
+    pkgversion : str
+        package version
+
+    Returns
+    -------
+    bool
+        True if there is evidence that this version is a security
+        update, otherwise False
+    """
+
+    # Check 1:
+    # If it does not follow the debXuY version number pattern, it is
+    # definitely no security update.
+    #
+    # This check is not sufficient to detect security updates reliably,
+    # since other stable updates also use the same version pattern.
+    regex = re.compile('(\+|~)deb(\d+)u(\d+)')
+    secversion = regex.search(pkgversion)
+    if not secversion:
+        return False
+
+    # Check 2:
+    # If the package comes from the Debian-Security package source, it
+    # is definitely a security update.
+    #
+    # This check does not identify all security updates, since some of
+    # them are distributed through the normal channels as part of a
+    # stable release update.
+    try:
+        p = apt.Cache()[pkgname]
+        if 'Debian-Security' in [o.label for o in
+                        p.versions[pkgversion].origins]:
+            return True
+    except:
+        pass
+
+    # Check 3:
+    # Inspect the package changelog if it mentions any vulnerability,
+    # identified by a CVE number, in the section of the latest version.
+    cl = None
+    for cl in ['/usr/share/doc/{}/changelog.Debian.gz'.format(pkgname),
+               '/usr/share/doc/{}/changelog.gz'.format(pkgname)]:
+        if os.path.exists(cl):
+            break
+
+    try:
+        with gzip.open(cl, 'rt') as f:
+            ln = f.readline()
+            if pkgversion not in ln:
+                raise KeyError
+
+            for ln in f.readlines():
+                # stop reading at the end of the first section
+                if ln.rstrip() != '' and (ln.startswith(' -- ') or not ln.startswith(' ')):
+                    break
+
+                if 'CVE-20' in ln.upper():
+                    return True
+    except:
+        pass
+
+    # guess 'no security update, but normal stable update' by default
+    return False
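Review bot: in Check 3 the `for` loop leaves `cl` set to the last candidate path even when neither file exists, and the `changelog.gz` fallback is usually the upstream changelog rather than the Debian one, so a CVE mention in an unrelated upstream entry would be reported as a security update; keep `cl = None` when nothing was found (use a `for ... else:` or reset it after the loop) and consider limiting the check to `changelog.Debian.gz`. The first-line test `pkgversion not in ln` is a plain substring match, so `1.0+deb9u1` also matches a header for `1.0+deb9u10`; match `'({})'.format(pkgversion)` with the surrounding parentheses instead. The bare `except:` blocks in Checks 2 and 3 swallow `KeyboardInterrupt` and mask real errors such as a failing apt cache open; `except Exception:` would be sufficient. Minor: `'(\+|~)deb(\d+)u(\d+)'` should be a raw string for the same `\d` deprecation reason as in bin/reportbug.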

--- End Message ---
--- Begin Message ---
Version: 9.5

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
