
Re: faster tracker data processing



On Fri, 02 Oct 2009 08:37:23 -0500 Raphael Geissert wrote:
> We could actually try to write some sort of automated system to contact the
> maintainer(s) when a new issue is published regarding their package. But I
> guess we would need a blacklisting system to avoid spamming some people or
> teams who are usually aware of those issues in advance (kernel sec team
> maybe? people working on the tracker, etc)

this would be good, but there is a danger of the bot going haywire and
potentially flooding the bts (i suppose you could set a shutoff limit
that would kill the bot if it submitted more than X per minute).  also,
maintainers may find a bot unfriendly or potentially offensive?  but it
may be worth trying it.

> >> If that's not desirable, maybe a concept of "HINT"s could be introduced,
> >> where the script that updates the CVE/list file from the CVE db
> >> automatically adds HINTs of possibly affected packages based on the
> >> embedded-code-copies files, the technique used by the check-new-issues
> >> (apt-cache search), and a simple file that could be used to associate
> >> full project names with a package name (say "Alvaro's Messenger" with
> >> "amsn"). The tracker would of course display the CVE as affecting the
> >> HINTed packages until the hints are removed from CVE/list.
> > 
> > this seems like a good idea, but i would be cautious.  taking people out
> > of the loop may be dangerous if not done correctly. i would suggest that
> > the final product of such a script would be at most a 'TODO:
> > check <package1>, <package2>, ... (not comprehensive)' so someone will
> > have a good starting point, but will be aware that the bot's output
> > isn't a complete list of potentially vulnerable packages.
> 
> I actually meant something more like:
> 
> CVE-2009-1234 (heap overflow in Alvaro's Messenger could...)
>         TODO: check
>         HINT: amsn
> CVE-2009-2345 (incorrect handling of null-terminated strings in foo...)
>         TODO: check
>         HINT: foo (if such a package existed)

i don't think it's necessary to invent a new tag.  i meant:

  CVE-2009-1234 (heap overflow in Alvaro's Messenger could...)
          TODO: check amsn (and other packages)
  CVE-2009-2345 (incorrect handling of null-terminated strings in foo..)
          TODO: check foo (and other packages)

mike
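An added illustration (not code from this thread or from the Debian security tracker) of the lightweight approach described above: a script that fills a bare "TODO: check" line with candidate packages derived from a project-name-to-package table and embedded-code-copies data, while keeping the "(and other packages)" caveat so nobody mistakes the output for a complete list. The sample CVE/list entries, the PROJECT_TO_PACKAGE table and the EMBEDDED_COPIES data are constructed for the example.

```python
import re

# Constructed sample in the CVE/list style used in the thread.
SAMPLE_CVE_LIST = """\
CVE-2009-1234 (heap overflow in Alvaro's Messenger could...)
\tTODO: check
CVE-2009-2345 (incorrect handling of null-terminated strings in foo...)
\tTODO: check
CVE-2009-3456 (something in bar)
\t- bar <unfixed>
"""

# Hypothetical mapping of upstream project names to package names (constructed).
PROJECT_TO_PACKAGE = {"alvaro's messenger": "amsn", "foo": "foo"}

# Hypothetical embedded-code-copies data: package -> packages that embed a copy of it.
EMBEDDED_COPIES = {"foo": ["foo-plugins", "barapp"]}

CVE_HEADER = re.compile(r"^(CVE-\d{4}-\d+)\s+\((.*)\)\s*$")


def hint_packages(description):
    """Return candidate packages named in the description, plus known embedders."""
    text = description.lower()
    found = []
    for project, pkg in PROJECT_TO_PACKAGE.items():
        if re.search(r"\b" + re.escape(project) + r"\b", text):
            found.append(pkg)
            found.extend(EMBEDDED_COPIES.get(pkg, []))
    return list(dict.fromkeys(found))  # de-duplicate, preserve order


def annotate(cve_list_text):
    """Rewrite bare 'TODO: check' lines as 'TODO: check <pkgs> (and other packages)'.

    Entries with no candidates, or already triaged entries, are left untouched.
    """
    out = []
    current_hints = []
    for line in cve_list_text.splitlines():
        m = CVE_HEADER.match(line)
        if m:
            current_hints = hint_packages(m.group(2))
        elif line.strip() == "TODO: check" and current_hints:
            indent = line[: len(line) - len(line.lstrip())]
            line = f"{indent}TODO: check {', '.join(current_hints)} (and other packages)"
        out.append(line)
    return "\n".join(out) + "\n"
```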

