
Bug#1001451: Candidate script updates



Hi,

On Tue, Jan 11, 2022 at 05:21:40PM +0100, Salvatore Bonaccorso wrote:
> Hi Neil,
> 
> On Tue, Jan 11, 2022 at 11:20:16AM +0000, Neil Williams wrote:
> > Hi Salvatore,
> > 
> > On Mon, 10 Jan 2022 17:10:15 +0100
> > Salvatore Bonaccorso <carnil@debian.org> wrote:
> > 
> > > > So for that epiphany tracker, there is a typo in the d.changelog -
> > > > the automated link for CVE-2021-4508 is a 404.
> > > > 
> > > > I've updated the script to catch this and report the error. From the
> > > > security-tracker source-package page for epiphany, it looks like the
> > > > d.changelog entry should be CVE-2021-45088 - a simple typo to omit
> > > > the final repeated digit.
> > > > 
> > > > Currently, I'm handling this by advising that the script is re-run
> > > > using the offline support and a corrected list of CVE IDs.
> > > > 
> > > > This also adds a --force-version option to the offline support, in
> > > > case sid has moved ahead of the fixed version by the time the CVE
> > > > list is updated.  
> > > 
> > > Ack, this works indeed in this case as the CVE-2021-4508 does not
> > > exist (yet). But in other cases typos are e.g. just swapping a number
> > > or mistyping the year, or other typos, which lead to an existing CVE.
> > > So basically this all really boils down to, people working on
> > > security-tracker trying as much as possible, in the human limits :),
> > > to do as diligent work as possible.
> > 
> > The script also prints out the CVE description and then tries to
> > identify any existing package link by checking the PackageAnnotation of
> > each CVE. It prints a warning if the source package of the CVE from the
> > changes input doesn't match the source package of the changes itself or
> > the source package(s) of other CVEs in the list. It can't always be an
> > error as the situation with embedded copies & removed|reintroduced
> > packages makes it hard for the script. However, it should be obvious
> > from the output if a typo has been made.
> > 
> > I've also added output if a typo matches a CVE that is an NFU as
> > there are lot more of those in data/CVE/list e.g.
> > 
> > $ cat test.changes| ./bin/grab-cve-in-fix --input
> > grab-cve-in-fix - INFO - Retrieving data STDIN ...
> > grab-cve-in-fix - INFO - CVE-2021-45085: (XSS can occur in GNOME Web
> > (aka Epiphany) before 40.4 and 41.x before  ...)
> > grab-cve-in-fix - INFO - CVE-2021-45086: (XSS can occur in GNOME Web
> > (aka Epiphany) before 40.4 and 41.x before  ...)
> > grab-cve-in-fix - INFO - CVE-2021-45087: (XSS can occur in GNOME Web
> > (aka Epiphany) before 40.4 and 41.x before  ...)
> > grab-cve-in-fix - INFO - CVE-2021-3757: (immer is vulnerable to
> > Improperly Controlled Modification of Object Pr ...)
> > grab-cve-in-fix - ERROR - CVE CVE-2021-3757 is not attributed to a
> > Debian package: ['NOT-FOR-US', 'NOTE']
> > 
> > (test.changes in this case was edited to change the typo to
> > CVE-2021-3757 to demonstrate the output).
> 
> Thanks!
> 
> I noted another case which triggers an error but in this case should
> not (I think the same issue might be present in merge-cve-list, but
> need to double check):
> 
> ../gragcvefix/bin/grab-cve-in-fix --tracker https://tracker.debian.org/news/1294112/accepted-systemd-2502-1-source-into-unstable/
> grab-cve-in-fix - INFO - Retrieving data from distro-tracker...
> grab-cve-in-fix - INFO - CVE-2021-3997:
> grab-cve-in-fix - ERROR - CVE CVE-2021-3997 is not attributed to a Debian package: ['RESERVED']

Never mind, the problem here was PEBKAC. merge-cve-list will later on
stumble still over RESERVED, but I need to respin my tests with the
scripts first before I can give sensible feedback. The above was
nonsense.

Regards,
Salvatore
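The checks discussed in the thread (a changelog CVE ID that does not exist in the tracker, an ID that resolves to a NOT-FOR-US entry, an ID attributed to a different source package, and a RESERVED entry that still carries a package attribution) can be reproduced with a small stand-alone checker. The following is an added example written for this page; it is not the grab-cve-in-fix or merge-cve-list code from the bug report. It assumes a simplified, constructed excerpt in the style of the security-tracker's data/CVE/list (the layout is approximated, not copied from the tracker), and the function names, the sample changelog and the sample list are all invented for illustration.

```python
import re

# Constructed excerpt modelled on the security-tracker's data/CVE/list layout
# (assumption: "CVE-ID (description)" header, indented "- package version"
# attribution lines, and bare annotations such as RESERVED / NOT-FOR-US).
SAMPLE_CVE_LIST = """\
CVE-2021-45088 (XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.2 ...)
\t- epiphany 41.3-1
CVE-2021-45087 (XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.2 ...)
\t- epiphany 41.3-1
CVE-2021-3757 (immer is vulnerable to Improperly Controlled Modification of Object Pr ...)
\tNOT-FOR-US: immer
CVE-2021-3997
\tRESERVED
\t- systemd <unfixed>
"""

# Constructed changelog text containing the typo from the thread (CVE-2021-4508
# instead of CVE-2021-45088) plus an ID that lands on a NOT-FOR-US entry.
SAMPLE_CHANGELOG = """\
epiphany (41.3-1) unstable; urgency=medium

  * New upstream release, fixes CVE-2021-45087, CVE-2021-4508 and
    CVE-2021-3757 (XSS in the web view).
"""

ENTRY_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s+\((.*)\))?\s*$")
PKG_RE = re.compile(r"^\s+-\s+(\S+)\s")
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_cve_list(text):
    """Parse the simplified list into {cve_id: {desc, packages, annotations}}."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"desc": m.group(2) or "", "packages": [], "annotations": []}
            entries[m.group(1)] = current
            continue
        if current is None or not line.strip():
            continue
        pm = PKG_RE.match(line)
        if pm:
            current["packages"].append(pm.group(1))
        else:
            # Annotation keyword only: RESERVED, NOT-FOR-US, NOTE, REJECTED, ...
            current["annotations"].append(line.strip().split(":", 1)[0])
    return entries


def extract_cve_ids(changelog_text):
    """Return CVE IDs in order of first appearance, without duplicates."""
    seen = []
    for cve in CVE_ID_RE.findall(changelog_text):
        if cve not in seen:
            seen.append(cve)
    return seen


def check_changelog_cves(cve_ids, source_package, entries):
    """Return (level, cve, message) findings for each questionable ID."""
    findings = []
    for cve in cve_ids:
        entry = entries.get(cve)
        if entry is None:
            findings.append(("ERROR", cve, "not in data/CVE/list (possible typo)"))
            continue
        if "NOT-FOR-US" in entry["annotations"]:
            findings.append(("ERROR", cve, "not attributed to a Debian package: NOT-FOR-US"))
            continue
        if "RESERVED" in entry["annotations"]:
            # Still RESERVED at MITRE, but may already carry a package attribution.
            findings.append(("INFO", cve, "entry is RESERVED (description pending)"))
        if not entry["packages"]:
            findings.append(("ERROR", cve, "no package attribution"))
        elif source_package not in entry["packages"]:
            # Cannot be a hard error: embedded copies and removed/reintroduced
            # packages legitimately produce mismatches, so only warn.
            findings.append(("WARNING", cve,
                             f"attributed to {entry['packages']}, not {source_package}"))
    return findings


if __name__ == "__main__":
    db = parse_cve_list(SAMPLE_CVE_LIST)
    ids = extract_cve_ids(SAMPLE_CHANGELOG) + ["CVE-2021-3997"]
    for level, cve, msg in check_changelog_cves(ids, "epiphany", db):
        print(f"cve-check - {level} - {cve}: {msg}")
```

Run as a script it prints one line per finding; the mismatch for the systemd entry is deliberately a WARNING rather than an ERROR for the reason Neil gives above, and a RESERVED entry is only reported as INFO when it already has a package attribution, which is the situation the systemd example in the thread describes.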