Re: [PATCH 3/3] report-vuln: Support generation of mail headers
Hi,
On Wed, Nov 29, 2017 at 04:24:54PM +0100, Salvatore Bonaccorso wrote:
> Hi Guido,
>
> On Wed, Nov 29, 2017 at 01:48:02PM +0100, Guido Günther wrote:
> > Address the bts already and put the CVEs in the subject.
> >
> > ---
> > This can be further improved regards temp id handling, providing a
> > better subject in case of only a single CVE, etc. but already makes like
> > simpler. O.k. to apply?
>
> Looks fine as long the -m remains the non-default for now and
> bin/report-vuln just can be used to generate templates as before.
Withou '-m' the output is as it was before.
>
> Would it be possible though to change the generated subject to include
> the source package name (or binary package name, depending on the
> mode) as provided, and append after a : just the CVEs space separated?
>
> That is rather than
>
> Subject: CVE-id1, CVE-id2, ...
>
> more like
>
> Subject: srcpkg: CVE-id1 CVE-id2 ...
Attached patch does just that.
> Agree, that is a matter of taste of the person filling the bug though,
> so we might not reach agreement on the desired formatting :)
> everybody is doing something different. Some examples of subjects,
> just from recent IRC bot on #debian-devel-changes:
>
> #879732: CVE-2017-15874 / CVE-2017-15873
> #882648: exim4: CVE-2017-16943: use-after-free vulnerability while reading mail header
> #882034: ruby-redis-store: CVE-2017-1000248
> #878840: icu: CVE-2017-14952: Double free in i18n/zonemeta.cpp
> #881445: ruby-ox: CVE-2017-15928: Segmentation fault in the parse_obj
I intend to fetch the first sentence from the CVE report at one point
(if there's only a single CVE) but this needs some more rework of the
script to avoid duplication.
Cheers,
-- Guido
>From c36a060dd0a39f036307c5fedc4d67eeefa9de32 Mon Sep 17 00:00:00 2001
Message-Id: <c36a060dd0a39f036307c5fedc4d67eeefa9de32.1511970512.git.agx@sigxcpu.org>
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 29 Nov 2017 12:28:39 +0100
Subject: [PATCH] report-vuln: Support generation of mail headers
To: debian-lts@lists.debian.org
---
bin/report-vuln | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/bin/report-vuln b/bin/report-vuln
index a20f6ae764..5e053f88ea 100755
--- a/bin/report-vuln
+++ b/bin/report-vuln
@@ -8,14 +8,14 @@
#
# report-vuln(){
# TMPFILE="$HOME/reportbug.tmp"
-# $HOME/debian/svn/secure-testing/bin/report-vuln "$@" > $TMPFILE
-# mutt -i $TMPFILE submit@bugs.debian.org
+# $HOME/debian/svn/secure-testing/bin/report-vuln -m "$@" > $TMPFILE
+# mutt -H $TMPFILE
# rm $TMPFILE
# }
#
# in bash, this can be simply:
#
-# mutt -i <($HOME/debian/svn/secure-testing/bin/report-vuln) submit@bugs.debian.org
+# mutt -H <($HOME/debian/svn/secure-testing/bin/report-vuln -m <pkg> <CVE>)
#
# export http_proxy if you need to use an http proxy to report bugs
@@ -113,11 +113,18 @@ def get_cve(id):
return ret + '\n'
-def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False, cclist=None, src=False):
+def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False, cclist=None, src=False, mh=False):
vuln_suff = 'y'
cve_suff = ''
time_w = 'was'
temp_id_cnt = 0
+ header = ''
+
+ if mh:
+ header += '''To: submit@bugs.debian.org
+Subject: %s: %s
+
+''' % (pkg, ' '.join(cveid))
if len(cveid) > 1:
cve_suff = 's'
@@ -125,9 +132,9 @@ def gen_text(pkg, cveid, blanks=False, severity=None, affected=None, cc=False, c
time_w = 'were'
if src:
- header = '''Source: %s\n''' % (pkg)
+ header += '''Source: %s\n''' % (pkg)
else:
- header = '''Package: %s\n''' % (pkg)
+ header += '''Package: %s\n''' % (pkg)
if affected is None:
if blanks:
@@ -212,6 +219,7 @@ def main():
parser.add_argument('--cc-list', dest='cclist', default=['team@security.debian.org', 'secure-testing-team@lists.alioth.debian.org'],
help='list of addresses to add in CC (default: %(default)s)')
parser.add_argument('--src', action="store_true", help='report against source package')
+ parser.add_argument('-m', '--mail-header', action="store_true", help='generate a mail header')
parser.add_argument('pkg', help='affected package')
parser.add_argument('cve', nargs='+', help='relevant CVE for this source package, may be used multiple time if the issue has multiple CVEs')
args = parser.parse_args()
@@ -231,7 +239,7 @@ def main():
if not c.match(arg) and not temp_id.match(arg):
error(arg + ' does not seem to be a valid CVE id')
- gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src)
+ gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src, mh=args.mail_header)
if __name__ == '__main__':
main()
--
2.15.0
Reply to: