Feature request: Add a handler for CVE URLs

Bug #1775329 reported by Alex Murray
Affects: gnome-terminal (Ubuntu) | Status: Triaged | Importance: Low | Assigned to: Alex Murray | Milestone: none

Bug Description

Provide automatic link handling for CVE identifiers back to the Ubuntu Security team's CVE database (useful when looking at package changelogs which have security fixes etc).

Tags: bionic patch

Alex Murray (alexmurray) wrote :
tags: added: bionic patch
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Debdiff against current bionic version adding this feature" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Jeremy Bícha (jbicha) wrote :

Hmm, this is an interesting idea.

Maybe it should only link to the Ubuntu Security tracker if gnome-terminal is running on Ubuntu or a distro derived from Ubuntu. For instance, Debian has its own tracker like
https://security-tracker.debian.org/tracker/CVE-2018-4246

Jeremy Bícha (jbicha)
Changed in gnome-terminal (Ubuntu Bionic):
importance: Undecided → Low
Changed in gnome-terminal (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Changed in gnome-terminal (Ubuntu Bionic):
status: New → Triaged
Egmont Koblinger (egmont-gmail) wrote :

I agree it's a nice idea.

One nitpick: All the source code goes right next to handling LP regexes, so I'd place and number the patch itself in the "series" file right next to it, too.

This patch would be useful for Debian too, but they don't have 60_add_lp_handler.patch which this patch builds on.

Perhaps their order should be swapped, so that CVE comes first, and this is the one that converts the body of action_copy_match_cb() into an "if" branch. Then LP comes on top of this for Ubuntu only.

Indeed Debian and Ubuntu would use different URLs for CVEs. Maybe you could make the patch itself the same, using a macro passed to configure/make, or define that in another one-liner patch. Not sure if that simplifies anything in your build systems, just a simple idea up for you to consider.

Alex Murray (alexmurray) wrote :

The other option would be to do it "properly" the way upstream want - i.e. to have the user be able to configure their own linkification.

I am happy to rework the patch - is there any interest in carrying this just in Ubuntu or would the preference be to push it to Debian and get it into Ubuntu that way? Also do we know if Debian are interested - since I'd rather not rework the patch a lot unless there was a clear path to getting it into Debian first.

Egmont Koblinger (egmont-gmail) wrote :

> The other option would be to do it "properly" the way upstream want

I can't recall/find such a request in upstream gnome-terminal's tracker, I don't think we (gnome-terminal upstream developers) have any plans on adding this feature. IMHO downstream distro-specific patches are fine here.

> Also do we know if Debian are interested

Jeremy is maintaining both the Debian and Ubuntu patches, that's why I thought he might want to do it this way. Anyway, I leave this up to you guys to figure out.

Egmont Koblinger (egmont-gmail) wrote :

I wanted to say "Jeremy is maintaining both the Debian and Ubuntu *packages* ..."

Alex Murray (alexmurray) wrote :
Egmont Koblinger (egmont-gmail) wrote :

Haha, indeed. Thanks! It's been inactive for 9 years, though.

Alex Murray (alexmurray) wrote :

Ok so any guidance as to how to proceed - Jeremy do you have a preference for how this should work? Would you like it to also support Debian in a similar manner and link to the Debian CVE tracker? In this case would you prefer runtime detection (via say /etc/os-release) or compile-time selection of which CVE tracker to link to?

Iain Lane (laney) wrote :

Assigning to Jeremy as the outstanding questions are for him and his nomination to bionic is causing this bug to show up on the desktop team's tracking list but it didn't go through the normal review process.

Changed in gnome-terminal (Ubuntu):
assignee: nobody → Jeremy Bicha (jbicha)
Changed in gnome-terminal (Ubuntu Bionic):
assignee: nobody → Jeremy Bicha (jbicha)
Jeremy Bícha (jbicha) wrote :

I believe Debian would appreciate the feature linking to Debian's CVE database there.

I'm fine with either runtime detection or compile-time selection. If it's compile-time, I'd expect we would set it in debian/rules with something like
https://salsa.debian.org/gnome-team/gnome-software/blob/debian/master/debian/rules#L46

Sorry I didn't see the follow-up questions until today.
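As an added example (not the debdiff attached to this bug and not gnome-terminal's own code), here is the runtime-detection variant Alex asks about and Jeremy says he is fine with: read /etc/os-release, choose the tracker from ID and ID_LIKE, and turn CVE identifiers found in text into tracker links. POSIX regex.h stands in for the GRegex calls a real gnome-terminal patch would use. The Debian base URL is taken from the tracker link Jeremy quoted earlier in this thread; the Ubuntu base URL (https://ubuntu.com/security/) is an assumption; the os-release contents are constructed samples passed in as strings so the example runs offline.

```c
/* Added example: runtime CVE-tracker selection via os-release, plus CVE id
 * matching. Not the bug's debdiff; URLs and sample os-release data are
 * assumptions/constructed as noted below. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define UBUNTU_CVE_URL "https://ubuntu.com/security/"                 /* assumed Ubuntu tracker base */
#define DEBIAN_CVE_URL "https://security-tracker.debian.org/tracker/" /* base of the URL quoted in the thread */
#define CVE_PATTERN    "CVE-[0-9]{4}-[0-9]{4,}"                        /* 4-digit year, 4 or more digits */

/* Constructed /etc/os-release contents used as sample input (not from real hosts). */
#define SAMPLE_UBUNTU "NAME=\"Ubuntu\"\nID=ubuntu\nID_LIKE=debian\nVERSION_ID=\"18.04\"\n"
#define SAMPLE_MINT   "ID=linuxmint\nID_LIKE=\"ubuntu debian\"\n"
#define SAMPLE_DEBIAN "ID=debian\nVERSION_ID=\"10\"\n"
#define SAMPLE_FEDORA "ID=fedora\nVERSION_ID=30\n"

/* Copy the value of KEY from os-release style CONTENT into OUT, stripping one
 * layer of surrounding quotes. Returns 1 if the key was present, else 0. */
static int os_release_value(const char *content, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = content;

    out[0] = '\0';
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);

        /* "ID=" must not match "ID_LIKE=": the char after the key must be '=' */
        if (linelen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t vlen = linelen - klen - 1;
            if (vlen >= 2 && (v[0] == '"' || v[0] == '\'') && v[vlen - 1] == v[0]) {
                v++;
                vlen -= 2;
            }
            if (vlen >= outlen)
                vlen = outlen - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

/* ID_LIKE is a space-separated list; match whole tokens only. */
static int has_token(const char *list, const char *tok)
{
    size_t tlen = strlen(tok);
    const char *p = list;

    while (*p) {
        while (*p == ' ')
            p++;
        const char *end = p;
        while (*end && *end != ' ')
            end++;
        if ((size_t)(end - p) == tlen && strncmp(p, tok, tlen) == 0)
            return 1;
        p = end;
    }
    return 0;
}

/* Choose the tracker base URL for the running distro. Ubuntu is tested before
 * Debian on purpose: Ubuntu itself carries ID_LIKE=debian, and derivatives
 * (the constructed Mint sample) carry "ubuntu" in ID_LIKE. NULL means no known
 * tracker, so CVE ids should simply not be linkified on that system. */
const char *pick_tracker(const char *os_release)
{
    char id[64], like[128];

    os_release_value(os_release, "ID", id, sizeof id);
    os_release_value(os_release, "ID_LIKE", like, sizeof like);
    if (strcmp(id, "ubuntu") == 0 || has_token(like, "ubuntu"))
        return UBUNTU_CVE_URL;
    if (strcmp(id, "debian") == 0 || has_token(like, "debian"))
        return DEBIAN_CVE_URL;
    return NULL;
}

/* Find CVE identifiers in TEXT, copying up to MAX into IDS; returns the count. */
int extract_cves(const char *text, char ids[][32], int max)
{
    regex_t re;
    regmatch_t m;
    const char *p = text;
    int n = 0;

    if (regcomp(&re, CVE_PATTERN, REG_EXTENDED) != 0)
        return -1;
    while (n < max && regexec(&re, p, 1, &m, 0) == 0) {
        size_t len = (size_t)(m.rm_eo - m.rm_so);
        if (len > 31)
            len = 31;
        memcpy(ids[n], p + m.rm_so, len);
        ids[n][len] = '\0';
        n++;
        p += m.rm_eo;
    }
    regfree(&re);
    return n;
}

int count_cves(const char *text)
{
    char ids[16][32];
    return extract_cves(text, ids, 16);
}

/* Link for the first CVE id in TEXT on the given distro, or NULL when there is
 * no id or no tracker. Returns a static buffer (fine for a demo). */
const char *first_cve_url(const char *text, const char *os_release)
{
    static char url[256];
    char ids[1][32];
    const char *base = pick_tracker(os_release);

    if (base == NULL || extract_cves(text, ids, 1) != 1)
        return NULL;
    snprintf(url, sizeof url, "%s%s", base, ids[0]);
    return url;
}

int main(void)
{
    /* constructed changelog line */
    const char *line = "  * Fix CVE-2018-4246 and CVE-2019-1234567 (constructed)";
    char ids[8][32];
    int i, n = extract_cves(line, ids, 8);

    for (i = 0; i < n; i++)
        printf("%s -> %s\n", ids[i], first_cve_url(ids[i], SAMPLE_MINT));
    printf("on fedora: %s\n", first_cve_url(line, SAMPLE_FEDORA) ? "linked" : "not linkified");
    return 0;
}
```

In a real patch the os-release lookup would run once at startup rather than per match. Returning NULL for distros without a known tracker is deliberate: a terminal that sends users of unrelated distributions to the Ubuntu tracker would be giving them advisories that may not describe their packages at all, and the compile-time alternative Jeremy mentions (a flag set in debian/rules) avoids the lookup entirely at the cost of baking one tracker into each build.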

Jeremy Bícha (jbicha) wrote :

I'm dropping the bionic task for now so that it doesn't clutter the Ubuntu Desktop Team's bionic tracker when this isn't ready for bionic yet.

no longer affects: gnome-terminal (Ubuntu Bionic)
Changed in gnome-terminal (Ubuntu):
assignee: Jeremy Bicha (jbicha) → Alex Murray (alexmurray)