USN notification service is sending emails to every revision uploader, even if the revision is not affected by the corresponding security notice

Bug #2007424 reported by Emilia Torino
Affects: review-tools
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

This was reported in the public forum https://forum.snapcraft.io/t/disabling-security-emails/32166/17

The issue here is that review-tools adds every revision's "uploader_email" to the pkg_db "uploaders" list (https://git.launchpad.net/review-tools/tree/reviewtools/store.py#n298) without first checking whether the given revision is affected by the security notices: https://git.launchpad.net/review-tools/tree/reviewtools/store.py#n264.

Steps to reproduce: add a revision to ./tests/test-store-unittest-1.db which is not affected by the USNs in ./tests/test-usn-unittest-build-pkgs-only.db, and set the revision's "uploader_email" to a person other than the affected ones (e.g. <email address hidden>). Such a collaborator will still receive the notification email but should not:

$ PYTHONPATH=./ ./bin/snap-updates-available --usn-db='./tests/test-usn-unittest-build-pkgs-only.db' --store-db='./tests/test-store-unittest-1.db'
From: Snap Store <email address hidden>
To: <affected revision uploader>, <email address hidden>
Bcc: <email address hidden>, <email address hidden>
Subject: 0ad was built with outdated Ubuntu packages

A scan of this snap shows that it was built with packages from the Ubuntu
archive that have since received security updates. The following lists new
USNs for affected build packages in each snap revision:

Revision r11 (amd64; channels: stable, candidate, beta)
 * snapcraft: 5501-1

Revision r12 (i386; channels: stable, candidate, beta)
 * snapcraft: 5501-1

Revision r13 (amd64; channels: edge)
 * snapcraft: 5501-1

Revision r14 (i386; channels: edge)
 * snapcraft: 5501-1

Revision r15 (amd64; channels: edge)
 * snapcraft: 5501-1

Revision r16 (i386; channels: edge)
 * snapcraft: 5501-1

Simply rebuilding the snap will pull in the new security updates and
resolve this. If your snap also contains vendored code, now might be a
good time to review it for any needed updates.

Thank you for your snap and for attending to this matter.

References:
 * https://ubuntu.com/security/notices/USN-5501-1/
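The following is an added, self-contained model of the logic this report describes; it is not review-tools code and its names (`STORE_DB`, `USN_DB`, `affected_usns`, `recipients`) are assumptions. It checks each revision's build packages against a USN database and shows the reported behaviour (every uploader notified) next to the corrected one (only uploaders of affected revisions notified), using constructed sample data and a simplified version comparison.

```python
"""Illustrative model of the USN notification recipient logic (constructed).

Not code from review-tools. Version comparison below is a simplified numeric
tuple compare, not dpkg's algorithm; real data would need a proper comparator.
"""
import re

# Constructed store db: snap name -> revisions, each carrying the uploader who
# published it and the Ubuntu build packages (name -> version) it was built with.
STORE_DB = {
    "0ad": {
        "publisher_email": "publisher@example.com",
        "revisions": [
            {"revision": 11, "uploader_email": "alice@example.com",
             "build_packages": {"snapcraft": "4.8"}},      # older than the fix
            {"revision": 17, "uploader_email": "bob@example.com",
             "build_packages": {"snapcraft": "7.0.1"}},    # already fixed
        ],
    }
}

# Constructed USN db: USN id -> build package -> first fixed version.
USN_DB = {"5501-1": {"snapcraft": "7.0"}}


def _vtuple(version):
    """Simplified version key: numeric components only (placeholder for dpkg compare)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def affected_usns(revision, usn_db):
    """Return {usn: [package, ...]} for build packages older than the USN's fix."""
    hits = {}
    for usn, fixed in usn_db.items():
        for pkg, fixed_ver in fixed.items():
            built = revision["build_packages"].get(pkg)
            if built is not None and _vtuple(built) < _vtuple(fixed_ver):
                hits.setdefault(usn, []).append(pkg)
    return hits


def recipients(snap, usn_db, fixed=True):
    """Collect uploader emails to notify, in revision order, without duplicates.

    fixed=False reproduces the reported bug: every revision's uploader is
    added regardless of whether that revision is affected by any USN.
    """
    uploaders = []
    for rev in snap["revisions"]:
        if not fixed or affected_usns(rev, usn_db):
            email = rev["uploader_email"]
            if email not in uploaders:
                uploaders.append(email)
    return uploaders
```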

Changed in review-tools:
status: New → Confirmed
Changed in review-tools:
status: Confirmed → In Progress
Changed in review-tools:
status: In Progress → Fix Released