Feature request: Add a handler for CVE URLs

Bug #1775329 reported by Alex Murray on 2018-06-06
Affects | Status | Importance | Assigned to | Milestone
gnome-terminal (Ubuntu) | | Low | Jeremy Bicha |
Bionic | | Low | Jeremy Bicha |

Bug Description

Provide automatic link handling for CVE identifiers back to the Ubuntu Security team's CVE database (useful when looking at package changelogs which have security fixes etc.).

tags: added: bionic patch

The attachment "Debdiff against current bionic version adding this feature" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Jeremy Bicha (jbicha) wrote :

Hmm, this is an interesting idea.

Maybe it should only link to the Ubuntu Security tracker if gnome-terminal is running on Ubuntu or a distro derived from Ubuntu. For instance, Debian has its own tracker like
https://security-tracker.debian.org/tracker/CVE-2018-4246

Jeremy Bicha (jbicha) on 2018-07-27
Changed in gnome-terminal (Ubuntu Bionic):
importance: Undecided → Low
Changed in gnome-terminal (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Changed in gnome-terminal (Ubuntu Bionic):
status: New → Triaged
Egmont Koblinger (egmont-gmail) wrote :

I agree it's a nice idea.

One nitpick: All the source code goes right next to handling LP regexes, so I'd place and number the patch itself in the "series" file right next to it, too.

This patch would be useful for Debian too, but they don't have 60_add_lp_handler.patch which this patch builds on.

Perhaps their order should be swapped, so that CVE comes first, and this is the one that converts the body of action_copy_match_cb() into an "if" branch. Then LP comes on top of this for Ubuntu only.

Indeed Debian and Ubuntu would use different URLs for CVEs. Maybe you could make the patch itself the same, using a macro passed to configure/make, or define that in another one-liner patch. Not sure if that simplifies anything in your build systems, just a simple idea up for you to consider.

Alex Murray (alexmurray) wrote :

The other option would be to do it "properly" the way upstream want - i.e. to have the user be able to configure their own linkification.

I am happy to rework the patch - is there any interest in carrying this just in Ubuntu or would the preference be to push it to Debian and get it into Ubuntu that way? Also do we know if Debian are interested - since I'd rather not rework the patch a lot unless there was a clear path to getting it into Debian first.

Egmont Koblinger (egmont-gmail) wrote :

> The other option would be to do it "properly" the way upstream want

I can't recall/find such a request in upstream gnome-terminal's tracker, I don't think we (gnome-terminal upstream developers) have any plans on adding this feature. IMHO downstream distro-specific patches are fine here.

> Also do we know if Debian are interested

Jeremy is maintaining both the Debian and Ubuntu patches, that's why I thought he might want to do it this way. Anyway, I leave this up to you guys to figure out.

Egmont Koblinger (egmont-gmail) wrote :

I wanted to say "Jeremy is maintaining both the Debian and Ubuntu *packages* ..."

Egmont Koblinger (egmont-gmail) wrote :

Haha, indeed. Thanks! It's been inactive for 9 years, though.

Alex Murray (alexmurray) wrote :

Ok so any guidance as to how to proceed - Jeremy do you have a preference for how this should work? Would you like it to also support Debian in a similar manner and link to the Debian CVE tracker? In this case would you prefer runtime detection (via say /etc/os-release) or compile-time selection of which CVE tracker to link to?
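
The runtime-detection option raised in the comment above, sketched as an added example (not part of this thread, the attached debdiff, or gnome-terminal). The function names are hypothetical, the Debian base URL is the one quoted earlier in the thread, and the Ubuntu base URL is an assumption; the caller is assumed to pass in the contents of /etc/os-release.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Debian base is the URL quoted in the thread; the Ubuntu base is an assumption. */
#define DEBIAN_TRACKER "https://security-tracker.debian.org/tracker/"
#define UBUNTU_TRACKER "https://ubuntu.com/security/"

/* 1 if os-release `key` lists `want`; values may be quoted, ID_LIKE is a list. */
static int os_release_has(const char *text, const char *key, const char *want) {
    size_t klen = strlen(key), wlen = strlen(want);
    for (const char *line = text; line && *line;) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        if ((size_t)(end - line) > klen && !strncmp(line, key, klen) && line[klen] == '=') {
            for (const char *p = line + klen + 1; p < end;) {
                while (p < end && strchr(" \"'", *p)) p++;   /* skip quotes/spaces */
                const char *tok = p;
                while (p < end && !strchr(" \"'", *p)) p++;  /* one value token */
                if ((size_t)(p - tok) == wlen && !strncmp(tok, want, wlen)) return 1;
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Ubuntu is checked first because Ubuntu itself declares ID_LIKE=debian. */
const char *cve_tracker_for(const char *osr) {
    if (os_release_has(osr, "ID", "ubuntu") || os_release_has(osr, "ID_LIKE", "ubuntu"))
        return UBUNTU_TRACKER;
    if (os_release_has(osr, "ID", "debian") || os_release_has(osr, "ID_LIKE", "debian"))
        return DEBIAN_TRACKER;
    return NULL; /* unknown distro: leave the text unlinked */
}

/* Write the tracker URL for the CVE id at `m` (CVE-YYYY-NNNN, four or more trailing
 * digits) into out; returns 0 on success. Only the validated id reaches the URL. */
int cve_url(const char *osr, const char *m, char *out, size_t outsz) {
    const char *base = cve_tracker_for(osr);
    size_t i = 4, start;
    if (!base || strncmp(m, "CVE-", 4)) return -1;
    while (i < 8 && isdigit((unsigned char)m[i])) i++;
    if (i != 8 || m[i] != '-') return -1;
    for (start = ++i; isdigit((unsigned char)m[i]); i++) {}
    if (i - start < 4 || i > 32) return -1;
    int n = snprintf(out, outsz, "%s%.*s", base, (int)i, m);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}
```

A derivative that declares ID_LIKE="ubuntu debian" resolves to the Ubuntu tracker, and terminal text following the digits never becomes part of the link target.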

Iain Lane (laney) wrote :

Assigning to Jeremy as the outstanding questions are for him and his nomination to bionic is causing this bug to show up on the desktop team's tracking list but it didn't go through the normal review process.

Changed in gnome-terminal (Ubuntu):
assignee: nobody → Jeremy Bicha (jbicha)
Changed in gnome-terminal (Ubuntu Bionic):
assignee: nobody → Jeremy Bicha (jbicha)