snap USN notifications reporting binaries with different versions than source as out of date when they are not

Bug #1841848 reported by Jamie Strandboge
Affects             Status        Importance  Assigned to       Milestone
USN Tool            Invalid       Undecided   Unassigned
Ubuntu CVE Tracker  Fix Released  Undecided   Alex Murray
review-tools        Fix Released  Undecided   Jamie Strandboge

Bug Description

$ apt-cache showsrc
Package: libreoffice
...
Version: 1:6.0.7-0ubuntu0.18.04.9
...

$ apt-cache policy libreoffice-impress
libreoffice-impress:
  Installed: (none)
  Candidate: 1:6.0.7-0ubuntu0.18.04.9
  Version table:
     1:6.0.7-0ubuntu0.18.04.9 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
     1:6.0.3-0ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

In the above two, the source version and the binary version match, but with uno-libs3, built from this source, they do not (the epoch is dropped):

$ apt-cache policy uno-libs3
uno-libs3:
  Installed: (none)
  Candidate: 6.0.7-0ubuntu0.18.04.9
  Version table:
     6.0.7-0ubuntu0.18.04.9 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
     6.0.3-0ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

snapcraft correctly adds to snap/manifest.yaml the epoch-less version:

stage-packages:
- uno-libs3=6.0.7-0ubuntu0.18.04.9

Until recently, usndb didn't have enough information for the review-tools to handle this situation since it only contained the source version, 'affected binaries' (i.e., a subset of binary debs) and a list of urls (and urls drop the epoch), so the review-tools would try to guess by adding the epoch, which means that 6.0.7-0ubuntu0.18.04.9 < 1:6.0.7-0ubuntu0.18.04.9 and misreports the issue.

Recently usndb added "allbinaries" which lists all the debs, but unfortunately it is guessing the epoch as well, so the review-tools can't use this and fall back to guessing with older USNs. E.g., the problem is that usndb is adding the epoch when it shouldn't:

...
"bionic": {
  "allbinaries": {
    "libreoffice-impress": {
      "version": "1:6.0.7-0ubuntu0.18.04.9"
    },
    ...
    "uno-libs3": {
      "version": "1:6.0.7-0ubuntu0.18.04.9"
    },
    ...

For the review-tools to be fixed, several things need to happen:
- the review-tools should use "allbinaries" when it is available and fall back to guessing when it is not
- the ubuntu-cve-tracker needs to be adjusted to put the right versions in "allbinaries"
- the review-tools can improve the situation immediately by building up a list of exceptional cases by looking at Packages files for the LTSs and then overriding. This would improve the guesswork/fallback situation moving forward.
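As an added example (not code from the review-tools, usndb or ubuntu-cve-tracker), the dpkg-style epoch-aware version comparison and the allbinaries-first lookup the description calls for; the usndb record below is constructed from the values in the report, and its "source_version" key is an assumption.

```python
import re
from itertools import zip_longest
# Constructed usndb-style entry for USN 4102-1 on bionic: "allbinaries" mirrors the page,
# the "source_version" key is an assumption for the source version the record carries.
USN_4102_1_BIONIC = {
    "source_version": "1:6.0.7-0ubuntu0.18.04.9",
    "allbinaries": {"libreoffice-impress": {"version": "1:6.0.7-0ubuntu0.18.04.9"},
                    "uno-libs3": {"version": "6.0.7-0ubuntu0.18.04.9"}},  # epoch-less, as shipped
}
_TOKEN = re.compile(r"(\D*)(\d*)")

def _order(c):
    # dpkg weighting: '~' sorts before anything, even end of string (weight 0); letters before non-letters.
    if c is None:
        return 0
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_nondigit(a, b):
    for x, y in zip_longest(a, b):
        if _order(x) != _order(y):
            return -1 if _order(x) < _order(y) else 1
    return 0

def _cmp_fragment(a, b):
    # Alternate non-digit runs (dpkg ordering) with digit runs (compared numerically).
    for (na, da), (nb, db) in zip_longest(_TOKEN.findall(a), _TOKEN.findall(b), fillvalue=("", "")):
        c = _cmp_nondigit(na, nb) or (int(da or 0) > int(db or 0)) - (int(da or 0) < int(db or 0))
        if c:
            return c
    return 0

def split_version(v):
    """Split '[epoch:]upstream[-revision]' as dpkg does; the last '-' starts the revision."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    """-1, 0 or 1 like dpkg --compare-versions; a differing epoch decides before anything else."""
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def needs_notice(binary, staged_version, usn_release):
    """True when the staged deb is older than the fix; 'allbinaries' wins over the source-version guess."""
    fixed = usn_release.get("allbinaries", {}).get(binary, {}).get("version") or usn_release["source_version"]
    return compare_versions(staged_version, fixed) < 0
```

With a record that lacks "allbinaries", needs_notice falls back to the epoch-carrying source version and reproduces the false "out of date" result from the report; with the corrected record, the staged uno-libs3 compares equal and no notice is raised.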

Changed in ubuntu-cve-tracker:
status: New → Triaged
Changed in review-tools:
status: New → Triaged
description: updated
Changed in usn-tool:
status: New → Invalid
Alex Murray (alexmurray)
Changed in ubuntu-cve-tracker:
assignee: nobody → Alex Murray (alexmurray)
Jamie Strandboge (jdstrand) wrote :

> For the review-tools to be fixed, several things need to happen:
> - the review-tools should use "allbinaries" when it is available and fallback to guessing when it is not

This is now implemented in master

> - the ubuntu-cve-tracker needs to be adjusted to put the right versions in "allbinaries"

alex-murray is preparing a fix for this

Jamie Strandboge (jdstrand) wrote :

> - the review-tools can improve the situation immediately by building up a list of exceptional cases by looking at Packages files for the LTSs and then overriding. This would improve the guesswork/fallback situation moving forward.

This is now implemented in master. We can make an accurate guess in some cases with epochs and the tools will now do that. When the binary version is sufficiently different from the source version, the tools will now ignore that binary/version when considering whether to notify, since we can't report accurately.

E.g., r862 of egmde-confined-desktop has the fixes but the developers were sent a notification. With master, they won't:

$ review-tools.check-notices ./egmde-confined-desktop_862.snap
{
  "egmde-confined-desktop": {
    "862": {}
  }
}

I created some test snaps that mimic egmde-confined-desktop's manifest.yaml that can be seen here:

$ review-tools.check-notices ./test-check-notices-needed_0.1_amd64.snap # actually out of date
{
  "test-check-notices-needed": {
    "0.1": {
      "libreoffice-common": [
        "4102-1"
      ],
      "libreoffice-core": [
        "4102-1"
      ],
      "libreoffice-gtk3": [
        "4102-1"
      ],
      "libreoffice-style-galaxy": [
        "4102-1"
      ],
      "libreoffice-style-tango": [
        "4102-1"
      ],
      "uno-libs3": [
        "4102-1"
      ],
      "ure": [
        "4102-1"
      ]
    }
  }
}

$ review-tools.check-notices ./test-check-notices_0.1_amd64.snap # up to date
{
  "test-check-notices": {
    "0.1": {}
  }
}

Changed in review-tools:
status: Triaged → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

The fixes to the review-tools are in master and pushed to the beta channel. This is enough for the notification service to pick up so marking as Fix Released.

Changed in review-tools:
status: Fix Committed → Fix Released
Alex Murray (alexmurray) wrote :

The fixes to ubuntu-cve-tracker are in master so future USNs should contain the proper binary versions.

Changed in ubuntu-cve-tracker:
status: Triaged → Fix Released