[Secure-testing-commits] r58182 - bin

Guido Guenther agx at moszumanska.debian.org
Fri Dec 1 14:19:09 UTC 2017

Author: agx
Date: 2017-12-01 14:19:09 +0000 (Fri, 01 Dec 2017)
New Revision: 58182

report-vuln: allow to invoke mailer

This allows invoking the mailer directly, for example:

    bin/report-vuln -M <pkg> <cve>...

the default behaviour is unchanged.

Modified: bin/report-vuln
--- bin/report-vuln	2017-12-01 12:04:20 UTC (rev 58181)
+++ bin/report-vuln	2017-12-01 14:19:09 UTC (rev 58182)
@@ -1,25 +1,18 @@
 #!/usr/bin/env python
-# generate bug report content for a given package name
-# and a number of CVE ids
+# generate bug report content/mail for a given package name and a
+# number of CVE ids
-# you could use it for example in combination with the
-# following shell function:
+# To invoke the mailer right away:
-# report-vuln(){
-#     TMPFILE="$HOME/reportbug.tmp"
-#     $HOME/debian/svn/secure-testing/bin/report-vuln -m "$@" > $TMPFILE
-#     mutt -H $TMPFILE
-#     rm $TMPFILE
-# }
+# $HOME/debian/svn/secure-testing/bin/report-vuln -M <pkg> <CVE>
-# in bash, this can be simply:
-# mutt -H <($HOME/debian/svn/secure-testing/bin/report-vuln -m <pkg> <CVE>)
 # export http_proxy if you need to use an http proxy to report bugs
+from __future__ import print_function
 import argparse
+from tempfile import NamedTemporaryFile
 import sys, re, urllib, os
 temp_id = re.compile('(?:CVE|cve)\-[0-9]{4}-XXXX')
@@ -118,10 +111,11 @@
     cve_suff = ''
     time_w = 'was'
     temp_id_cnt = 0
-    header = ''
+    ret = ''
     if mh:
-        header += '''To: submit at bugs.debian.org
+        ret += '''To: submit at bugs.debian.org
 Subject: %s: %s
 ''' % (pkg, ' '.join(cveid))
@@ -132,56 +126,55 @@
         time_w = 'were'
     if src:
-        header += '''Source: %s\n''' % (pkg)
+        ret += 'Source: %s\n' % (pkg)
-        header += '''Package: %s\n''' % (pkg)
+        ret += 'Package: %s\n' % (pkg)
     if affected is None:
         if blanks:
-            header += "Version: FILLINAFFECTEDVERSION\n"
+            ret += "Version: FILLINAFFECTEDVERSION\n"
-            header += "Version: %s\n" % affected
+            ret += "Version: %s\n" % affected
         if cc and len(cclist) > 0:
-            header += "X-Debbugs-CC: %s\n" % " ".join(cclist)
-    header += '''Severity: %s
+            ret += "X-Debbugs-CC: %s\n" % " ".join(cclist)
+    ret += '''Severity: %s
 Tags: security
-the following vulnerabilit%s %s published for %s.
+the following vulnerabilit%s %s published for %s.\n
 ''' % (severity, vuln_suff, time_w, pkg)
-    footer = '''If you fix the vulnerabilit%s please also make sure to include the
-CVE (Common Vulnerabilities & Exposures) id%s in your changelog entry.
-For further information see:''' % (vuln_suff, cve_suff)
-    print header
     for cnt, cve in enumerate(cveid):
         if not temp_id.match(cve):
-            print cve + '[' + str(cnt) + ']:'
-            print get_cve(cve)
+            ret += cve + '[' + str(cnt) + ']:\n'
+            ret += get_cve(cve) + '\n'
-            print '''Issue without CVE id #%d [%d]:''' % (temp_id_cnt, cnt)
+            ret += 'Issue without CVE id #%d [%d]:\n' % (temp_id_cnt, cnt)
             desc = description_from_list(cve, pkg, temp_id_cnt)
             if desc:
-                print desc + '\n'
+                ret += desc + '\n\n'
-                print 'No description has been specified\n'
+                ret += 'No description has been specified\n\n'
             temp_id_cnt += 1
-    print footer
-    print gen_index(cveid)
+    ret += '''If you fix the vulnerabilit%s please also make sure to include the
+CVE (Common Vulnerabilities & Exposures) id%s in your changelog entry.
+For further information see:\n''' % (vuln_suff, cve_suff)
+    ret += gen_index(cveid) + '\n'
     if temp_id_cnt > 0:
-        print '\nhttps://security-tracker.debian.org/tracker/source-package/%s' % (pkg)
-        print '(issues without CVE id are assigned a TEMP one, but it may change over time)\n'
+        ret += '\nhttps://security-tracker.debian.org/tracker/source-package/%s\n' % (pkg)
+        ret += '(issues without CVE id are assigned a TEMP one, but it may change over time)\n'
     if not blanks:
-        print '''\nPlease adjust the affected versions in the BTS as needed.\n'''
+        ret += '\nPlease adjust the affected versions in the BTS as needed.\n'
+    return ret
 def error(msg):
-    print 'error: ' + msg
+    print('error: ' + msg, file=sys.stderr)
 class NegateAction(argparse.Action):
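Review bot: `ret += get_cve(cve) + '\n'` and `ret += gen_index(cveid) + '\n'` now require both helpers to return a string, where the old `print` statements accepted any value. Both helpers are defined outside this hunk, so whether either can return None (for instance when a description lookup comes back empty) cannot be confirmed from here; if one can, the report now aborts with a TypeError instead of printing a placeholder. Since gen_text has changed from printing to returning, a one-line docstring such as `"""Return the bug report text, preceded by a mail header when mh is set."""` would make the new contract explicit. The signature of gen_text is outside the hunk.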
@@ -220,6 +213,10 @@
                         help='list of addresses to add in CC (default: %(default)s)')
     parser.add_argument('--src', action="store_true", help='report against source package')
     parser.add_argument('-m', '--mail-header', action="store_true", help='generate a mail header')
+    parser.add_argument('-M', '--mail', action="store_true", help='invoke mailer right aways')
+    parser.add_argument('--mailer', action='store', default='mutt -H {}',
+                        help='Command executed. Must contain {} to be replaced '
+                        'by the filename of the draft bugreport')
     parser.add_argument('pkg', help='affected package')
     parser.add_argument('cve', nargs='+', help='relevant CVE for this source package, may be used multiple time if the issue has multiple CVEs')
     args = parser.parse_args()
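Review bot: The `--mailer` help text says the command must contain `{}`, but nothing after `parser.parse_args()` enforces it. `str.format` returns a template without a placeholder unchanged, so the mailer would start without the draft, and a template containing other braces raises at format time. A check right after parsing makes the requirement real: `if args.mail and '{}' not in args.mailer: parser.error('--mailer must contain {}')`. The `-M` help string also has a typo: `right aways` should read `right away`. The enclosing function starts outside this hunk.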
@@ -239,7 +236,23 @@
         if not c.match(arg) and not temp_id.match(arg):
             error(arg + ' does not seem to be a valid CVE id')
-    gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=args.cclist, src=args.src, mh=args.mail_header)
+    text = gen_text(pkg, cve,
+                    affected=args.affected,
+                    blanks=args.blanks,
+                    severity=args.severity,
+                    cc=args.cc,
+                    cclist=args.cclist,
+                    src=args.src,
+                    mh=args.mail_header or args.mail)
+    if args.mail:
+        with NamedTemporaryFile(prefix='report-vuln', suffix='.txt') as bugmail:
+            bugmail.write(text)
+            bugmail.flush()
+            os.system(args.mailer.format(bugmail.name))
+    else:
+        print(text)
 if __name__ == '__main__':
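Review bot: `os.system(args.mailer.format(bugmail.name))` hands a formatted string to the shell, so the temporary file path is interpolated unquoted and a TMPDIR containing spaces or shell metacharacters changes the command. The mailer's exit status is also discarded, so a failed send looks the same as a successful one and the draft is deleted when the `with` block exits. Splitting the template and running it without a shell addresses both: `cmd = [a.format(bugmail.name) for a in shlex.split(args.mailer)]` followed by `sys.exit(subprocess.call(cmd))`, with `shlex` and `subprocess` added to the imports; anyone relying on shell syntax in `--mailer` would then need to wrap it in `sh -c` explicitly. `NamedTemporaryFile` opens in binary mode by default, so passing `mode='w'` would keep `bugmail.write(text)` working if the script is ever run under Python 3. The enclosing function starts outside this hunk.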
