[Git][security-tracker-team/security-tracker][master] merge-cve-files: fix crash when there's an experimental tag

Emilio Pozuelo Monfort (@pochu) pochu at debian.org
Mon Mar 20 16:01:03 GMT 2023



Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7838c85c by Emilio Pozuelo Monfort at 2023-03-20T17:00:21+01:00
merge-cve-files: fix crash when there's an experimental tag

If CVE/list has a CVE such as:

CVE-2023-1234
	[experimental] - foo 1.0-1
	- foo 1.0-2

And we attempt to fix an annotation such as

CVE-2023-1234
	[bullseye] - foo 0.1-1+deb11u1

that will crash when we are iterating over the experimental annotation
as next_annotation would be the sid one with release==None, and we would
be comparing internRelease(bullseye) with internRelease(None), which
is not supported.

This is happening with the current data/next-point-update.txt

- - - - -


1 changed file:

- bin/merge-cve-files


Changes:

=====================================
bin/merge-cve-files
=====================================
@@ -87,6 +87,13 @@ def merge_annotations(annotations, new_annotation):
             annotations[idx] = new_annotation
             break
 
+        # if we found an experimental annotation, it will be followed by a 'sid'
+        # one, so next_annotation.release will be None in the next case. That
+        # comparison will break, so we avoid it by continuing. If new_annotation
+        # was for experimental, we would have already replaced it in the above check.
+        if annotation.release == 'experimental':
+            continue
+
         # if the next annotation's release is the same, we continue to replace
         # it in the next iteration. otherwise if we found the right place, we
         # insert the new annotation
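
Review bot: The new guard `if annotation.release == 'experimental': continue` tests a proxy for the failure rather than the condition that actually fails. Per the added comment, what breaks is the comparison against a next_annotation whose release is None. Checking `next_annotation.release is None` before the comparison below, or making the release comparison handle None, would cover that case directly and would not rely on the assumption that an experimental annotation is always followed by a sid one. The `continue` also skips the insertion logic that follows for that iteration, so please confirm that new_annotation is still placed when the experimental entry is the last annotation in the list. A regression test built from the CVE-2023-1234 example in the commit message would pin the behaviour down.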



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7838c85c6f748fd9bc92a01dcd1d81ab36c2f991
