Merge ~rodrigo-zaiden/ubuntu-cve-tracker:feature/triage-cve-icu into ubuntu-cve-tracker:master

Proposed by Rodrigo Figueiredo Zaiden
Status: Merged
Merged at revision: fd4454cd9bc3a0677868d1abcd96e937f4dbfb9b
Proposed branch: ~rodrigo-zaiden/ubuntu-cve-tracker:feature/triage-cve-icu
Merge into: ubuntu-cve-tracker:master
Diff against target: 58 lines (+16/-15)
2 files modified
active/CVE-2020-21913 (+8/-7)
active/CVE-2021-30535 (+8/-8)
Reviewer        Review Type   Date Requested   Status
Steve Beattie                                  Approve
Alex Murray                                    Pending
Review via email: mp+410174@code.launchpad.net

Commit message

CVE-2020-21913/CVE-2021-30535: icu: triage update

Description of the change

Updated triage info based mainly on https://launchpad.net/ubuntu/<release>/+source/icu/+changelog
and, additionally, with info found in ICU github repo
Would you, please, verify if the approach is correct?

Revision history for this message
Steve Beattie (sbeattie) wrote :

Hey Rodrigo,

These changes look pretty good. The only change I would make is that, because the fixes landed before a given ubuntu version was released, we mark those as 'not-affected' rather than 'released' (unless our team was the one to upload to the devel release). The idea here is that for example because focal had icu 66.1-2ubuntu1 or newer available when focal was released, at no time was a user of focal with any of icu's packages installed vulnerable to CVE-2020-21913. If we had fixed the issue after focal had been released via focal-security, then we would mark it as 'released', to more properly indicate that the vulnerability had affected that release, but with the update, now does not.

(In the end, it's not a huge difference; in either case if the user has that version or newer installed, they know they are not vulnerable to that CVE.)

The analysis of when both CVEs were addressed does look correct. If you're ever unsure, you should be able to verify by code inspection, and indeed, icu 66.1-2ubuntu2 has CVE-2020-10531.patch as the last applied patch, and you can go further by looking at the buildlog for the package to ensure that it was applied:

  https://launchpad.net/ubuntu/+source/icu/66.1-2ubuntu1
=> amd64 build record:
  https://launchpad.net/ubuntu/+source/icu/66.1-2ubuntu1/+build/18846484
=> amd64 build log:
  https://launchpadlibrarian.net/469373607/buildlog_ubuntu-focal-amd64.icu_66.1-2ubuntu1_BUILDING.txt.gz

In there, you can see the line:

  dpkg-source: info: applying CVE-2020-10531.patch

(in this case, you can also see the added testcase, UnicodeStringTest::TestLargeAppend, getting exercised as well, confirming the patch application.)

That said, normally the changelog information is trustworthy enough to rely on, but that is how you would validate if you had any concerns about accuracy.

Thanks!

review: Needs Fixing
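The build-log check described in the comment above, as an added example that is not part of this merge proposal, of ubuntu-cve-tracker or of Launchpad: it decompresses the .txt.gz form in which Launchpad serves build logs, collects the `dpkg-source: info: applying <patch>` lines in order, and reports whether a named patch was applied, which patch came last, and whether a test-case name shows up in the output. The log excerpt embedded below is constructed for the example (the earlier patch name is made up); only the dpkg-source line format is taken from the comment. `fetch_build_log` is there for the real URL but is not used by the offline demo.

```python
"""Check a Launchpad build log for evidence that a named patch was applied.

Added example for this review thread, not code from ubuntu-cve-tracker or
from Launchpad. The only format assumption is the line dpkg-source prints
while unpacking a 3.0 (quilt) source package:
    dpkg-source: info: applying <patch-name>
SAMPLE_BUILD_LOG below is a constructed excerpt, not the real icu log.
"""
import gzip
import re
import urllib.request

# Constructed sample: the shape of the relevant lines, with one made-up
# earlier patch name so that ordering is visible. Real logs carry
# thousands of lines of compiler and test output around these.
SAMPLE_BUILD_LOG = """\
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying 0001-constructed-earlier-fix.patch
dpkg-source: info: applying CVE-2020-10531.patch
dpkg-buildpackage: info: host architecture amd64
(build and test-suite output elided in this constructed sample)
TestLargeAppend
"""

# Launchpad serves the log gzip-compressed (*.txt.gz); this stands in for
# the downloaded bytes so the example runs offline.
SAMPLE_BUILD_LOG_GZ = gzip.compress(SAMPLE_BUILD_LOG.encode())

APPLY_RE = re.compile(r"^dpkg-source: info: applying (\S+)\s*$", re.MULTILINE)


def read_build_log(blob: bytes) -> str:
    """Decode downloaded log bytes, decompressing first if they are gzip."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic number
        blob = gzip.decompress(blob)
    return blob.decode("utf-8", errors="replace")


def fetch_build_log(url: str, timeout: float = 60) -> str:
    """Download a build log (needs network; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return read_build_log(resp.read())


def applied_patches(log_text: str) -> list:
    """Patch names in the order dpkg-source applied them."""
    return APPLY_RE.findall(log_text)


def patch_applied(log_text: str, patch_name: str) -> bool:
    return patch_name in applied_patches(log_text)


def last_applied_patch(log_text: str):
    patches = applied_patches(log_text)
    return patches[-1] if patches else None


def mentions(log_text: str, token: str) -> bool:
    """Coarse secondary check, e.g. that an added test-case name appears in
    the test-suite output; the exact line shape depends on the test runner."""
    return token in log_text


def verify_fix(log_bytes: bytes, patch_name: str, test_name: str = "") -> dict:
    """Summarise what the log shows for one patch and an optional test name."""
    text = read_build_log(log_bytes)
    return {
        "patch_applied": patch_applied(text, patch_name),
        "last_patch": last_applied_patch(text),
        "test_seen": mentions(text, test_name) if test_name else None,
    }


if __name__ == "__main__":
    # Offline demo against the constructed sample; for a real check pass
    # fetch_build_log(<buildlog URL>).encode() or the raw .gz bytes instead.
    print(verify_fix(SAMPLE_BUILD_LOG_GZ, "CVE-2020-10531.patch", "TestLargeAppend"))
```

Because dpkg-source applies debian/patches/series in order, the last name returned by `applied_patches` is the last patch in the series file, which is how "the last applied patch" can be confirmed from the log alone.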
Revision history for this message
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

> Hey Rodrigo,
>
> These changes look pretty good. The only change I would make is that, because
> the fixes landed before a given ubuntu version was released, we mark those
> as 'not-affected' rather than 'released' (unless our team was the one to
> upload to the devel release). The idea here is that for example because focal
> had icu 66.1-2ubuntu1 or newer available when focal was released, at no time
> was a user of focal with any of icu's packages installed vulnerable to
> CVE-2020-21913. If we had fixed the issue after focal had been released via
> focal-security, then we would mark it as 'released', to more properly indicate
> that the vulnerability had affected that release, but with the update, now
> does not.
>
> (In the end, it's not a huge difference; in either case if the user has that
> version or newer installed, they know they are not vulnerable to that CVE.)
>
> The analysis of when both CVEs were addressed does look correct. If you're ever
> unsure, you should be able to verify by code inspection, and indeed, icu
> 66.1-2ubuntu2 has CVE-2020-10531.patch as the last applied patch, and you can
> go further by looking at the buildlog for the package to ensure that it was
> applied:
>
> https://launchpad.net/ubuntu/+source/icu/66.1-2ubuntu1
> => amd64 build record:
> https://launchpad.net/ubuntu/+source/icu/66.1-2ubuntu1/+build/18846484
> => amd64 build log:
> https://launchpadlibrarian.net/469373607/buildlog_ubuntu-focal-amd64.icu_66.1-2ubuntu1_BUILDING.txt.gz
>
> In there, you can see the line:
>
> dpkg-source: info: applying CVE-2020-10531.patch
>
> (in this case, you can also see the added testcase,
> UnicodeStringTest::TestLargeAppend, getting exercised as well, confirming the patch
> application.)
>
> That said, normally the changelog information is trustworthy enough to rely
> on, but that is how you would validate if you had any concerns about accuracy.
>
> Thanks!

Hi Steve,

Thanks a lot for the review and guide on how to check for a fix in a release using the build log.

The "not-affected" tag makes sense, my bad that I didn't think of using it before.
I amended the commit to update the review (if this is not the correct procedure, please let me know).
I noticed that I was using an incorrect version for impish (devel) release on CVE-2020-21913 so it is also updated.

If possible, would you please, re-check if it is correct now?

Thanks,
Rodrigo

Revision history for this message
Steve Beattie (sbeattie) wrote :

This looks good, merging.

Re versions, that's okay. Usually we want the version that the fix first made it into the Ubuntu archive, but realistically, as long as the version is <= the version in that specific release, people who use tools based on UCT data to check whether they are vulnerable or not will correctly determine that they are not vulnerable.

Similarly for the upstream version where it was fixed, because the vast majority of our packages are derived from the same package in debian, we often encode the version that the fix first entered debian's unstable or experimental archives in that field.

But those are all fine details that don't affect the correctness of this merge proposal.

Thanks!

review: Approve
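The 'not-affected' versus 'released' rule from the first review comment and the version-ordering point in the comment above, as an added example that is not part of this merge proposal or of ubuntu-cve-tracker: a consumer of UCT data has to parse a stanza line of the form seen in the diff below (`<release>_<pkg>: <status> (<version or note>)`) and compare an installed version against the recorded fix version using dpkg's ordering (epoch, `~` sorting before everything, digit runs compared numerically). That comparison is reimplemented here so the example runs without dpkg; the status-to-verdict mapping follows the reviewer's rule plus UCT's status vocabulary and is an assumption of this example, as are the installed versions used in the demo.

```python
"""Evaluate an installed package version against a UCT status line.

Added example for this review thread, not code from ubuntu-cve-tracker or
any Ubuntu tooling. Assumptions: the stanza line shape from the diff on
this page, dpkg's version ordering rules (reimplemented below), and the
mapping of UCT statuses to a vulnerable/not-vulnerable/unknown verdict.
"""
import re

STATUS_RE = re.compile(
    r"^(?P<release>[a-z0-9./-]+)_(?P<pkg>[a-z0-9.+-]+):\s*"
    r"(?P<status>[A-Za-z-]+)(?:\s*\((?P<note>[^)]*)\))?\s*$"
)
# Loose shape of a dpkg version: optional epoch, a digit, then the rest.
VERSION_RE = re.compile(r"^(\d+:)?\d[A-Za-z0-9.+~-]*$")


def _order(c: str) -> int:
    """dpkg's ordering for non-digit characters; '' marks end of string."""
    if c == "~":
        return -1          # '~' sorts before everything, even the end
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)      # letters sort before other punctuation
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare upstream-version or revision strings the way dpkg does:
    alternate non-digit runs (character order above) and digit runs
    (numeric, so leading zeros do not matter) until both are exhausted."""
    while a or b:
        na = re.match(r"\D*", a).group()
        nb = re.match(r"\D*", b).group()
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i] if i < len(na) else "")
            ob = _order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"\d*", a).group()
        db = re.match(r"\d*", b).group()
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]'; the last '-' starts the revision."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_status_line(line: str):
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError("not a UCT status line: %r" % line)
    return m.group("release"), m.group("pkg"), m.group("status"), m.group("note")


# UCT statuses meaning "no fixed package exists in this release" (assumption
# of this example: 'ignored' has no fix either, so it is reported as open).
OPEN_STATUSES = {"needed", "pending", "active", "deferred", "ignored"}


def vulnerable(line: str, installed: str):
    """True/False for the installed version, None when UCT cannot say."""
    _release, _pkg, status, note = parse_status_line(line)
    if status == "DNE":
        return False                     # package does not exist there
    if status in OPEN_STATUSES:
        return True
    if status in ("released", "not-affected"):
        if note and VERSION_RE.match(note):
            # Fixed from `note` onwards whether the fix shipped as an update
            # (released) or was already present at release time
            # (not-affected): installed older than the fix means vulnerable.
            return compare_versions(installed, note) < 0
        return False if status == "not-affected" else None
    return None                          # needs-triage or unrecognised


if __name__ == "__main__":
    # Constructed installed versions; the status lines are from the diff below.
    print(vulnerable("focal_icu: not-affected (66.1-2ubuntu1)", "66.1-2ubuntu2"))  # False
    print(vulnerable("bionic_icu: needed", "60.2-3ubuntu3"))                         # True
```

Recording a fix version that is lower than or equal to the version actually in the release, as the comment above says, cannot produce a false "vulnerable" here: any installed version from that release compares greater than or equal to the recorded one.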
Revision history for this message
Steve Beattie (sbeattie) wrote :

Oh bah, I had to rebase my merge because I was behind on master, but forgot to preserve the branch in the rebase, so the end result looks like a fast-forward merge. It's merged in https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=fd4454cd9bc3a0677868d1abcd96e937f4dbfb9b

Preview Diff

1diff --git a/active/CVE-2020-21913 b/active/CVE-2020-21913
2index 5fd9dcf..878b9ad 100644
3--- a/active/CVE-2020-21913
4+++ b/active/CVE-2020-21913
5@@ -17,6 +17,7 @@ Priority: low
6 Discovered-by:
7 Assigned-to: rodrigo-zaiden
8 CVSS:
9+ nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
10
11 Patches_firefox:
12 upstream_firefox: needs-triage
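Review bot: the added nvd: vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H computes to a 5.5 (Medium) base score while the hunk header shows Priority: low left as it is; Ubuntu's priority is assigned independently of NVD's score, so that is not wrong, but a reader comparing the two fields will otherwise wonder which one is stale, so a short justification next to the priority would help. The single-space indent on the nvd: line matches the upstream: sub-field style used in the icu stanza of the second file.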
13@@ -83,12 +84,12 @@ devel_mozjs78: needs-triage
14
15 Patches_icu:
16 upstream: https://github.com/unicode-org/icu/commit/727505bddab0bfd527f1db6697cb4d4f7febe4a9
17-upstream_icu: needs-triage
18+upstream_icu: released (66.1)
19 trusty_icu: ignored (out of standard support)
20-trusty/esm_icu: needs-triage
21+trusty/esm_icu: needed
22 xenial_icu: ignored (out of standard support)
23-esm-infra/xenial_icu: needs-triage
24-bionic_icu: needs-triage
25-focal_icu: needs-triage
26-hirsute_icu: needs-triage
27-devel_icu: needs-triage
28+esm-infra/xenial_icu: needed
29+bionic_icu: needed
30+focal_icu: not-affected (66.1-2ubuntu1)
31+hirsute_icu: not-affected (67.1-6ubuntu1)
32+devel_icu: not-affected (67.1-7ubuntu1)
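Review bot: the basis for focal_icu: not-affected (66.1-2ubuntu1) is ambiguous between two statements on this page: upstream_icu: released (66.1) says upstream 66.1 already contains commit 727505bd, whereas the review comment above verifies the 66.1-2ubuntu1 build by the dpkg-source line for CVE-2020-10531.patch, which is a different CVE's patch. If 66.1 carries the fix as released, the build-log check is not what establishes focal's status and the not-affected entries for focal, hirsute (67.1-6ubuntu1) and devel (67.1-7ubuntu1) follow from the version alone; if instead a distro patch is what fixes it, upstream_icu should not read released (66.1). Suggest stating which applies in the stanza. Moving trusty/esm, esm-infra/xenial and bionic from needs-triage to needed without a version is consistent with the fix existing only from 66.1 onward.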
33diff --git a/active/CVE-2021-30535 b/active/CVE-2021-30535
34index 1aa5d7e..7d29480 100644
35--- a/active/CVE-2021-30535
36+++ b/active/CVE-2021-30535
37@@ -33,13 +33,13 @@ hirsute_chromium-browser: not-affected (code not present)
38 devel_chromium-browser: not-affected (code not present)
39
40 Patches_icu:
41- upstream: https://github.com/unicode-org/icu/commit/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch
42-upstream_icu: needs-triage
43+ upstream: https://github.com/unicode-org/icu/commit/e450fa50fc242282551f56b941dc93b9a8a0bcbb
44+upstream_icu: released (70-rc)
45 trusty_icu: ignored (out of standard support)
46-trusty/esm_icu: needs-triage
47+trusty/esm_icu: needed
48 xenial_icu: ignored (out of standard support)
49-esm-infra/xenial_icu: needs-triage
50-bionic_icu: needs-triage
51-focal_icu: needs-triage
52-hirsute_icu: needs-triage
53-devel_icu: needs-triage
54+esm-infra/xenial_icu: needed
55+bionic_icu: needed
56+focal_icu: needed
57+hirsute_icu: needed
58+devel_icu: not-affected (67.1-7ubuntu1)
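Review bot: devel_icu: not-affected (67.1-7ubuntu1) sits next to upstream_icu: released (70-rc), and hirsute, which the first file records at 67.1-6ubuntu1, stays needed; so the claim is that 67.1-7ubuntu1 carries a backport of e450fa50 that 67.1-6ubuntu1 lacks, which the upstream version alone does not show. Worth confirming from the 67.1-7ubuntu1 changelog or build log (the dpkg-source applying lines, as in the review above) that the patch is in that upload, and, per the rule given above, using released rather than not-affected if that upload came from the security team after the devel release rather than landing before it. Dropping the .patch suffix from the upstream URL brings it in line with the commit URL form used in the first file.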
