Merge ~rodrigo-zaiden/ubuntu-cve-tracker:feature/triage-cve-icu into ubuntu-cve-tracker:master
Proposed by Rodrigo Figueiredo Zaiden

| Status | Merged |
|---|---|
| Merged at revision | fd4454cd9bc3a0677868d1abcd96e937f4dbfb9b |
| Proposed branch | ~rodrigo-zaiden/ubuntu-cve-tracker:feature/triage-cve-icu |
| Merge into | ubuntu-cve-tracker:master |
| Diff against target | 58 lines (+16/-15), 2 files modified: active/CVE-2020-21913 (+8/-7), active/CVE-2021-30535 (+8/-8) |
| Related bugs | none |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Steve Beattie | | | Approve |
| Alex Murray | | | Pending |

Review via email: mp+410174@code.launchpad.net
Commit message
CVE-2020-
Description of the change
Updated triage info based mainly on https:/
and, additionally, with info found in the ICU GitHub repo.
Would you, please, verify if the approach is correct?
Hey Rodrigo,
These changes look pretty good. The only change I would make is that, because the fixes landed before a given Ubuntu version was released, we mark those as 'not-affected' rather than 'released' (unless our team was the one to upload to the devel release). The idea here is that, for example, because focal had icu 66.1-2ubuntu1 or newer available when focal was released, at no time was a user of focal with any of icu's packages installed vulnerable to CVE-2020-21913. If we had fixed the issue after focal had been released via focal-security, then we would mark it as 'released', to more properly indicate that the vulnerability had affected that release, but with the update, now does not.
(In the end, it's not a huge difference; in either case if the user has that version or newer installed, they know they are not vulnerable to that CVE.)
The analysis of when both CVEs were addressed does look correct. If you're ever unsure, you should be able to verify by code inspection, and indeed, icu 66.1-2ubuntu2 has CVE-2020-10531.patch as the last applied patch, and you can go further by looking at the buildlog for the package to ensure that it was applied:
https://launchpad.net/ubuntu/+source/icu/66.1-2ubuntu1
=> amd64 build record:
https://launchpad.net/ubuntu/+source/icu/66.1-2ubuntu1/+build/18846484
=> amd64 build log:
https://launchpadlibrarian.net/469373607/buildlog_ubuntu-focal-amd64.icu_66.1-2ubuntu1_BUILDING.txt.gz
In there, you can see the line:
dpkg-source: info: applying CVE-2020-10531.patch
(in this case, you can also see the added testcase, UnicodeStringTest::TestLargeAppend, get exercised as well, confirming the patch application.)
That said, normally the changelog information is trustworthy enough to rely on, but that is how you would validate if you had any concerns about accuracy.
Thanks!