CVE links in the updater are invalid

Bug #1374715 reported by George Bateman
Affects: update-manager (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Brian Murray

Bug Description

The auto-updater was asking for permission to update Bash. The "Changes" message was as follows:
Changes for bash versions:
Installed version: 4.3-7ubuntu1.3
Available version: 4.3-7ubuntu1.4

Version 4.3-7ubuntu1.4:

  * SECURITY UPDATE: out-of-bounds memory access
    - debian/patches/CVE-2014-718x.diff: guard against overflow and fix
      off-by-one in parse.y and y.tab.c.
    - CVE-2014-7186
    - CVE-2014-7187
  * SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
    - debian/patches/variables-affix.diff: add prefixes and suffixes in
      variables.c.

Each CVE link went to a URL such as http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-7186. This is an error page which states that the CVE_ID is invalid. I would have expected to see a bug description of some sort.
Manually changing the URL to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 changed the error message, which now claims the ID is valid but unrecognised. I assume this is for the reason suggested, that the problem has not been uploaded, and that this is now the correct URL.
Does the code that generates the links need to include "CVE-" in the URLs?

I assume that this will apply to all updates, not just Bash, but I can't yet verify this.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: update-manager 1:0.196.12
ProcVersionSignature: Ubuntu 3.13.0-36.63-generic 3.13.11.6
Uname: Linux 3.13.0-36-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.4
Aptdaemon:

Architecture: amd64
CurrentDesktop: Unity
Date: Sat Sep 27 10:40:34 2014
ExecutablePath: /usr/bin/update-manager
GsettingsChanges:
 b'com.ubuntu.update-manager' b'show-details' b'true'
 b'com.ubuntu.update-manager' b'window-height' b'1000'
 b'com.ubuntu.update-manager' b'first-run' b'false'
 b'com.ubuntu.update-manager' b'window-width' b'1215'
 b'com.ubuntu.update-manager' b'launch-time' b'1411810242'
InstallationDate: Installed on 2014-07-31 (57 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
InterpreterPath: /usr/bin/python3.4
PackageArchitecture: all
SourcePackage: update-manager
UpgradeStatus: No upgrade log present (probably fresh install)

Brian Murray (brian-murray) wrote :

Although both links work for me according to the CVE website, CVE identifiers include the characters CVE so I think we should be including them in the URL.

https://cve.mitre.org/cve/identifiers/syntaxchange.html#new

"The new CVE-ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits"

Changed in update-manager (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Brian Murray (brian-murray)
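The prefix rule Brian quotes, worked through as an added Python example (not update-manager's own ChangelogViewer code): it pulls the CVE identifiers out of the bash changelog quoted in the report and builds the cvename.cgi lookup URL with the "CVE-" prefix that the reported links dropped. The sample changelog is constructed from the description above.

```python
import re

# MITRE's current syntax: "CVE" prefix, a four-digit year, then four or more digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")
CVE_URL = "http://cve.mitre.org/cgi-bin/cvename.cgi?name="


def find_cves(changelog: str) -> list[str]:
    """Return the distinct CVE identifiers in order of first appearance.

    Patch file names such as CVE-2014-718x.diff are skipped because the
    sequence part is not all digits.
    """
    found = []
    for match in CVE_RE.finditer(changelog):
        ident = match.group(0)
        if ident not in found:
            found.append(ident)
    return found


def cve_url(ident: str) -> str:
    """Build the MITRE lookup URL for one identifier.

    The reported links put only "2014-7186" after name=, which MITRE rejects
    as an invalid CVE_ID, so the prefix is required here rather than stripped.
    """
    if not CVE_RE.fullmatch(ident):
        raise ValueError("not a CVE identifier: %r" % ident)
    return CVE_URL + ident


def linkify(changelog: str) -> str:
    """Append the lookup URL in angle brackets after every CVE identifier."""
    return CVE_RE.sub(lambda m: "%s <%s%s>" % (m.group(0), CVE_URL, m.group(0)), changelog)


# Constructed sample: the bash changelog quoted in the bug description.
SAMPLE_CHANGELOG = """\
  * SECURITY UPDATE: out-of-bounds memory access
    - debian/patches/CVE-2014-718x.diff: guard against overflow and fix
      off-by-one in parse.y and y.tab.c.
    - CVE-2014-7186
    - CVE-2014-7187
"""

if __name__ == "__main__":
    for ident in find_cves(SAMPLE_CHANGELOG):
        print(ident, "->", cve_url(ident))
```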
George Bateman (george-bateman16) wrote :

Both links now work for me. I imagine that invalid links are allowed if and only if there is a CVE with the correct code, which would explain why this bug wasn't picked up in testing.
Nonetheless, I still think that we should add "CVE-" to ensure that the correct error messages are shown even before the CVE is uploaded.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:14.10.6

---------------
update-manager (1:14.10.6) utopic; urgency=medium

  * UpdateManager/ChangelogViewer.py: update URL for CVEs (LP: #1374715)
 -- Brian Murray <email address hidden> Tue, 30 Sep 2014 10:17:13 -0700

Changed in update-manager (Ubuntu):
status: Triaged → Fix Released
George Bateman (george-bateman16) wrote :

Thanks!
