Add a Sphinx role for linking CVEs to the ISC Knowledgebase

The new :cve: Sphinx role takes a CVE number as an argument and creates a hyperlink to the relevant ISC Knowledgebase document that might have more up-to-date or verbose information than the relevant release note. This makes reaching ISC Knowledgebase pages directly from the release notes easier. Make all CVE references in the release notes use the new Sphinx role.
2023-08-31 18:55:36 +02:00
parent c201835719
commit 41b857e567
7 changed files with 51 additions and 13 deletions
--- a/doc/arm/conf.py
+++ b/doc/arm/conf.py
@@ -40,6 +40,44 @@ except ImportError:


 GITLAB_BASE_URL = "https://gitlab.isc.org/isc-projects/bind9/-/"
+KNOWLEDGEBASE_BASE_URL = "https://kb.isc.org/docs/"
+
+
+# Custom Sphinx role enabling automatic hyperlinking to security advisory in
+# ISC Knowledgebase
+class CVERefRole(ReferenceRole):
+    def __init__(self, base_url: str) -> None:
+        self.base_url = base_url
+        super().__init__()
+
+    def run(self) -> Tuple[List[Node], List[system_message]]:
+        cve_identifier = "(CVE-%s)" % self.target
+
+        target_id = "index-%s" % self.env.new_serialno("index")
+        entries = [
+            ("single", "ISC Knowledgebase; " + cve_identifier, target_id, "", None)
+        ]
+
+        index = addnodes.index(entries=entries)
+        target = nodes.target("", "", ids=[target_id])
+        self.inliner.document.note_explicit_target(target)
+
+        try:
+            refuri = self.base_url + "cve-%s" % self.target
+            reference = nodes.reference(
+                "", "", internal=False, refuri=refuri, classes=["cve"]
+            )
+            if self.has_explicit_title:
+                reference += nodes.strong(self.title, self.title)
+            else:
+                reference += nodes.strong(cve_identifier, cve_identifier)
+        except ValueError:
+            error_text = "invalid ISC Knowledgebase identifier %s" % self.target
+            msg = self.inliner.reporter.error(error_text, line=self.lineno)
+            prb = self.inliner.problematic(self.rawtext, self.rawtext, msg)
+            return [prb], [msg]
+
+        return [index, target, reference], []


 # Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs.
@@ -84,6 +122,7 @@ class GitLabRefRole(ReferenceRole):


 def setup(app):
+    roles.register_local_role("cve", CVERefRole(KNOWLEDGEBASE_BASE_URL))
    roles.register_local_role("gl", GitLabRefRole(GITLAB_BASE_URL))
    app.add_crossref_type("iscman", "iscman", "pair: %s; manual page")

--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -4052,8 +4052,7 @@ Tuning
   :short: Sets the resolver's lame cache.

   This is always set to 0. More information is available in the
-   `security advisory for CVE-2021-25219
-   <https://kb.isc.org/docs/cve-2021-25219>`_.
+   security advisory for :cve:`2021-25219`.

 .. namedconf:statement:: servfail-ttl
   :tags: server
--- a/doc/notes/notes-9.19.1.rst
+++ b/doc/notes/notes-9.19.1.rst
@@ -20,7 +20,7 @@ Security Fixes
  DNS-over-HTTPS (DoH) clients. This has been fixed.

  ISC would like to thank Thomas Amgarten from arcade solutions ag for
-  bringing this vulnerability to our attention. (CVE-2022-1183)
+  bringing this vulnerability to our attention. :cve:`2022-1183`
  :gl:`#3216`

 New Features
--- a/doc/notes/notes-9.19.14.rst
+++ b/doc/notes/notes-9.19.14.rst
@@ -17,7 +17,7 @@ Security Fixes

 - The overmem cleaning process has been improved, to prevent the cache from
  significantly exceeding the configured :any:`max-cache-size` limit.
-  (CVE-2023-2828)
+  :cve:`2023-2828`

  ISC would like to thank Shoham Danino from Reichman University, Anat
  Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University,
--- a/doc/notes/notes-9.19.17.rst
+++ b/doc/notes/notes-9.19.17.rst
@@ -18,7 +18,7 @@ Security Fixes
 - Previously, sending a specially crafted message over the control
  channel could cause the packet-parsing code to run out of available
  stack memory, causing :iscman:`named` to terminate unexpectedly.
-  This has been fixed. (CVE-2023-3341)
+  This has been fixed. :cve:`2023-3341`

  ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
  bringing this vulnerability to our attention. :gl:`#4152`
--- a/doc/notes/notes-9.19.5.rst
+++ b/doc/notes/notes-9.19.5.rst
@@ -18,7 +18,7 @@ Security Fixes
 - Previously, there was no limit to the number of database lookups
  performed while processing large delegations, which could be abused to
  severely impact the performance of :iscman:`named` running as a
-  recursive resolver. This has been fixed. (CVE-2022-2795)
+  recursive resolver. This has been fixed. :cve:`2022-2795`

  ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
  Bremler-Barr & Shani Stajnrod from Reichman University for bringing
@@ -27,20 +27,20 @@ Security Fixes
 - When an HTTP connection was reused to request statistics from the
  stats channel, the content length of successive responses could grow
  in size past the end of the allocated buffer. This has been fixed.
-  (CVE-2022-2881) :gl:`#3493`
+  :cve:`2022-2881` :gl:`#3493`

 - Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that
  could be externally triggered, when using TKEY records in DH mode with
-  OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491`
+  OpenSSL 3.0.0 and later versions. :cve:`2022-2906` :gl:`#3491`

 - :iscman:`named` running as a resolver with the
  :any:`stale-answer-client-timeout` option set to ``0`` could crash
  with an assertion failure, when there was a stale CNAME in the cache
-  for the incoming query. This has been fixed. (CVE-2022-3080)
+  for the incoming query. This has been fixed. :cve:`2022-3080`
  :gl:`#3517`

 - Memory leaks were fixed that could be externally triggered in the
-  DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
+  DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178`
  :gl:`#3487`

 New Features
--- a/doc/notes/notes-9.19.9.rst
+++ b/doc/notes/notes-9.19.9.rst
@@ -19,14 +19,14 @@ Security Fixes
  available memory. This flaw was addressed by adding a new
  :any:`update-quota` option that controls the maximum number of
  outstanding DNS UPDATE messages that :iscman:`named` can hold in a
-  queue at any given time (default: 100). (CVE-2022-3094)
+  queue at any given time (default: 100). :cve:`2022-3094`

  ISC would like to thank Rob Schulhof from Infoblox for bringing this
  vulnerability to our attention. :gl:`#3523`

 - :iscman:`named` could crash with an assertion failure when an RRSIG
  query was received and :any:`stale-answer-client-timeout` was set to a
-  non-zero value. This has been fixed. (CVE-2022-3736)
+  non-zero value. This has been fixed. :cve:`2022-3736`

  ISC would like to thank Borja Marcos from Sarenet (with assistance by
  Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
@@ -36,7 +36,7 @@ Security Fixes
  :any:`stale-answer-client-timeout` option set to any value greater
  than ``0`` could crash with an assertion failure, when the
  :any:`recursive-clients` soft quota was reached. This has been fixed.
-  (CVE-2022-3924)
+  :cve:`2022-3924`

  ISC would like to thank Maksym Odinintsev from AWS for bringing this
  vulnerability to our attention. :gl:`#3619`