I reviewed lmdb 0.9.23-0ubuntu1 as checked into eoan. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
lmdb is a software library that provides a high-performance embedded transactional database in the form of a key-value store.

- No CVE history
- Build-Depends:
  - debhelper
  - doxygen
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- Binaries in PATH:
  - /usr/bin/mdb_copy
  - /usr/bin/mdb_dump
  - /usr/bin/mdb_load
  - /usr/bin/mdb_stat
- No sudo fragments
- No udev rules
- A couple of tests available in the source code:
  - mtest.c: tests for main DB. It's the only test executed during build (./mtest && ./mdb_stat testdb)
  - mtest2.c: tests for subDB
  - mtest3.c: tests for sorted duplicated DBs
  - mtest4.c: tests for sorted duplicated DBs with fixed-size keys
  - mtest5.c: tests for sorted duplicated DBs using cursor_put
  - mtest6.c: tests for DB splits and merges
- No cron jobs
- Build logs:
  - Lots of warnings during build, mostly related to doxygen macro definitions
  - The warnings are attached.
- No processes spawned
- Memory management:
  - Lots of dynamic memory allocation and memory copying. In general they look safe: they are checking for NULL, strings are also NUL terminated and they are freeing memory after use.
- Lots of file IO:
  - Some paths come from argv, but the buffer is allocated dynamically based on the user's input.
- Logging:
  - Binaries in PATH are logging only to stderr
- No environment variable usage
- No use of privileged functions
- No use of cryptography / random number sources
  - srand used in test code
- No use of temp files
- No use of networking
- No use of WebKit
- No use of PolicyKit
- No significant cppcheck results
- Coverity results:
  - Some NULL pointer dereference
  - Some pthread lock not being unlocked
  - Use after free
  - Resource leak
  - Out-of-bounds access
  - I will be forwarding this to upstream to get more feedback if any of them is a high priority issue.
  - Talked to upstream and they confirmed all are false positives.

The code is well maintained and upstream is responsive.
Security team ACK for promoting lmdb to main.

** Attachment added: "build warnings"
   https://bugs.launchpad.net/ubuntu/+source/lmdb/+bug/1833745/+attachment/5275933/+files/log.txt

https://bugs.launchpad.net/bugs/1833745

Title:
  [MIR] required new dependency of appstream

Status in lmdb package in Ubuntu:
  New

Bug description:
  Availability
  ============
  Built for all supported architectures. One upstream release ahead of Debian.

  Rationale
  =========
  Now a required build and runtime dependency of appstream in -proposed in Eoan
  https://github.com/ximion/appstream/commit/358e9394631b87797f56dcb7e09e459b4044e631#commitcomment-33995178
  Quote: "Compiling AppStream without LMDB is not really possible."

  Security
  ========
  No known CVEs.
  https://security-tracker.debian.org/tracker/source-package/lmdb

  Quality assurance
  =================
  - Desktop Packages team is subscribed.
  - dh_auto_test run at build time for supported architectures.
  - No functional outstanding bugs in Ubuntu or Debian. Upstream 'issue' tracker is active.
    https://bugs.launchpad.net/ubuntu/+source/lmdb
    https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=lmdb
    https://www.openldap.org/its/index.cgi/Software%20Bugs?page=1;expression=lmdb;page=1

  Dependencies
  ============
  No universe binary dependencies

  Standards compliance
  ====================
  4.1.5.0, debhelper compat 9

  Maintenance
  ===========
  Actively maintained:
  http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=history;f=libraries/liblmdb;hb=HEAD
  Not team maintained in Debian.
  https://tracker.debian.org/pkg/lmdb