I reviewed libestr version 0.1.9-0ubuntu1 as checked into trusty. This should not be considered a full security audit, but instead a quick gauge of code quality.
Thanks for the fast upgrade.

- libestr provides a (length, data) string object and associated functions for C to address the anemic standard C string handling routines. It provides its own versions of many of the C standard routines.
- Build-depends upon autotools
- No networking
- No cryptography
- No daemons
- No pre/post inst/rm scripts
- No init scripts
- No dbus services
- No setuid binaries
- No binaries
- No sudo fragments
- No udev rules
- No cron jobs
- Clean build logs
- No test suite; the last several releases have changelog entries that indicate problems that would have been found with even small, functionality-only, unit test suites.
- No spawned subprocesses
- Sane memory management
- No file IO
- No logging
- No environment variables
- No privileged operations
- No cryptography
- No networking
- No temporary files
- No WebKit
- No JavaScript
- No PolicyKit

The code is decent enough, though some fairly simple coding errors have been fixed in the last few releases, and while auditing 0.1.9 I discovered that flaws fixed in a previous release were not completely repaired.

This code is not suitable for use with completely arbitrary inputs; there are no preventions in place for signed integer overflows. This library is intended to handle human-sized strings, not fully arbitrary inputs. This might be fine for e.g. rsyslog, which is unlikely to ever handle an input larger than Ethernet's MTU of 1500 or 9000 bytes, give or take, but other code may not understand the limitations of this library. Billions of bytes is outright not acceptable.

This code sorely needs a test suite. In the 0.1.5 version, I found three or four different faults in one function, and the newer 0.1.9 version had only fixed one of the problems. At least two of the faults would have been discovered by only simple tests.
A similar story exists for a different function (also from the older 0.1.5 version), with a significant functional bug and a further limitation that would have been obvious to a test suite author.

There's little enough code here that we can take on maintenance of this codebase if necessary, but I fear that the complete lack of testing might freeze a broken ABI in place for years to come. We should prepare a test suite for this package well in advance of code freeze. (I know we don't block MIR requests for missing test suites, and I expect it feels like I'm harping on about this, but I feel that some of the code in this library has never been executed and had its output examined.)

Security team ACK for including in main despite the above.

Thanks

https://bugs.launchpad.net/bugs/1242561
Title: [MIR] libestr
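As an added illustration of the two points the review makes (length arithmetic that is not protected against overflow, and the value of even a tiny functionality test), the following is a hypothetical (length, data) string object with an overflow-checked append and a self-test. This is example code written for this page; it is not libestr's es_str_t nor any code from the package, and the type name, function names and the LENSTR_MAX bound are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical length-prefixed string object (not libestr's own type). */
typedef struct {
    size_t len;           /* bytes in use */
    size_t cap;           /* bytes allocated behind data */
    unsigned char *data;  /* not NUL-terminated; len is authoritative */
} lenstr_t;

/* Hard upper bound on string size (assumed value, 1 GiB). A library meant
 * for human-sized strings should refuse inputs past such a bound rather
 * than let its length arithmetic wrap. Using size_t (unsigned) also avoids
 * the signed-overflow undefined behaviour the review warns about. */
#define LENSTR_MAX ((size_t)1 << 30)

/* Allocate a string with the given initial capacity; NULL on failure or
 * if the requested capacity exceeds LENSTR_MAX. */
lenstr_t *lenstr_new(size_t cap) {
    if (cap > LENSTR_MAX) return NULL;
    lenstr_t *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->data = malloc(cap ? cap : 1);
    if (!s->data) { free(s); return NULL; }
    s->len = 0;
    s->cap = cap;
    return s;
}

void lenstr_free(lenstr_t *s) {
    if (!s) return;
    free(s->data);
    free(s);
}

/* Append n bytes from buf. Returns 0 on success, -1 on overflow, bad
 * arguments or allocation failure. On failure the string is unchanged. */
int lenstr_append(lenstr_t *s, const unsigned char *buf, size_t n) {
    if (!s || (!buf && n)) return -1;
    /* Overflow-safe check: compare n with the remaining headroom instead
     * of computing s->len + n first, which could wrap. */
    if (n > LENSTR_MAX - s->len) return -1;
    size_t need = s->len + n;  /* cannot wrap: need <= LENSTR_MAX */
    if (need > s->cap) {
        size_t newcap = s->cap ? s->cap : 16;
        while (newcap < need) {
            /* Doubling is capped so newcap itself never passes LENSTR_MAX. */
            if (newcap > LENSTR_MAX / 2) { newcap = LENSTR_MAX; break; }
            newcap *= 2;
        }
        unsigned char *p = realloc(s->data, newcap);
        if (!p) return -1;
        s->data = p;
        s->cap = newcap;
    }
    memcpy(s->data + s->len, buf, n);
    s->len = need;
    return 0;
}

/* Length-aware equality: compares len first so no read runs past the
 * shorter string. Returns 1 if equal, 0 otherwise. */
int lenstr_equals(const lenstr_t *a, const lenstr_t *b) {
    if (!a || !b || a->len != b->len) return 0;
    return a->len == 0 || memcmp(a->data, b->data, a->len) == 0;
}

/* The kind of small, functionality-only test the review asks for.
 * Returns the number of failed checks (0 means all passed). */
int lenstr_selftest(void) {
    int failures = 0;
    lenstr_t *s = lenstr_new(4);
    lenstr_t *t = lenstr_new(0);
    if (!s || !t) return 1;
    /* Growth across the initial capacity must preserve earlier bytes. */
    if (lenstr_append(s, (const unsigned char *)"hello", 5) != 0) failures++;
    if (lenstr_append(s, (const unsigned char *)" world", 6) != 0) failures++;
    if (s->len != 11 || memcmp(s->data, "hello world", 11) != 0) failures++;
    /* An absurd length must be rejected and leave the string untouched. */
    if (lenstr_append(s, s->data, SIZE_MAX) != -1 || s->len != 11) failures++;
    /* Equality must respect length, not stop at an embedded NUL. */
    if (lenstr_append(t, (const unsigned char *)"hello world", 11) != 0) failures++;
    if (!lenstr_equals(s, t)) failures++;
    if (lenstr_append(t, (const unsigned char *)"\0", 1) != 0) failures++;
    if (lenstr_equals(s, t)) failures++;
    lenstr_free(s);
    lenstr_free(t);
    return failures;
}

int main(void) {
    int f = lenstr_selftest();
    printf("lenstr self-test: %d failure(s)\n", f);
    return f ? 1 : 0;
}
```

The self-test exercises exactly the cases the review says a trivial suite would have caught: growth past the initial allocation, rejection of an oversized append, and a comparison that depends on the stored length rather than on a terminator.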