I reviewed libndp version 1.4-2 as checked into vivid. This shouldn't be considered a full security audit but rather a quick gauge of code maintainability.
- libndp provides routines to work with IPv6 neighbor discovery
- Build-Depends: debhelper
- Does not itself daemonize
- Does listen on external interfaces
- Does not itself run as a system user, though real use probably will
- No pre/post inst/rm
- No initscripts
- No dbus services
- No setuid
- /usr/bin/ndptool provides a live monitor of ND packets
- No sudo fragments
- No udev rules
- No cron job
- No test suite
- Clean build logs
- No subprocesses spawned
- Careful memory management
- No files opened
- Logging looked safe
- Environment variable NDP_LOG used to determine log level, looked safe
- No privileged operations
- No cryptography
- Extensive networking
- No privileged portions of code
- No temporary files
- Does not use WebKit
- Does not use PolicyKit
- Clean cppcheck

This code is relatively spartan; there was less sanity-checking of the packet contents than I expected, but error-checking on function calls looks correct. The code looks direct and to the point, and while this is somewhat involved networking code, it looked well-programmed. It's a real pity there are no tests; maintenance on this might be complicated by the relative rarity of full IPv6 deployments, and a test suite would go a long way toward providing some assurance that fixes are applied correctly.

Security team ACK for promoting libndp to main.

Thanks

** Changed in: libndp (Ubuntu)
   Assignee: Seth Arnold (seth-arnold) => (unassigned)

Title: [MIR] libndp
https://bugs.launchpad.net/bugs/1392385