I reviewed libjcat 0.1.3-1 as checked into groovy. This shouldn't be considered a full audit but rather a quick gauge of maintainability. Since libjcat is mostly code that was previously in fwupd, which itself is already in main, this review is mostly focussed on finding anything particularly amiss.
libjcat is a library for reading and writing gzip-compressed JSON catalog files. These catalog files can store GPG/PKCS-7 or SHA-256 checksums for each file.

- CVE History:
  - CVE-2020-10759 - still unfixed in focal but there are no users of libjcat in focal so this is a low priority.
- Build-Depends
  - Uses gnutls / libgpgme11 for crypto / checksums
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - jcat binary package provides /usr/bin/jcat-tool
  - This is used to inspect and modify jcat files from the command-line
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - libjcat includes a pretty extensive test suite that is compiled and run during the package build
  - some basic autopkgtests also exist and I was able to run them locally as well
- No cron jobs
- Build logs are clean with no significant warnings / errors
- Doesn't appear to spawn any subprocesses
- Memory management is done via glib APIs using autoptr's etc and looks quite defensive and correct
- File IO uses GIO and is only directly used by jcat-tool
- Logging is done via glib APIs and looks clean / careful
- Environment variables are not read, only set for glib debugging by jcat-tool
- No Use of privileged functions
- Uses gnutls for PKCS-7 handling and libgpgme for GPG handling - this appears to be done correctly too
- No Use of temp files
- No Use of networking
- No Use of WebKit
- No Use of PolicyKit
- 3 cppcheck errors but this is due to cppcheck not handling GOBJECT/Glib API macros properly
- No significant Coverity results

libjcat appears to be well written and maintained, with good code quality and a good track record of responsible and timely handling of security issues.

Security team ACK for promoting libjcat to main.
** Tags added: security-review-done

** Changed in: libjcat (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

--
https://bugs.launchpad.net/bugs/1884003
Title: [MIR] libjcat