I reviewed libjcat 0.1.3-1 as checked into groovy.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability. Since
libjcat is mostly code that was previously in fwupd, which itself is
already in main, this review is mostly focussed on finding anything
particularly amiss.

libjcat is a library for reading and writing gzip-compressed JSON catalog
files. These catalog files can store GPG/PKCS-7 or SHA-256 checksums for
each file.

- CVE History:
  - CVE-2020-10759 - still unfixed in focal but there are no users of
    libjcat in focal so this is a low priority.
- Build-Depends
  - Uses gnutls / libgpgme11 for crypto / checksums
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - jcat binary package provides /usr/bin/jcat-tool
    - This is used to inspect and modify jcat files from the command-line
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - libjcat includes a pretty extensive test suite that is compiled and run
    during the package build - some basic autopkgtests also exist and I was
    able to run them locally as well
- No cron jobs
- Build logs are clean with no significant warnings / errors

- Doesn't appear to spawn any subprocesses
- Memory management is done via glib APIs using autoptrs etc. and looks
  quite defensive and correct
- File IO uses GIO and is only directly used by jcat-tool
- Logging is done via glib APIs and looks clean / careful
- Environment variables are not read, only set for glib debugging by
  jcat-tool
- No Use of privileged functions
- Uses gnutls for PKCS-7 handling and libgpgme for GPG handling - this
  appears to be done correctly too
- No Use of temp files
- No Use of networking
- No Use of WebKit
- No Use of PolicyKit

- 3 cppcheck errors but this is due to cppcheck not handling GObject/GLib
  API macros properly
- No significant Coverity results

libjcat appears to be well written and maintained, with good code quality
and a good track record of responsible and timely handling of security
issues.

Security team ACK for promoting libjcat to main.


** Tags added: security-review-done

** Changed in: libjcat (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
https://bugs.launchpad.net/bugs/1884003

Title:
  [MIR] libjcat
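As an added illustration of the catalog format the review describes (a gzip-compressed JSON catalog carrying a SHA-256 checksum per file), the following Python is example code written for this page; it is not libjcat's code or its real schema. The key names ("Items", "Id", "Blobs", "Kind", "Data") and the version field are assumptions chosen for the example, as are the sample file contents. It also shows two things a consumer of such a catalog should care about: bounding the decompressed size of an untrusted gzip input, and the fact that a checksum-only catalog proves integrity but not origin, which is what the GPG/PKCS-7 signature blobs are for.

```python
"""Build and verify a gzip-compressed JSON checksum catalog.

Added example for this page, NOT libjcat's code: the JSON key names and
version field below are assumptions chosen for illustration, not the
real jcat schema. Sample file contents are constructed inline.
"""
import gzip
import hashlib
import hmac
import io
import json
from typing import Dict

# Constructed stand-ins for the files a catalog would cover.
SAMPLE_FILES: Dict[str, bytes] = {
    "firmware.bin": b"\x7fFW\x00 constructed firmware image for the example",
    "metadata.xml": b"<component><id>com.example.device</id></component>",
}

# Upper bound on the decompressed catalog; the gzip container is
# untrusted input, so never decompress it without a limit.
MAX_CATALOG_BYTES = 1 << 20


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_catalog(files: Dict[str, bytes]) -> bytes:
    """Return a gzip-compressed JSON catalog with one SHA-256 blob per file.

    Assumed layout:
      {"Version": 1, "Items": [{"Id": name,
                                "Blobs": [{"Kind": "sha256", "Data": hex}]}]}
    """
    items = [
        {"Id": name, "Blobs": [{"Kind": "sha256", "Data": sha256_hex(blob)}]}
        for name, blob in sorted(files.items())
    ]
    doc = {"Version": 1, "Items": items}
    return gzip.compress(json.dumps(doc, separators=(",", ":")).encode("utf-8"))


def load_catalog(catalog: bytes) -> dict:
    """Decompress and parse the catalog with a hard size limit.

    Reading MAX_CATALOG_BYTES + 1 and checking the length rejects a
    decompression bomb before the whole stream is expanded in memory.
    """
    with gzip.GzipFile(fileobj=io.BytesIO(catalog)) as gz:
        raw = gz.read(MAX_CATALOG_BYTES + 1)
    if len(raw) > MAX_CATALOG_BYTES:
        raise ValueError("catalog exceeds size limit after decompression")
    doc = json.loads(raw.decode("utf-8"))
    if not isinstance(doc, dict) or not isinstance(doc.get("Items"), list):
        raise ValueError("catalog has no Items list")
    return doc


def verify_files(catalog: bytes, files: Dict[str, bytes]) -> Dict[str, str]:
    """Check every catalog entry against the supplied file contents.

    Returns {name: status} with status one of "ok", "mismatch",
    "no-checksum" or "missing".  Only "sha256" blobs are considered.
    Caveat: matching checksums prove the files are the ones the catalog
    describes, not that the catalog came from the expected publisher;
    that binding is what a GPG/PKCS#7 signature blob provides.
    """
    results: Dict[str, str] = {}
    for item in load_catalog(catalog)["Items"]:
        name = str(item.get("Id", "?"))
        expected = [
            b["Data"]
            for b in item.get("Blobs", [])
            if b.get("Kind") == "sha256" and isinstance(b.get("Data"), str)
        ]
        if name not in files:
            results[name] = "missing"
        elif not expected:
            results[name] = "no-checksum"
        elif any(hmac.compare_digest(sha256_hex(files[name]), e) for e in expected):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


if __name__ == "__main__":
    cat = build_catalog(SAMPLE_FILES)
    print("pristine:", verify_files(cat, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES)
    tampered["firmware.bin"] += b"\x00"  # one appended byte is enough
    print("tampered:", verify_files(cat, tampered))
```

Run it directly to see the pristine set verify and the tampered firmware image report "mismatch"; `hmac.compare_digest` is used for the hex comparison out of habit rather than necessity, since the digests here are not secrets.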
