I reviewed libdeflate 1.7-1 as checked into hirsute. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
libdeflate is a compression/decompression library for the Deflate
compression algorithm, along with associated command line tools. It is
written in C and does not provide any other language bindings.
- There does not appear to be any vulnerability history for libdeflate.
- The only odd build dependency is that it includes zlib1g-dev, but it
appears to use this for test comparisons.
- No pre/post inst/rm scripts.
- No init scripts.
- No systemd units.
- No dbus services.
- No setuid binaries.
- binaries in PATH:
libdeflate-tools adds libdeflate-g{,un}zip to path.
- No sudo fragments.
- No polkit files.
- No udev rules.
- A set of unit tests that exercise aspects of the library interface
are included, as well as options for running under valgrind plus afl
fuzzing support. The unit tests are run during the package build.
There is one autopkgtest, a very simple limited smoke test.
- No cron jobs.
- Build logs:
- Several "profile count data file not found [-Wmissing-profile]"
compiler warnings as mentioned in the primary MIR review.
- No apparent processes spawned.
- Memory management is okay.
- For file I/O, the library expects users of the library to handle this.
The wrapper tools provided look okay, containing file handling in
a pair of helper functions.
- For logging, as a shared library it does not do any logging itself,
again relying on calling programs to log. The logging by programs is
to stderr and looks fine.
- The only environment variable usage is in test situations.
- The only use of privileged functions is by the tools to restore
permissions/ownership on the newly compressed or uncompressed file.
- No use of cryptography / random number sources (srand() is used for
test data generation).
- No use of temp files.
- No use of networking.
- No use of WebKit.
- No use of PolicyKit.
- No cppcheck findings, the only coverity issue in non-test code was
that the return value for posix_fadvise() was not checked in the
tools, not a severe issue.
Security team ACK for promoting libdeflate to main.
** Changed in: libdeflate (Ubuntu Hirsute)
Status: New => In Progress
** Changed in: libdeflate (Ubuntu Hirsute)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/1908502
Title:
[MIR] libdeflate
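The review above notes two things about the command line tools: they use privileged calls to restore ownership and permissions on the newly written file, and Coverity flagged an unchecked posix_fadvise() return value. The following is an added example, not libdeflate's code and not part of the review, showing how a gzip-style tool can do both safely: metadata is copied with fd-based calls (fstat/fchown/fchmod on the open descriptors, so there is no path lookup race), fchown() failing with EPERM for an unprivileged user is tolerated but then the setuid/setgid bits are dropped rather than handed to the wrong owner, and posix_fadvise() has its return value checked. The scratch files under /tmp and the 0640 test mode are constructed for the demonstration.

```c
/* Added example (not libdeflate's code): restore input file ownership
 * and permissions onto the output of a compression tool, using fd-based
 * calls, and check posix_fadvise() instead of dropping its result. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy owner, group and permission bits from in_fd to out_fd.
 * Returns 0 on success, -1 on failure with errno set.
 * Ownership is restored before the mode because chown() may clear
 * setuid/setgid bits. An unprivileged caller cannot change ownership,
 * so EPERM from fchown() is tolerated (the file stays owned by the
 * caller); in that case the setuid/setgid bits are stripped so a bit
 * meant for the original owner is never applied to a different one. */
static int restore_metadata(int in_fd, int out_fd)
{
    struct stat st;
    mode_t mode;

    if (fstat(in_fd, &st) != 0)
        return -1;
    mode = st.st_mode & 07777;

    if (fchown(out_fd, st.st_uid, st.st_gid) != 0) {
        if (errno != EPERM)
            return -1;
        mode &= ~(mode_t)(S_ISUID | S_ISGID);
    }
    return fchmod(out_fd, mode);
}

/* Advise the kernel that in_fd will be read sequentially. Unlike most
 * POSIX calls, posix_fadvise() returns the error number directly rather
 * than setting errno; the value is checked and reported, not ignored. */
static int advise_sequential(int in_fd)
{
    int err = posix_fadvise(in_fd, 0, 0, POSIX_FADV_SEQUENTIAL);
    if (err != 0)
        fprintf(stderr, "posix_fadvise: %s\n", strerror(err));
    return err;
}

/* Self-contained check using constructed scratch files: give the input
 * mode 0640, restore metadata onto the output, and return the output's
 * permission bits (octal 0640 == 416 on success), or -1 on error. */
static int demo_restore(void)
{
    char in_path[] = "/tmp/mir_in_XXXXXX";   /* assumed writable tmpdir */
    char out_path[] = "/tmp/mir_out_XXXXXX";
    struct stat st;
    int in_fd, out_fd, result = -1;

    in_fd = mkstemp(in_path);
    out_fd = mkstemp(out_path);
    if (in_fd < 0 || out_fd < 0)
        goto out;
    if (fchmod(in_fd, 0640) != 0)
        goto out;
    if (advise_sequential(in_fd) != 0)
        goto out;
    if (restore_metadata(in_fd, out_fd) != 0)
        goto out;
    if (fstat(out_fd, &st) != 0)
        goto out;
    result = (int)(st.st_mode & 07777);
out:
    if (in_fd >= 0) { close(in_fd); unlink(in_path); }
    if (out_fd >= 0) { close(out_fd); unlink(out_path); }
    return result;
}

int main(void)
{
    int mode = demo_restore();
    if (mode < 0) {
        perror("demo_restore");
        return 1;
    }
    printf("output mode: %04o\n", mode);
    return mode == 0640 ? 0 : 1;
}
```

Run as an ordinary user the fchown() succeeds (same uid/gid) and the output ends up 0640; when the tool runs as root over a file owned by someone else, the same code hands ownership back to that user before the mode is applied, which is the only place a tool like this needs privilege.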