I reviewed libfyaml 0.9.2-1 as checked into resolute. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
libfyaml is a fully-featured YAML 1.2 and JSON parser/writer with
zero-copy operation.
- CVE History
  - No CVEs reported so far
- Build-Depends
  - Nothing worthy of attention.
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/fy-tool
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - The package appears to have a comprehensive test suite. The test
    suite is run at build time. Packaging fails in case any test
    fails.
- No cron jobs
- Build logs
  - Nothing meaningful to report
- No processes spawned
- Memory management
  - Memory management seems to be done properly. Return values
    are properly checked and I did not see any low hanging fruit
    anywhere.
- File IO
  - The library performs file I/O operations with the purpose of
    reading and writing a YAML file. This is expected by the nature of
    the library and I did not find anything worth reporting.
- Logging
  - Debug prints are only performed if FY_DEVMODE is defined. This is
    not the case for the release builds.
  - Diagnostic output is performed through the use of the fy_diag
    struct whose default configuration emits its output via stderr.
    The diag abstraction uses format functions but I did not find
    anything problematic there.
- Environment variable usage
  - The library uses some environment variables for the purpose of
    testing with valgrind. Nothing to be reported here.
- No use of privileged functions
- No use of cryptography / random number sources etc
- No use of temp files
- No use of networking
- No use of WebKit
- No use of PolicyKit
- Any significant cppcheck results
  - There is one possible memory leak in function
    fy_emitter_create_str_internal() worth investigating. All
    invocations I managed to check do not seem to satisfy the necessary
    conditions to trigger the memory leak.
- Any significant Coverity results
  - No Coverity results
- Any significant shellcheck results
  - A lot of false positives related to the test suite.
- No significant bandit results
- No significant govulncheck results
- No significant Semgrep results
The library seems to be well written and quite easy to read.
Security team ACK for promoting libfyaml to main.
** Changed in: libfyaml (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/2131216
Title:
[MIR] libfyaml
desktop-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs