I reviewed capnproto version 0.5.3-2ubuntu1 as checked into xenial. This should not be considered a full security audit but rather a quick gauge of maintainability.

- There are four CVEs: CVE-2015-2310 CVE-2015-2311 CVE-2015-2312 CVE-2015-2313
  These were handled in what is perhaps the finest vendor response I've seen.
- capnproto is a serialization and RPC mechanism
- Build-Depends: debhelper, gcc, python-all, dpkg-dev, docbook-xsl, docbook-xml, xsltproc, dh-autoreconf, netbase
- capnproto does not itself daemonize
- No pre/post inst/rm scripts
- No initscripts
- No dbus services
- No setuid binaries
- Binaries in path: capnp, capnpc-c++, capnpc-capnp, capnpc symlink
- No sudo fragments
- No udev rules
- No cron jobs
- Small tests run during the build
- Clean build logs

- No subprocesses spawned
- Memory management is careful
- No file IO
- No logging
- No environment variables
- No privileged operations
- No cryptography
- Shockingly doesn't appear to do any networking
- I did not discover privileged portions of code
- No temporary files
- No WebKit
- No javascript
- cppcheck warnings were all false positives
- No PolicyKit

capnproto is highly complicated code; at one point, a comment even indicates that it's roughly akin to the compiler or C library in intention and complexity. It's also coded with clear discipline and all evidence points to the author's obsession with writing good software.

Security team ACK for promoting capnproto to main.

Thanks

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2310

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2311

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2312

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2313

** Changed in: capnproto (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1367551

Title:
  [MIR] capnproto

Status in capnproto package in Ubuntu:
  New

Bug description:
  Can we please include this in main? unity-scopes-api has a dependency on capnproto.

  Source and bug tracking for this are here:

  https://github.com/kentonv/capnproto

  There are no dependencies other than C++ 11 (gcc 4.7 or later work).

