I reviewed capnproto version 0.5.3-2ubuntu1 as checked into xenial. This should not be considered a full security audit but rather a quick gauge of maintainability.
- There are four CVEs: CVE-2015-2310 CVE-2015-2311 CVE-2015-2312 CVE-2015-2313 These were handled in what is perhaps the finest vendor response I've seen. - capnproto is a serialization and RPC mechanism - Build-Depends: debhelper, gcc, python-all, dpkg-dev, docbook-xsl, docbook-xml, xsltproc, dh-autoreconf, netbase - capnproto does not itself daemonize - No pre/post inst/rm scripts - No initscripts - No dbus services - No setuid binaries - Binaries in path: capnp, capnpc-c++, capnpc-capnp, capnpc symlink - No sudo fragments - No udev rules - No cron jobs - Small tests run during the build - Clean build logs - No subprocesses spawned - Memory management is careful - No file IO - No logging - No environment variables - No privileged operations - No cryptography - Shockingly doesn't appear to do any networking - I did not discover privileged portions of code - No temporary files - No WebKit - No javascript - cppcheck warnings were all false positives - No PolicyKit capnproto is highly complicated code; at one point, a comment even indicates that it's roughly akin to the compiler or C library in intention and complexity. It's also coded with clear discipline and all evidence points to the author's obsession with writing good software. Security team ACK for promoting capnproto to main. Thanks ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2015-2310 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2015-2311 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2015-2312 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2015-2313 ** Changed in: capnproto (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1367551 Title: [MIR] capnproto To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/capnproto/+bug/1367551/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
