I reviewed swift-plugin-s3 version 1.11-2 as checked into zesty. This shouldn't be considered a security audit but rather a quick gauge of maintainability.
All the files appear to be python2.7, even though 'six' is used.

- CVE-2015-8466 -- they were a little shaky on the process since they're not getting official OpenStack security support, but the patch is impressive, with ~90kb of fixes to test cases.
- swift-plugin-s3 is a middleware layer that interprets s3 requests and translates them to swift requests. It's a fairly complicated glue layer between two already complicated APIs that runs on top of HTTP.
- Build-Depends: debhelper, dh-python, openstack-pkg-tools, python-all, python-pbr, python-setuptools, python-sphinx, python-boto, python-coverage, python-fixtures, python-hacking, python-lxml, python-mock, python-nose, python-nose-exclude, python-openstack.nose-plugin, python-openstackclient, python-requests, python-requests-mock, python-six, python-swift
- Uses md5, sha256 from hashlib, does not itself provide cryptography
- Uses wsgi
- Does not appear to daemonize outside of tests
- pre/post inst/rm automatically added by dh_python2
- No init scripts
- No dbus service
- No setuid or setgid executables
- No binaries in PATH
- No sudo fragments
- No udev rules
- Huge test suite run during the build (seriously, it's impressive; 79%-100% test 'coverage' per file using line-based coverage counting; roughly three times as many lines of code in the tests as in the bulk of the program).
- No cronjobs
- Build log is mostly boilerplate and test output
- No subprocesses spawned
- No file management
- Simple logging
- No environment variables used outside of the tests
- No privileged syscalls used
- The only cryptography used is hash functions
- I believe the only networking is done via wsgi
- As a middleware layer it's hard to follow the full path of network packet inputs; code looked careful but not paranoid.
- No use of /tmp
- No WebKit
- No javascript
- No PolicyKit

This is complicated code. We'd need upstream's help to support this package.
That said, it looked well written, the test suite's size is impressive, and the one CVE in their history appeared to be handled well despite an uncertain start.

Here's the only note I took while reading:

- _validate_expire_param() hard-codes a year-2038 bug into the program

Security team ACK for promoting swift-plugin-s3 to main.

Thanks

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8466

** Changed in: swift-plugin-s3 (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
https://bugs.launchpad.net/bugs/1592465

Title:
  [MIR] swift-plugin-s3

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
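The review above flags a year-2038 bug in the expiry check for presigned S3 URLs but does not show what such a bug looks like. The following is an added, illustrative example and is not swift-plugin-s3's own code: it shows a hypothetical `Expires` validator whose upper bound is hard-coded to the largest 32-bit signed `time_t` (2038-01-19 03:14:07 UTC), next to a version that bounds the lifetime relative to the current time instead. The function names, the 7-day maximum lifetime and the constructed timestamps are all assumptions made for this example.

```python
"""Illustrative check of an S3 presigned-URL 'Expires' query parameter.

Added example, not code from swift-plugin-s3: contrasts an upper bound
hard-coded to the 32-bit signed time limit (a year-2038 bug) with a
bound expressed relative to the current time.
"""

# 2**31 - 1 seconds after the Unix epoch: 2038-01-19 03:14:07 UTC.
MAX_32BIT_TIME = 2147483647


def _parse_expires(expires):
    """Return the Expires value as an int, or None if it is not an integer."""
    try:
        return int(expires)
    except (TypeError, ValueError):
        return None


def validate_expires_32bit(expires, now):
    """Hypothetical 'before' form with the year-2038 bug.

    Any Expires larger than MAX_32BIT_TIME is rejected, so a URL minted
    after the rollover with a perfectly normal 10-minute lifetime is
    refused even though it has not expired.
    """
    ex = _parse_expires(expires)
    if ex is None or ex < 0 or ex > MAX_32BIT_TIME:
        return False
    return ex >= now


def validate_expires(expires, now, max_lifetime=7 * 24 * 3600):
    """Hypothetical hardened form with no fixed calendar ceiling.

    Rejects non-integers, negatives and timestamps already in the past,
    and caps how far into the future a URL may be valid relative to
    'now' (7 days here, an assumption for the example) so that an
    attacker cannot present an effectively non-expiring signed URL.
    """
    ex = _parse_expires(expires)
    if ex is None or ex < 0 or ex < now:
        return False
    return ex - now <= max_lifetime


if __name__ == "__main__":
    # Constructed timestamps: a request made 100 seconds after the 2038
    # rollover, carrying a URL that expires 10 minutes later.
    now_2038 = MAX_32BIT_TIME + 100
    expires_2038 = str(now_2038 + 600)
    print("32-bit bound accepts valid 2038 URL:",
          validate_expires_32bit(expires_2038, now_2038))
    print("relative bound accepts valid 2038 URL:",
          validate_expires(expires_2038, now_2038))
```

Run stand-alone, the module prints `False` for the hard-coded bound and `True` for the relative one on the same valid post-2038 URL; both functions agree on pre-2038 inputs, expired URLs and malformed values, which is why a test suite written against present-day timestamps would not catch the difference.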