I reviewed libonig 6.9.5-2 as checked into groovy. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
libonig (or Oniguruma) is a regular expression library. It supports different encodings.

- CVE History:
  - libonig has been assigned 13 CVEs since 2017. All those CVEs were fixed by upstream in a timely manner.
  - As one would expect, most of the issues were in the processing of regexes, which could cause DoS, arbitrary code execution or even information leakage.
  - Since the beginning of the year the project has been part of oss-fuzz and a lot of fixes have been applied.
- Build-Depends
  - debhelper-compat
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- Unit tests / autopkgtests
  - There are 7 tests under test/ and 13 under sample/ that are run during build time, as mentioned previously.
  - Under sample, it tests parsing regex from SQL, POSIX and others.
- No cron jobs
- Build logs:
  - regparse.c:413:24: warning: pfetch_prev may be used uninitialized in this function [-Wmaybe-uninitialized]
  - regparse.c:3576:53: warning: c may be used uninitialized in this function [-Wmaybe-uninitialized]
  - This might end up triggering FTBFS.
- No processes spawned
- Lots of memory management
  - Mostly uses xmalloc, xrealloc and other xFUNCTIONS.
- File IO
  - A file IO in src/st.c, seems ok.
  - Also in harnesses/base.c, lgtm.
- No logging
- No environment variable usage
- No use of privileged functions
- No use of cryptography / random number sources
- Use of temp files
  - only used in src/st.c, not much file IO.
- No use of networking
- No use of WebKit
- No use of PolicyKit
- Coverity results:
  - 17 high issues, most of them seem like real issues, we will be reporting them to upstream.
  - we don't think those issues should prevent this MIR moving forward.
- No significant cppcheck results, seem all false positives.
- A bunch of shellcheck results, but none in code that users probably make use of.
The code has matured a lot in the past months, but still it is a regex library and as always regexes can be tricky, so issues might still come up.

Security team ACK for promoting libonig to main.

** Tags added: security-review-done

** Changed in: libonig (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1889248

Title: [MIR] mdevctl, jq, libonig