I reviewed php-json version 1.3.2-2 as checked into trusty. This should not be considered a full security audit, but rather a quick gauge of maintainability.
One of the dependencies of php-json is in universe, pkg-php-tools, not main. pkg-php-tools needs to be addressed before php-json can be promoted.

- php-json provides a JSON parser for use in PHP programs
- Depends upon ucf, libjson-c2, php5
- Build-depends upon php5, pkg-config, pkg-php-tools, libjson-c-dev
- Does not daemonize
- Does not itself listen on the network
- Intended uses include handling untrusted network input in an always-on fashion
- Package pre/post install/delete scripts clean up after each other
- No initscripts
- No Dbus services
- No setuid
- No binaries in /bin, /sbin, /usr/bin, /usr/sbin
- No sudoers
- No udev rules
- No cronjobs
- Good tests run in build
- Clean build logs
- No subprocesses spawned
- Memory management looked safe
- Files that are opened for reading and writing are under control of API users
- Logging looked safe
- No use of environment variables
- No management of privileges
- Does not perform networking itself
- No encryption
- No SQL
- No tmp files
- No WebKit
- No PolicyKit

php-json is some complicated code; a large portion consists of an entirely hand-written combined lexer/parser written as a state machine rather than as a recursive descent parser (which would be easier to write by hand than a state machine). So while I have suspicions that problems may exist in the parsing code by the sheer complexity of it, it is well-written and should be maintainable. The included tests lend to supporting the package.

Security team ACK for promoting php-json to main. No investigation into pkg-php-tools has been made.

Thanks

** Changed in: php-json (Ubuntu)
   Assignee: Seth Arnold (seth-arnold) => (unassigned)
https://bugs.launchpad.net/bugs/1242726

Title: [MIR] php5-common is missing dependency on php5-json