I reviewed libsodium version 1.0.8-5 as checked into xenial, looking for
any deviations from Seth's original review since this is a different
version.

- No CVE history in our database
- libsodium provides a programmer- and packager-friendly library around
  the NaCl family of cryptography APIs.
- Depends: debhelper, pkg-config, dh-autoreconf
- Does not itself do networking
- Extensive cryptography
- Does not daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuid files
- No binaries in the PATH
- No sudo fragments
- No udev rules
- A test suite is run during the build
- No cron jobs
- Clean build logs

- No subprocesses spawned
- Memory management is very careful.
- Does not itself do file IO beyond /dev/random or /dev/urandom
- No logging
- No environment variable use
- No privileged functions
- No networking
- No privileged portions of code
- No temp files
- No WebKit
- No PolKit
- Extensive cppcheck warnings; manual inspection of randomly selected
  issues suggests failings in cppcheck (it doesn't understand uint128_t and
  assumes it is 32 bits wide, so it falsely flags shifts of this type by
  32 bits or more as errors)

Security team ACK for promoting libsodium to main for Xenial / Trusty.


** Changed in: libsodium (Ubuntu Trusty)
       Status: New => In Progress

** Changed in: libsodium (Ubuntu Xenial)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1621386

Title:
  [MIR] libsodium

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
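The cppcheck false positive noted in the review above (shifts of a 128-bit type by 32 bits or more) can be checked directly. The following is an added illustration, not libsodium's code: it uses the GCC/Clang `unsigned __int128` extension (an assumption) to compute a full 64x64-bit product and split it with `>> 64`, which is well defined for a 128-bit type and only looks wrong to a checker that models the type as 32 bits wide.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed: GCC/Clang extension. libsodium's own typedef name is not used here. */
typedef unsigned __int128 u128;

/* Full 64x64 -> 128-bit product, the usual building block of
 * multiprecision field arithmetic. */
static u128 mul64(uint64_t a, uint64_t b)
{
    return (u128)a * b;
}

/* High and low 64-bit halves of a 128-bit value. The shift by 64 is
 * valid for a 128-bit operand; a checker that believes the operand is
 * 32 bits wide reports it as an out-of-range shift. */
static uint64_t hi64(u128 x) { return (uint64_t)(x >> 64); }
static uint64_t lo64(u128 x) { return (uint64_t)x; }

/* Recompose the halves and compare with the original product.
 * Returns 1 when the split/join round-trips, 0 otherwise. */
static int check_split(uint64_t a, uint64_t b)
{
    u128 p = mul64(a, b);
    u128 r = ((u128)hi64(p) << 64) | lo64(p);
    return r == p;
}

int main(void)
{
    /* Constructed sample: (2^64 - 1)^2 = 2^128 - 2^65 + 1 */
    u128 p = mul64(UINT64_MAX, UINT64_MAX);
    printf("hi=0x%016llx lo=0x%016llx roundtrip=%d\n",
           (unsigned long long)hi64(p), (unsigned long long)lo64(p),
           check_split(UINT64_MAX, UINT64_MAX));
    return 0;
}
```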