I reviewed libyang2 2.0.112-6ubuntu2 as checked into jammy.
This shouldn't be considered a full audit but rather a quick gauge
of maintainability. The libyang2 source package is a rename of
libyang based on the upstream 2.0 version, which included a new parser;
the libyang source package has not yet been removed from the archive.

libyang2 is a library for processing IETF YANG data modeling schemas,
used primarily for expressing network configuration for networking
equipment.

- CVE History:
  - Roughly fifteen or so CVEs affecting libyang. Upstream is generally
    responsive to reports.
- Build-Depends
  - libpcre2 (ok)
- No pre/post inst/rm scripts
- No init scripts.
- No systemd units.
- No dbus services.
- No setuid binaries.
- Two binaries in PATH, used primarily for schema validation and
  development.
- No sudo fragments.
- No polkit files.
- No udev rules.
- tests:
  - significant unit tests run during the build
  - very limited autopkgtests, that only exercise the cli tools
- No cron jobs.
- Build logs:
  - more build time tests on the cli tools could be run if the shunit2
    package was installed
  - build logs mostly clean, some possible uninitialized value warnings
    (from -Wmaybe-uninitialized)
  - lintian warnings are fine

- No processes spawned.
- Memory management is generally okay, some error checking macros are
  present to assist with allocation errors.
- File IO is okay.
- Logging has complex infrastructure, but okay
- Environment variable usage is okay. Alternate plugin and extension
  directories can be specified via env vars, but it's hard to see how
  this can be abused.
- Uses ioctl in the cli tools for querying window size.
- No obvious use of cryptography / random number sources.
- Lint tool uses a known temp file name when recompiled with debugging
  macros enabled (disabled by default)
- No obvious use of networking, parses ip addrs in config files
- No use of WebKit.
- No use of PolicyKit.

- cppcheck reported a large number of memory leaks plus a few double
  frees, but these look to be likely false positives.
- Coverity flagged a few issues outside of the tests that also mostly
  look to be false positives.

Overall code looks fine, if macro heavy, which seems to confuse static
analyzers. Upstream is responsive to issues.

Security team ACK for promoting libyang2 to main.


** Changed in: libyang2 (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1958293

Title:
  [MIR]: libyang2



-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs