I reviewed libyang2 2.0.112-6ubuntu2 as checked into jammy. This shouldn't be considered a full audit but rather a quick gauge of maintainability. The libyang2 source package is a rename of libyang based on the upstream 2.0 version, which included a new parser; the libyang source package has not yet been removed from the archive.
libyang2 is a library for processing IETF YANG data modeling schemas, used primarily for expressing network configuration for networking equipment.

- CVE History:
  - Roughly fifteen or so CVEs affecting libyang. Upstream is generally responsive to reports.
- Build-Depends
  - libpcre2 (ok)
- No pre/post inst/rm scripts
- No init scripts.
- No systemd units.
- No dbus services.
- No setuid binaries.
- Two binaries in PATH, used primarily for schema validation and development
- No sudo fragments.
- No polkit files.
- No udev rules.
- tests:
  - significant unit tests run during the build
  - very limited autopkgtests, that only exercise the cli tools
- No cron jobs.
- Build logs:
  - more build time tests on the cli tools could be run if the shunit2 package was installed
  - build logs mostly clean, some possible uninitialized value warnings (from -Wmaybe-uninitialized)
  - lintian warnings are fine
- No processes spawned.
- Memory management is generally okay, some error checking macros are present to assist with allocation errors.
- File IO is okay.
- Logging has complex infrastructure, but okay
- Environment variable usage is okay. Alternate plugin and extension directories can be specified via env vars, but it's hard to see how this can be abused.
- Uses ioctl in the cli tools for querying window size.
- No obvious use of cryptography / random number sources.
- Lint tool uses a known temp file name when recompiled with debugging macros enabled (disabled by default)
- No obvious use of networking, parses ip addrs in config files
- No use of WebKit.
- No use of PolicyKit.
- cppcheck reported a large number of memory leaks plus a few double frees, but these look to be likely false positives.
- Coverity flagged a few issues outside of the tests that also mostly look to be false positives.

Overall code looks fine, if macro heavy, which seems to confuse static analyzers. Upstream is responsive to issues.

Security team ACK for promoting libyang2 to main.
** Changed in: libyang2 (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1958293
Title: [MIR]: libyang2