I reviewed libtraceevent 1:1.8.2-1 as checked into noble. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
> libtraceevent - Linux kernel trace event library
> - CVE History:
>   - none
> - Build-Depends?
>   - nothing concerning
>   - most dependencies are for building documentation
> - pre/post inst/rm scripts?
>   - none
> - init scripts?
>   - none
> - systemd units?
>   - none
> - dbus services?
>   - none
> - setuid binaries?
>   - none
> - binaries in PATH?
>   - none
> - sudo fragments?
>   - none
> - polkit files?
>   - none
> - udev rules?
>   - none
> - cron jobs?
>   - none
> - unit tests / autopkgtests?
>   - in progress by owning team
> - Build logs:
>   - missing MAN pages
>   - documentation warnings make build logs noisy
>   - W: libtraceevent source: build-depends-on-obsolete-package Build-Depends: pkg-config => pkgconf
> - Processes spawned?
>   - ./src/parse-filter.c runs regexec
>   - this is a library, secure implementation depends on downstream projects
> - Memory management?
>   - heavy use
>   - care seems to be taken
>   - as a root process, bugs are unlikely to cause vulnerabilities
>   - this is a library, secure implementation depends on downstream projects
> - File IO?
>   - load_plugin() from ./src/event-plugin.c uses dlopen
>   - security depends on how downstream projects load plugins
>   - assume plugins are root
> - Logging?
>   - contains error handling messages
>   - mostly in ./src/parse-filter.c
> - Environment variable usage?
>   - TRACEEVENT_PLUGIN_DIR
>   - HOME
> - Use of privileged functions?
>   - none
> - Use of cryptography / random number sources etc?
>   - none
> - Use of temp files?
>   - none
> - Use of networking?
>   - minimal use in ./src/event-parse.c
> - Use of WebKit?
>   - none
> - Use of PolicyKit?
>   - none
> - Any significant cppcheck and Coverity results?
>   - false positives
>   - these looked relevant at first glance, but not after analysis
> - Any significant shellcheck results?
>   - none, all reports are for manpages/tests/building
> - Any significant bandit results?
>   - none
>
> Security team ACK for promoting libtraceevent to main.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2051916
Title: [MIR] promote libtraceevent as a trace-cmd dependency

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libtraceevent/+bug/2051916/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
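The review's plugin-loading point (load_plugin() calling dlopen on a directory that can come from TRACEEVENT_PLUGIN_DIR in the environment, with plugins assumed to run as root) puts the decision about what gets loaded on the downstream program. The following is an added example, not code from libtraceevent or trace-cmd: a hypothetical downstream check that ignores the environment override in privileged (AT_SECURE) processes via glibc's secure_getenv() and only accepts a directory that is root- or self-owned and not group/world writable. The function names plugin_dir_is_trusted and trusted_plugin_dir are assumed.

```c
/* Added example (not libtraceevent code): vet a plugin directory before a
 * downstream program hands it to dlopen(). Function names are hypothetical. */
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* glibc >= 2.17; declared explicitly in case feature macros are not in effect. */
extern char *secure_getenv(const char *name);

/* A directory is trusted only if it exists, is a directory, is owned by root
 * or by the current real user, and is not writable by group or others. */
int plugin_dir_is_trusted(const char *dir)
{
    struct stat st;

    if (dir == NULL || *dir == '\0')
        return 0;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != getuid())
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Pick the directory plugins may be loaded from. secure_getenv() returns NULL
 * when the process is setuid/setgid or otherwise marked secure, so the
 * environment override is silently dropped there; whatever survives is still
 * checked with plugin_dir_is_trusted(). Returns NULL if nothing is acceptable. */
const char *trusted_plugin_dir(const char *fallback)
{
    const char *dir = secure_getenv("TRACEEVENT_PLUGIN_DIR");

    if (dir != NULL && plugin_dir_is_trusted(dir))
        return dir;
    if (fallback != NULL && plugin_dir_is_trusted(fallback))
        return fallback;
    return NULL;
}
```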