I reviewed liburing 0.6-3 as checked into groovy.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

liburing is a C library to help set up and remove io_uring instances, used
to perform efficient asynchronous communication between userspace and the
kernel.

- No CVE History
- No security relevant Build-Depends
  - debhelper-compat, procps
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- No cron jobs
- Extensive unit tests / autopkgtests
  - Package has more than 10x amount of test code than actual library code
  - Runs both the unit test suite and example code as autopkgtests
  - Autopkgtests currently fail and are ignored...
  - Currently unit test failures are ignored with the following entry in
    debian/rules - this should be resolved before this package is promoted
    to main as otherwise regressions could easily be introduced with no
    warning
      # XXX: The tests do not pass yet on Linux 5.5, and they are not being
      # skipped either.
      override_dh_auto_test:
          dh_auto_test -- runtests || true

- Build logs:
  - Build logs show unit test failures
  - No significant lintian failures

- No processes spawned
- No dynamic memory management (except for at probe)
- No file IO
- No logging
- No environment variable usage
- No use of privileged functions
- No use of cryptography / random number sources etc
- No use of temp files
- No use of networking
- No use of WebKit
- No use of PolicyKit

- No significant cppcheck results
  - only some warnings of memory leaks in the test code
- No significant Coverity results
- No significant shellcheck results
- No significant bandit results

Whilst still a very new library, liburing appears to be well written and
relatively defensive, and given its minimal scope, does not appear to
provide any real attack surface or similar. It is well tested, but the
current tests are not well maintained in Ubuntu.

Security team ACK for promoting liburing to main, conditional on ensuring
the autopkgtests are fixed so that they are in a known state and can be
used for regression testing etc on future updates.


** Tags added: security-review-done

** Changed in: liburing (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
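As an added example, not part of the review above and not code from the liburing package: a POSIX sh sketch of what "tests in a known state" can look like in place of `dh_auto_test -- runtests || true`. Rather than discarding every result, the build compares failing tests against a reviewed allowlist of known failures, so a newly failing test breaks the build while the known ones stay visible, and allowlist entries that have started passing are reported so the list does not drift. The results format (one "name PASS|FAIL" line per test), the file names and the test names are assumptions constructed for this example; a real debian/rules would have to produce that results file from the package's own test runner.

```shell
#!/bin/sh
# Added example, not from the liburing package or the MIR review above.
# Replaces the pattern `dh_auto_test -- runtests || true`, which hides every
# failure, with an explicit allowlist of known failures. The results format
# ("name PASS|FAIL" per line) and the allowlist file are assumptions.

# check_results RESULTS_FILE ALLOWLIST_FILE
# Returns 0 when every failing test is listed in ALLOWLIST_FILE, 1 when at
# least one failure is new. Prints each failure with its classification.
check_results() {
    results="$1"
    allowlist="$2"
    unexpected=0
    while read -r name status; do
        [ "$status" = FAIL ] || continue
        if grep -qxF "$name" "$allowlist"; then
            echo "known failure: $name"
        else
            echo "NEW failure:   $name"
            unexpected=$((unexpected + 1))
        fi
    done < "$results"
    [ "$unexpected" -eq 0 ]
}

# stale_entries RESULTS_FILE ALLOWLIST_FILE
# Prints allowlisted tests that now pass, so the allowlist can be pruned and
# the "known state" does not silently drift. Exit status is 0 either way.
stale_entries() {
    results="$1"
    allowlist="$2"
    while read -r name; do
        [ -n "$name" ] || continue
        grep -qxF "$name PASS" "$results" && echo "stale allowlist entry: $name"
    done < "$allowlist"
    return 0
}

# make_samples: writes constructed sample files into a temp dir and prints
# the dir path. Test names and outcomes are invented for this example.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'ring-setup PASS' 'probe-ops FAIL' 'sqe-timeout FAIL' > "$dir/results"
    printf '%s\n' 'sqe-timeout' 'ring-setup' > "$dir/allowlist"
    echo "$dir"
}

# Stand-alone demo: sqe-timeout is a known failure, probe-ops is a new one
# (so the check fails), and ring-setup is a stale allowlist entry.
if [ "${1:-}" = demo ]; then
    d=$(make_samples)
    stale_entries "$d/results" "$d/allowlist"
    check_results "$d/results" "$d/allowlist"
    echo "check_results exit status: $?"
    rm -rf "$d"
fi
```

Run with `sh known-failures.sh demo` to see the constructed sample classified. In a package, the allowlist would live under debian/ with a reason next to each entry (for example the kernel version the test needs), so that a reviewer can tell a deliberate exemption from a forgotten one; the point of the check is that a regression changes the build result instead of being swallowed by `|| true`.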

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1878006

Title:
  MIR: liburing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/liburing/+bug/1878006/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
