[Bug 1854849] Re: [MIR] libscalar-list-utils-perl
** Changed in: libscalar-list-utils-perl (Ubuntu)
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854849

Title:
  [MIR] libscalar-list-utils-perl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libscalar-list-utils-perl/+bug/1854849/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854849] Re: [MIR] libscalar-list-utils-perl
I reviewed libscalar-list-utils-perl 1:1.53-1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

The guts of this perl module is in ListUtil.xs which is turned into C code. I did run that portion of the build through coverity, which did not complain about anything I found to be concerning.

libscalar-list-utils-perl is a replacement for the default List::Util distribution that is built into perl core and adds some additional subroutines.

- CVE History:
  - no CVEs found
- Build-Depends:
  - perl
- pre/post inst/rm scripts?
  - not applicable
- init scripts?
  - not applicable
- systemd units?
  - not applicable
- dbus services?
  - not applicable
- setuid binaries?
  - not applicable
- binaries in PATH?
  - not applicable
- sudo fragments?
  - not applicable
- udev rules?
  - not applicable
- unit tests / autopkgtests?
  - there is a fairly comprehensive test suite
- cron jobs?
  - not applicable
- Build logs:
  - Everything looks fine

- Processes spawned?
  - not applicable
- Memory management?
  - I do not see anything that looks problematic
- File IO?
  - not applicable
- Logging?
  - not applicable
- Environment variable usage?
  - not applicable
- Use of privileged functions?
  - not applicable
- Use of cryptography / random number sources etc?
  - not applicable
- Use of temp files?
  - not applicable
- Use of networking?
  - not applicable
- Use of WebKit?
  - not applicable
- Use of PolicyKit?
  - not applicable

- Any significant cppcheck results?
  - not applicable
- Any significant Coverity results?
  - not applicable

Security team ACK for promoting libscalar-list-utils-perl to main.

** Changed in: libscalar-list-utils-perl (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1854849] Re: [MIR] libscalar-list-utils-perl
[Summary]
- All looks pretty straightforward, MIR Team ack
- Needs security review (assigned)

[Duplication]
I first thought https://metacpan.org/pod/List::Util would be something else that sounds similar but it IS the same.
I found no other such perl lib in main.
And while one could say "just do it without the lib" it is fine that such helpers exist.

[Embedded sources and static linking]
- no embedded sources
- no (static) linking (perl)

[Security]
- no history of CVEs
- no daemon as root
- doesn't use webkit1,2
- doesn't use lib*v8 directly
- doesn't open a port
- doesn't process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- doesn't deal with system authentication (eg, pam), etc

But it
- parses data formats
And that in a way that if there is a bug in the code of the lib, all applications using it would be affected.
Since the need for pulling this in is for mail-auth, we should ask security to take a look; it isn't too huge so it might be fast.

[Common blockers]
- no FTBFS issues
- tests are present
- no translation, but also not user visible
- no python package for further constraints on that

[Packaging red flags]
- no Ubuntu delta atm
- perl has no symbols tracking
- d/watch is ok
- regularly updated in Debian
- the current release is packaged
- not causing a MOTU problem
- a few, but no massive Lintian warnings
- d/rules is as small as it can be
- no golang constraints to consider
- Desktop team is already subscribed

[Upstream red flags]
- no Errors/warnings during the build
- no incautious use of malloc/sprintf
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of User nobody
- no use of setuid
- no known Important bugs (crashers, etc) in Debian or Ubuntu
- no Dependency on webkit, qtwebkit, seed or libgoa-*
- not part of UI design

** Changed in: libscalar-list-utils-perl (Ubuntu)
     Assignee: Christian Ehrhardt (paelzer) => (unassigned)

** Changed in: libscalar-list-utils-perl (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
[Bug 1854849] Re: [MIR] libscalar-list-utils-perl
** No longer affects: libmail-dkim-perl (Ubuntu)

** Changed in: libscalar-list-utils-perl (Ubuntu)
     Assignee: (unassigned) => Christian Ehrhardt (paelzer)
[Bug 1854849] Re: [MIR] libscalar-list-utils-perl
Hi Heather,
the MIR bugs are filed against the package that has to be evaluated.
Thanks to your explanations that is clear now and I fixed it up in the bug tasks.

** Also affects: libscalar-list-utils-perl (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: libmail-dkim-perl (Ubuntu)
       Status: New => Invalid
[Bug 1854849] Re: [MIR] libscalar-list-utils-perl
libscalar-list-utils-perl is being requested to satisfy a dependency of libmail-authenticationresults-perl.

libmail-authenticationresults-perl also has an open MIR to satisfy a dependency of libmail-dkim-perl:
https://bugs.launchpad.net/ubuntu/+source/libmail-dkim-perl/+bug/1853175