I reviewed msgpack-python version 0.3.0-0ubuntu1 as checked into
saucy. This shouldn't be considered a full security audit, but rather
a quick gauge of code quality.
- msgpack-python provides a binary-encoding interchange format optimized
to save bytes compared to more verbose encoding formats (small integers
may be encoded in a single byte if their range fits).
- Build-depends cython, usual Python, python-six, python-nose,
python-pytest
- Does not itself use cryptography
- Does not itself use networking
- No daemons, no sockets, no init scripts, no dbus services, no setuid
programs, no binaries, no sudo fragments
- Good test suite checks many boundary conditions of the binary format
- No cron jobs
- Since much of the compiled source is automatically generated, there are
more warnings than would be ideal (especially signed / unsigned
comparisons, often a rife source of bugs), but I did not spot any
problems at the warning sites
- No subprocesses are spawned
- Memory allocation is aimed at speed of processing; by default it starts
by allocating a megabyte for buffer use, and without constraints it can
grow to consume all memory available to the process. The authors recommend
constraining the memory allocations when handling untrusted input.
- Only file operations are through Python duck-typing
- No environment variables
- No logging
- No privileged portions of code
- No cryptography
- No webkit
This code has more than the usual amount of commented-out sections,
more than the usual amount of TODO and FIXME comments, and far more C
pre-processor tricks than the usual program. This protocol was designed
to save bytes where it could and the end result, at least in the Python
implementation, is an extremely complicated parser.
This tool would not be my first choice of API -- or protocol. Python
Thrift feels more mature, and the simplicity of its protocol feels far
preferable to me to the huge diversity of types msgpack-python supports
in an effort to squeeze every byte.
However, that said, I did not spot any security problems, and the test
suite would give me confidence that any patches we may need have been
written correctly.
Security team ACK for main.
** Changed in: msgpack-python (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => (unassigned)
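The memory-allocation bullet above recommends constraining allocations when decoding untrusted input. As an added example (not code from msgpack-python or from the reviewer), here is a minimal pure-Python decoder for a subset of the msgpack format (positive fixint, str, array) that checks every length prefix against a caller-supplied limit before it slices or allocates anything, so a five-byte header claiming a 4 GiB string is rejected instead of honoured. The limit names `max_str_len`/`max_array_len` and the sample byte strings are constructed for this example.

```python
class LimitExceeded(ValueError):
    """An encoded length prefix claims more than the caller permits."""

PREFIX_WIDTH = {0xD9: 1, 0xDA: 2, 0xDB: 4, 0xDC: 2, 0xDD: 4}  # str8/16/32, array16/32

def _uint(buf, pos, width):
    if pos + width > len(buf):
        raise ValueError("truncated length prefix")
    return int.from_bytes(buf[pos:pos + width], "big"), pos + width

def _decode_one(buf, pos, max_str_len, max_array_len):
    if pos >= len(buf):
        raise ValueError("truncated input")
    b, pos = buf[pos], pos + 1
    if b <= 0x7F:                                 # positive fixint: value is the type byte
        return b, pos
    if 0xA0 <= b <= 0xBF or b in (0xD9, 0xDA, 0xDB):
        n = b & 0x1F if b <= 0xBF else None       # fixstr keeps its length in the low 5 bits
        if n is None:
            n, pos = _uint(buf, pos, PREFIX_WIDTH[b])
        if n > max_str_len:                       # checked BEFORE any slice or allocation
            raise LimitExceeded("str of %d bytes exceeds %d" % (n, max_str_len))
        if pos + n > len(buf):
            raise ValueError("truncated str body")
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if 0x90 <= b <= 0x9F or b in (0xDC, 0xDD):
        n = b & 0x0F if b <= 0x9F else None       # fixarray keeps its count in the low 4 bits
        if n is None:
            n, pos = _uint(buf, pos, PREFIX_WIDTH[b])
        if n > max_array_len:                     # reject the header; never pre-size a list
            raise LimitExceeded("array of %d items exceeds %d" % (n, max_array_len))
        items = []
        for _ in range(n):
            item, pos = _decode_one(buf, pos, max_str_len, max_array_len)
            items.append(item)
        return items, pos
    raise ValueError("unsupported type byte 0x%02X" % b)

def decode(buf, max_str_len=1024, max_array_len=256):
    """Decode exactly one value; over-limit headers and trailing bytes are errors."""
    value, end = _decode_one(bytes(buf), 0, max_str_len, max_array_len)
    if end != len(buf):
        raise ValueError("%d trailing bytes" % (len(buf) - end))
    return value

# Constructed samples: a benign 3-item array, then two 5-byte headers claiming a 4 GiB str / 4-billion-slot array.
BENIGN = b"\x93\x01\xa2hi\x7f"
HUGE_STR = b"\xdb\xff\xff\xff\xff"
HUGE_ARRAY = b"\xdd\xff\xff\xff\xff"
```

The same limit-before-allocate discipline is what a bounded real decoder needs: the hostile headers are rejected after reading five bytes, whereas an unconstrained buffer would try to reserve the claimed size.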
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1207003
Title:
[MIR] msgpack-python
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/msgpack-python/+bug/1207003/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs