I reviewed intel-microcode version 2.20140913.1ubuntu2 as checked into vivid. This should not be considered a full security audit but rather a quick gauge of maintainability.
- intel-microcode provides scripts to load microcode during early boot and intel-supplied microcode
- Build-Depends: debhelper, iucode-tool
- No cryptography
- No networking
- Does not daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuid
- No binaries
- No sudo fragments
- No udev rules
- No test suite, unsurprisingly
- No cronjobs
- Clean build logs
- Subprocesses are spawned extensively, shell scripts; nearly all looked safe
- No memory management
- Files written to are controlled by platform, e.g. /sys/devices/system/cpu/cpu*/microcode/reload and /sys/devices/system/cpu/microcode/reload
- No environment variables
- No privileged portions of code
- The only temporary file handling is in a maintainer-only script debian/diff-latest-pack.sh -- it has predictable /tmp/ names; not a big deal if the packager using this tool is aware of the limitation.
- No WebKit
- No PolicyKit
- No JavaScript
- Slight problem with static analysis: line 92 of debian/initramfs.hook is probably a bug.

Here are the two issues I found with this package; the first is unlikely to be a real problem in actual service and the second hasn't actually caused problems despite being in deployed use -- but it's probably a bug all the same:

- debian/diff-latest-pack.sh -- it has predictable /tmp/ names; not a big deal if the packager using this tool is aware of the limitation.

- Line 92 of debian/initramfs.hook is probably a bug:

    if $(dpkg --compare-versions 3.9 le ${version}) ; then

Please fix at the earliest convenience.

Security team ACK for migrating to restricted or main as appropriate.

** Changed in: intel-microcode (Ubuntu)
   Assignee: Seth Arnold (seth-arnold) => (unassigned)

** Changed in: iucode-tool (Ubuntu)
   Assignee: Seth Arnold (seth-arnold) => (unassigned)

-- 
https://bugs.launchpad.net/bugs/1388889
Title: [MIR] intel-microcode & iucode-tool (multiverse -> restricted)

ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
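An added example, not code from the bug report or from the intel-microcode package, showing why the `if $(...)` form flagged on line 92 of debian/initramfs.hook is fragile even though it has worked so far. `mock_compare` is a constructed stand-in for `dpkg --compare-versions` that prints an optional message on stdout and exits with a chosen status, so the example runs without dpkg installed.

```shell
#!/bin/sh
# Added example; not code from the bug report or the intel-microcode package.
# mock_compare is a constructed stand-in for `dpkg --compare-versions`:
# it prints $2 on stdout when given, then exits with status $1.
mock_compare() {
    [ -n "$2" ] && printf '%s\n' "$2"
    return "$1"
}

# The pattern from line 92 of debian/initramfs.hook: the `$(...)` is expanded
# first, so whatever the command printed becomes the command that `if` runs;
# the comparison's own exit status is only used when nothing was printed.
buggy_check() {
    if $(mock_compare "$1" "$2"); then return 0; else return 1; fi
}

# The straightforward form: `if` tests the exit status of the command itself.
fixed_check() {
    if mock_compare "$1" "$2"; then return 0; else return 1; fi
}

# Runs a check with its output silenced and reports which branch was taken.
report() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "$label: then"; else echo "$label: else"; fi
}

# dpkg --compare-versions prints nothing, so both forms agree: POSIX gives a
# command line that expands to no command name the exit status of its last
# command substitution, which is why the hook has worked in deployed use.
report "buggy, silent, status 0" buggy_check 0 ''    # then
report "fixed, silent, status 0" fixed_check 0 ''    # then
report "buggy, silent, status 1" buggy_check 1 ''    # else
report "fixed, silent, status 1" fixed_check 1 ''    # else

# As soon as the wrapped command prints anything, the buggy form executes
# that output as a command and the real comparison result is lost.
report "buggy, prints 'true', status 1" buggy_check 1 true              # then
report "fixed, prints 'true', status 1" fixed_check 1 true              # else
report "buggy, prints a warning, status 0" buggy_check 0 some_warning   # else (some_warning: not found)
report "fixed, prints a warning, status 0" fixed_check 0 some_warning   # then
```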