I reviewed python-pykmip version 0.5.0-1 as checked into Ubuntu yakkety;
this shouldn't be considered a full security audit but rather a quick
gauge of maintainability.
- I did not notice python-pykmip CVEs in our tracking database
- python-pykmip provides a standardized user interface to hardware
security modules, and provides a software "hardware" security module;
this is marked deprecated, but might yet prove useful with proper access
control mechanisms in place.
- Build-depends: debhelper, dh-python, python-all, python-setuptools,
python-sphinx, python3-all, python3-setuptools, python-coverage,
python-cryptography, python-enum34, python-fixtures, python-mock,
python-pytest, python-six, python-sqlalchemy, python-testresources,
python-testscenarios, python-testtools, python3-coverage,
python3-cryptography, python3-fixtures, python3-mock, python3-pytest,
python3-six, python3-sqlalchemy, python3-subunit, python3-testresources,
python3-testscenarios, python3-testtools, subunit, testrepository,
- Does not daemonize as usual, hopefully whatever uses pykmip is prepared to
handle the usual daemonizing
- pre/post inst/rm are automatically generated dh_python* and
update-alternatives
- No initscript
- No dbus services
- No setuid
- python3-pykmip-server and python2-pykmip-server executables in PATH
- No sudo fragments
- No udev rules
- Relatively clean build logs
- No cronjobs
- Many tests in test suite run during build
- No subprocesses spawned
- Logging file opened via usual logging mechanisms
- Logging mechanisms looked safe
- Does not itself use environment variables
- No privileged operations
- Uses python's TLS facilities
- Listens on sockets
- I didn't review closely enough to discover if there are privileged areas
of code
- /tmp use that looks sketchy:
sqlite:////tmp/pykmip.database in KmipEngine()
This may justify further exploration, fixes.
- Does not use WebKit
- Does not use PolicyKit
- Does not use JS
The parts of this that I read looked professionally programmed; that said,
the sqlite:////tmp/pykmip.database is awkward and out of place.
Where does this get stored?
Before we can promote this package to main we need to be sure that this
database isn't stored in /tmp with a predictable name.
Thanks
** Changed in: python-pykmip (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1543754
Title:
[MIR] barbican, python-pykmip
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/barbican/+bug/1543754/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
