I reviewed argon2 version 0~20161029-1.1 as checked into bionic. This
isn't a full security audit but rather a quick gauge of maintainability.
Specifically I did not audit the implementation for correctness or
cryptographic security.
- argon2 is the winning entry in a recent "Password Hashing Competition",
modeled after the AES and SHA-3 competitions, run by the open
cryptography community. The intention is to make a new password hashing
algorithm and key derivation function.
- There are no CVEs in our database
- This package provides command line utilities and library suitable for
direct use.
- argon2 does not daemonize
- no pre/post inst/rm scripts
- no initscripts
- no systemd units
- no dbus services
- no setuid
- argon2 application in PATH
- no sudo fragments
- no udev rules
- a test suite is run during the build
- no cronjobs
- clean buildlogs
- no subprocesses are spawned
- memory management looked careful
- No file IO
- No environment variables
- No privileged operations
- Extensive cryptography
- No networking
- No privileged portions of code
- No temporary files
- No WebKit
- No JavaScript
- cppcheck has one false positive
- No PolicyKit
The API to use argon2 functions is more complicated than I'd like. Someone
somewhere is going to misuse this thing because it's too complex.
But the code quality was good.
Security team ACK for promoting argon2 to main.
Thanks
** Changed in: argon2 (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1746047
Title:
[MIR] argon2
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/argon2/+bug/1746047/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
