I reviewed brotli version 1.0.2-3 as checked into bionic. This should not
be considered a full security audit but rather a quick gauge of
maintainability.

- brotli is a compression tool, both a library and command line
  application

- There are two CVEs, perhaps only one fault, for use in Chrome and
  Firefox. This is both a benefit (loads of people hammer these two
  projects endlessly) and a risk (getting fixes for CVEs out of these
  projects is extremely difficult).

- Build-Depends: cmake, debhelper, dh-python, python, python-dev,
  python-setuptools, python3, python3-dev, python3-setuptools

- Does not daemonize
- Does not itself do networking
- Automatically generated pre/post rm/inst scripts
- No init scripts
- No systemd files
- No DBus services
- No setuid files
- 'brotli' executable in PATH
- No sudo fragments
- No udev rules
- A large-feeling test suite is run during the build
- No cron jobs
- Clean build logs

- No subprocesses spawned
- Careful memory management
- Most file IO under control of callers; .bro file extension code looked
  careful
- Clean logging
- No environment variable use
- Very limited privileged operations use; chmod() followed by two chown()
  calls. Perhaps there's a weakness here as these repeatedly operate on
  filenames rather than using fchmod(), fchown() on a single file
  descriptor.
- No cryptography
- No networking
- No privileged portions of code
- No temporary files
- No webkit
- No policykit
- No javascript
- cppcheck is not as clean as it could be, but reflects common C idiom.

Brotli is very dense, highly domain-specific code. It may have algorithmic
flaws that are very difficult to spot on a cursory read; that said, calls
almost universally have error checking, and the comments are tasteful. We
will need to rely upon upstream for maintenance help but the software
itself looks professionally programmed.

Security team ACK for promoting brotli to main.

Thanks


** Changed in: brotli (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1737053

Title:
  [MIR] brotli
