I reviewed pysmi version 0.2.2-1 as checked into bionic. This should not be considered a full security audit but rather a quick gauge of maintainability.
- No CVEs in our database
- pysmi can parse ASN.1 MIB files and emit JSON or Python code to work with data in the described format; there's infrastructure in place to work around bugs in poorly-written MIB files, hosted on http://mibs.snmplabs.com/
- Build-Depends: debhelper, dh-python, python-all, python3-all, python-ply, python3-ply, python-setuptools, python3-setuptools, python-pysnmp4, python3-pysnmp4, python3-sphinx
- No cryptography
- Can do http / ftp / sftp
- Does not daemonize
- Auto-generated pre/post inst/rm scripts
- No initscripts / systemd files
- No DBus services
- No setuid files
- /usr/bin/mibdump in PATH
- No sudo fragments
- No udev rules
- Many tests run during the build
- No cronjobs
- Clean build logs
- No subprocesses spawned
- File handling is slightly complicated:
  - well-known locations can hold files
  - applications can request loading from other locations, including zips, remote resources, etc.
  - some of these inputs influence code generation, but conversations with the author gave me confidence that this is still something we can support
- minimal logging, looks safe
- No environment variable use
- No privileged operations
- No cryptography
- Can retrieve files over the network via multiple protocols
- No privileged portions of code
- mkstemp is used when temporary files are created
- No WebKit
- No JavaScript
- No PolicyKit

Code generation is a higher-risk activity, but the author answered my questions quickly and confidently and has a clear threat model in mind that I believe accurately reflects our needs.

Security team ACK for promoting pysmi to main.

Thanks

** Changed in: pysmi (Ubuntu)
       Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/1748572
Title: [MIR] pysmi, pycryptodome
