I reviewed yaml-cpp version 0.6.2-4fakesync1 as packaged in disco-proposed. This shouldn't be considered a full security audit but rather a quick gauge of maintainability.

- There are six CVEs found since 2017 and as far as I can tell none have been addressed since they were discovered. The library appears to be entirely unsuitable for handling untrusted input. (And even for trusted input, crashing rather than returning an error message is really poor user experience.) If we're going to have this in main, then we need to work with upstream to provide the missing reliability.
- Build-Depends: cmake, debhelper
- Does no cryptography
- Does no networking
- Does not daemonize
- No pre/post inst/rm scripts
- No init scripts
- No systemd unit files
- No dbus service files
- No setuid files
- No executables in PATH
- No sudo fragments
- No udev rules
- Decent-sized test suite run during build
- No cron jobs
- Some CMake warnings, large number of warnings from test suite, nothing too bad
- Does not spawn subprocesses
- Older C++ style memory management
- util/parse.cpp can take a filename in argv[1]
- Probably insufficient logging for real use, but logging looked safe
- No environment variable use
- No privileged functions
- No privileged portions of code
- No temp files
- No webkit
- cppcheck results only in test suite
- No policykit

The code is clean and simple, but perhaps too simple -- the six open CVEs show insufficient handling for unexpected inputs. This library is currently unsafe for use on untrusted inputs, and will probably give a poor user experience for innocent typos.

So, security team ACK on promoting yaml-cpp to main is granted provided that the requesting team:

- Promises to work with upstream developers to handle the six currently open CVEs. Obviously I can't expect anyone to promise that upstream will be receptive, but the responses to GitHub issues make it appear that help would be accepted positively. If upstream doesn't respond, we'll need to either carry a delta or work with Debian to carry a delta.
- Addresses the lack of FORTIFY_SOURCE in the build log. I didn't investigate how it came to lack FORTIFY_SOURCE, I just didn't see it in the logs where I expected to see it.

Thanks

** Changed in: yaml-cpp (Ubuntu)
   Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1794692

Title:
  [MIR] [mir] yaml-cpp

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
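The review above flags FORTIFY_SOURCE as absent from the build log without saying how that was checked. The following is an added example, not part of the bug report and not yaml-cpp's or Ubuntu's own tooling, showing one way to gauge it: scan the compile lines of a build log for -D_FORTIFY_SOURCE together with the optimisation level it needs to take effect, and, where a built library is at hand, look for the fortified libc entry points (the __*_chk imports) that the flag makes the compiler emit. The log text is constructed for the example and is not the real yaml-cpp build log; the function names are the example's own.

```shell
#!/bin/sh
# Added example: checking a build log (and optionally a binary) for FORTIFY_SOURCE.
# Not from the yaml-cpp bug report; SAMPLE_LOG below is constructed, not a real build log.

# Constructed excerpt in the shape of a verbose CMake/make log. The first compile
# line carries -D_FORTIFY_SOURCE=2, the second does not, the third is only a link step.
SAMPLE_LOG='[ 10%] Building CXX object CMakeFiles/yaml-cpp.dir/src/parse.cpp.o
/usr/bin/c++ -Dyaml_cpp_EXPORTS -I/build/yaml-cpp/include -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o CMakeFiles/yaml-cpp.dir/src/parse.cpp.o -c /build/yaml-cpp/src/parse.cpp
[ 20%] Building CXX object CMakeFiles/yaml-cpp.dir/src/emitter.cpp.o
/usr/bin/c++ -Dyaml_cpp_EXPORTS -I/build/yaml-cpp/include -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -o CMakeFiles/yaml-cpp.dir/src/emitter.cpp.o -c /build/yaml-cpp/src/emitter.cpp
[ 30%] Linking CXX shared library libyaml-cpp.so
/usr/bin/c++ -fPIC -g -O2 -Wl,-z,relro -shared -o libyaml-cpp.so.0.6.2 CMakeFiles/yaml-cpp.dir/src/parse.cpp.o CMakeFiles/yaml-cpp.dir/src/emitter.cpp.o'

# Compile lines: a " -c " flag with a C/C++ source file as the last argument.
# Link-only lines are deliberately excluded; FORTIFY_SOURCE is a compile-time define.
compile_lines() {
    printf '%s\n' "$1" | grep -E ' -c .*\.(c|cc|cpp|cxx)$' || true
}

# A compile line only counts as fortified when it defines _FORTIFY_SOURCE (2 is what
# dpkg-buildflags sets; 3 exists in newer GCC) AND optimises at -O1 or higher,
# because the fortified wrappers are never selected at -O0.
fortified_lines() {
    compile_lines "$1" | grep -E -- '-D_FORTIFY_SOURCE=[23]' | grep -E -- ' -O[1-3s]( |$)' || true
}

# Prints "compile=N fortified=M verdict=OK|MISSING|NO_COMPILE_LINES".
# Returns 0 only when every compile line in the log is fortified.
log_fortify_status() {
    n_compile=$(compile_lines "$1" | grep -c . || true)
    n_fortified=$(fortified_lines "$1" | grep -c . || true)
    if [ "$n_compile" -eq 0 ]; then
        verdict=NO_COMPILE_LINES
    elif [ "$n_compile" -eq "$n_fortified" ]; then
        verdict=OK
    else
        verdict=MISSING
    fi
    printf 'compile=%s fortified=%s verdict=%s\n' "$n_compile" "$n_fortified" "$verdict"
    if [ "$verdict" = OK ]; then return 0; else return 1; fi
}

# Lists the compile lines that lack FORTIFY_SOURCE (or optimisation), so the
# reviewer can see which objects were built without it.
unfortified_lines() {
    compile_lines "$1" | grep -E -v -- '-D_FORTIFY_SOURCE=[23]' || true
}

# Optional binary-side check: with FORTIFY_SOURCE in effect, a library that calls
# memcpy/strcpy/sprintf and friends imports the __*_chk variants from libc.
# Requires binutils; an empty listing on a library with such calls is a warning sign.
binary_fortified_symbols() {
    command -v nm >/dev/null 2>&1 || { echo "nm not available" >&2; return 2; }
    nm -D "$1" 2>/dev/null | grep -E ' U .*_chk' || true
}

# Usage on the constructed log: expected "compile=2 fortified=1 verdict=MISSING".
log_fortify_status "$SAMPLE_LOG" || echo "FORTIFY_SOURCE missing from some compile lines:" >&2
unfortified_lines "$SAMPLE_LOG" >&2
```

CMake only prints full compile lines when the build is verbose (for example with CMAKE_VERBOSE_MAKEFILE set or VERBOSE=1), so a log with verdict NO_COMPILE_LINES says nothing about hardening and the binary-side check is the better evidence in that case.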