libxmlb is a recently developed and released library written in C to
allow applications to perform fast XPath queries against an XML document
without having to parse the entire document into memory. This is
designed to only support a subset of XPath for the purposes for fwupd
and other utilities. Provides a command-line xb-tool application in
/usr/lib which is not intended for end-users to run.
- CVE history: no
- Build-Depends: gir1.2-glib-2.0, gobject-introspection, gtk-doc-tools,
libglib2.0-dev, libgirepository1.0-dev, meson, shared-mime-info, uuid-dev
- Does not daemonize
- No use of udev
- No pre/post inst/rm scripts
- No initscripts / systemd unit files
- No DBus services
- No setuid binaries
- No binaries added to PATH
- No sudo fragments
- No udev rules
- Unit tests run during package build - these look pretty comprehensive
- No cronjobs
- Clean build logs - no warnings during build other than for missing API
documentation
- No subprocesses are spawned
- Memory management looks good, no obvious issues - uses core GLib
memory management functionality and string types etc. Care is taken on
memory copies etc to ensure buffers are appropriately sized.
- xb-tool always sets GIO_USE_VFS to local and overwrites
G_MESSAGES_DEBUG for logging purposes
- No privileged operations
- No cryptography
- No network connections
- Temporary files only uses during unit tests
- No WebKit
- No JavaScript
- No PolicyKit
- Clean cppcheck
- 1 false positive error for an unintialised variable
Overall code is of high quality - also upstream has integrated support
for fuzzing so likely should be pretty robust against malicious inputs
from untrusted XML documents etc.
Security team ACK for promoting to main.
** Changed in: libxmlb (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1814997
Title:
[MIR] libxmlb
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libxmlb/+bug/1814997/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
