[Summary]
- MIR Team ack
- Info: this will be pulled into main on the merge of qemu 4.2
@Server Team - none of the minor issues is critical (e.g. d/copyright, fine to
let Debian sort that out, no delta needed)
@Security - I'm not requesting a review (done in the past as part of qemu),
just an ack that from now on you have this on your usual security-issue-monitoring
[Duplication]
- The code was in qemu but now is split, no duplication.
[Embedded sources and static linking]
- No embedded sources
[Security]
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does parse data formats (network traffic from guest)
- There were CVE issues in the past, but after all the individual maintenance
of the lib was just one of the reasons to split it so that should be fine
- CVEs were reported above, and it will be continuing to be security critical
for guest breakout scenarios
@Security - I'm not requesting a review as you essentially have done that way
back when qemu was added.
Just an ack from you that you'll from now on have this on your usual
security-issue-monitoring would be nice to go on with this.
[Common blockers]
- does not FTBFS currently?
- As mentioned in the bug description it does not have a test suite, but that
is just upstream
- the slirp4netns tests make this better than it was as part of qemu
- server team will subscribe
- not user visible (translations)
- no python concerns as no python is in the package
[Packaging red flags]
- no Ubuntu delta
- symbols tracking is in place
- d/watch in place
- updates should be "as qemu" which was fine so far
- current release is packaged
- Lintian warnings exist but are ok
- d/rules is as clean as possible
- no Built-Using
[Upstream red flags]
- no Errors/warnings during the build
- no Incautious use of malloc/sprintf (as it was in qemu)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no user management
- no use of setuid
- no important bugs (crashers, etc) in Debian or Ubuntu
- no Dependency on webkit, qtwebkit, seed or libgoa-*
** Changed in: libslirp (Ubuntu)
Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
--
https://bugs.launchpad.net/bugs/1854404
Title:
[MIR] libslirp (as it was part of QEMU)