I reviewed urwid 2.0.1-2build3 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
urwid is a console-based display and user interface framework/library
for python 2.7 and 3.4+
- CVE History:
- none found
- Build-Depends?
- nothing troubling found
- pre/post inst/rm scripts?
- n/a
- init scripts?
- n/a
- systemd units?
- n/a
- dbus services?
- n/a
- setuid binaries?
- n/a
- binaries in PATH?
- n/a
- sudo fragments?
- n/a
- udev rules?
- n/a
- unit tests / autopkgtests?
- there are some tests but no autopackage tests. The tests run fine when I
manually run them but I don't see them running during the build.
- cron jobs?
- n/a
- Build logs:
- lintian warns about old python versions
- Processes spawned?
- the default for Terminal is using the value of SHELL env var as the command
- it execs a command for it virtual terminal class and some for mouse pointer
integration
- it also execs some python for reraising exceptions
- Memory management?
- n/a
- File IO?
- paths appear to be constructed safely
- it's not really getting input from files
- umask is set to 0 when deamonizing
- umask not explicitly set for file creation
- Logging?
- looking isn't used much and looks ok
- Environment variable usage?
- env is not sanitized
- this could possibly be misused or produce unanticipated results but that
isn't happening as used by python-configshell-fb
- Use of privileged functions?
- Use of cryptography / random number sources etc?
- n/a
- Use of temp files?
- pipes located in /tmp by default, this isn't being used for our purposed
right now.
- Use of networking?
- I didn't focus on this very much becuause urwid as used by
python-configshell-fb doesn't use networking
- input is parsed one character at a time.
- Use of WebKit?
- Use of PolicyKit?
- n/a
- Any significant cppcheck results?
- No
- Any significant Coverity results?
- No
Bandit flagged creation of pipes in /tmp in web_display.py as potentially
unsafe. That functionality of the framework is not being used
by python-configshell-fb but it could probably be improved.
Security team ACK. My recommendation is that the web_display tmp files
be cleaned up to use python's tempfile but I don't think it needs to
block inclusion into main at this time because it isn't being used.
** Changed in: urwid (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854362
Title:
[MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb,
urwid, targetcli-fb
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ceph-iscsi/+bug/1854362/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
