I reviewed libxcrypt 1:4.4.10-10ubuntu1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
libxcrypt is a library for handling one-way hashing of passwords. Its use here is to replace the deprecated glibc libcrypt library.
- Only CVE in history was a SuSE-specific issue.
- No non-build-infrastructure build dependencies.
- No pre/post inst/rm scripts.
- No init scripts.
- No systemd units.
- No dbus services.
- No setuid binaries.
- No binaries in PATH.
- No sudo fragments.
- No polkit files.
- No udev rules.
- Has a bunch of unit tests, invoked as part of the build.
- No cron jobs.
- Only compiler warnings are about the compiler deciding not to inline some functions marked inline.
- No lintian failures.
- No processes spawned.
- Memory management looks sane:
  - Most memory operations are (unsurprisingly) memcpy(). Most math computations about how much to copy seem sensible. At least one instance of memcpy(dest, src, sizeof(src)), however.
  - alg-yescrypt-platform.c:73 uses malloc if mmap is not available (so not an issue on Linux), but continues on in the function if malloc() fails.
- Only non-test file operation is opening /dev/urandom as a fallback for getrandom() failing.
- No logging is performed; this is expected to be handled by callers of the library detecting errors on return.
- No environment variable use.
- No privileged function use.
- Use of cryptography / random number sources etc?
  - It attempts to use getrandom() if available as a system CSPRNG, falling back to /dev/urandom if the syscall doesn't work.
  - Hash function implementations look sane and reasonable.
- No temp file usage.
- No networking use.
- No WebKit.
- No PolicyKit use.
- No cppcheck issues found.
- The only issues found by coverity were in the tests.
- The only issues found by shellcheck are in build tools or tests.
The decision to remove GNU libc's libcrypt, and let users and distributions choose a library like libxcrypt, was made by upstream:
https://sourceware.org/legacy-ml/libc-alpha/2017-08/msg01257.html
Security team ACK for promoting libxcrypt to main.
https://bugs.launchpad.net/bugs/1865532
Title:
[MIR] libxcrypt (dependency of glibc)
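The review above notes that libxcrypt prefers getrandom() and falls back to /dev/urandom, and that it does no logging, leaving error detection to callers. The following is an added example of that pattern (my own code, not libxcrypt's): a wrapper that retries on EINTR, handles short reads, falls back to the device only when the syscall is absent (ENOSYS), and never reports success with an unfilled buffer. It assumes a Linux/glibc build where sys/random.h is available.

```c
#define _GNU_SOURCE           /* expose getrandom() even under -std=c11 */
#include <errno.h>
#include <fcntl.h>
#include <sys/random.h>
#include <unistd.h>
/* Fill buf from getrandom(2): 0 on success, -1 on error (errno set; ENOSYS means no syscall). */
static int fill_from_getrandom(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;           /* interrupted by a signal: retry */
            return -1;              /* ENOSYS on old kernels, or a real failure */
        }
        got += (size_t)n;           /* may return fewer bytes than requested */
    }
    return 0;
}
/* Fallback: read from /dev/urandom, handling short reads and EOF. */
static int fill_from_urandom(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0) {               /* error or EOF: never report success */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}
/* Entry point: 0 on success, -1 on failure; callers must check this
   before using buf (e.g. as a salt), since nothing here logs. */
int get_random_bytes(unsigned char *buf, size_t len)
{
    if (fill_from_getrandom(buf, len) == 0)
        return 0;
    if (errno != ENOSYS)            /* syscall exists but failed: don't mask it */
        return -1;
    return fill_from_urandom(buf, len);
}
```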