-- For LIBONIG --

[Summary]
Other than the dark shadow of "sigh another regex lib" no issue seems to be
present in the packaging. MIR Team Ack.

A security review is needed as there is CVE history. It seems to be already
monitored and fixed for the use cases around PHP so this might be a quick one.

Optional:
- Add an autopkgtest for oniguruma to not only test on builds but also
  on dependency changes.

[Duplication]
Well, this is a sore point in regex libraries already. These are already in main
- libre2
- pcre2
- pcre3
But it seems it is always very intense for projects to switch between any of
those, therefore we already have three in main. And it seems jq (as well as
php-mbstring) has no code to support alternative backends.
Therefore - yes, there are other regex libs, but none for the use case required
here.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- -dev has no further deps that would be a problem

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look too concerning
  - there are quite a bunch of CVEs; in 2017 and 2019 a burst of them
    was identified. Amplified by the common use of libonig in some PHP
    environments which makes this more exposed than e.g. the use in
    commandline jq here.
    The issues were all handled in time and are fixed by now according to
    the Ubuntu CVE Tracker.
    See [1] for the full list.
    But it is worth saying that due to its use in universe php modules
    this already seems to get enhanced security coverage, see [2][3][4][5]
- does not run a daemon as root
  (not on its own, it is just a lib)
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

Problems:
- does parse data formats
- The above shows that there can be, and have been, security issues with it, but
  also that it seems security already monitors and fixes these issues for its
  use in PHP. A review is needed, but might end quickly with "yeah we do that
  anyway"

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build.
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider in that regard

Problems:
- does not have a test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good
- Debian update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no errors/warnings during the build,
  only a few "-Wmaybe-uninitialized"
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

[1]: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Oniguruma
[2]: https://ubuntu.com/security/notices/USN-4088-1
[3]: https://ubuntu.com/security/notices/USN-3902-1
[4]: https://ubuntu.com/security/notices/USN-3902-2
[5]: https://ubuntu.com/security/notices/USN-4460-1


** Changed in: libonig (Ubuntu)
     Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)
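The autopkgtest suggested under "Optional" above, written out as an added example; it is not part of this review or of the libonig package. The shell function below drops a minimal debian/tests/control and a test script that compiles, links and runs a small matcher against the installed library, so a dependency change that breaks the headers, the .so or basic matching shows up in autopkgtest rather than only at build time. It also covers the "[Security] does parse data formats" point: the matcher feeds an invalid pattern and requires a clean compile error, not a crash. Assumptions not taken from the review: the -dev binary package is named libonig-dev, its pkg-config module is "oniguruma", the test is called link-and-match, and the calls are the public oniguruma.h API (onig_initialize, onig_new, onig_search, onig_region_new/free, onig_free, onig_end, onig_version); the generator itself runs anywhere, the generated script needs libonig-dev and a C compiler.

```shell
#!/bin/sh
# Added example (not from the review or the package): generate a minimal
# autopkgtest for libonig. Assumed names: libonig-dev, pkg-config module
# "oniguruma", test name link-and-match.

# write_autopkgtest DIR: creates DIR/debian/tests/control and the test script.
write_autopkgtest() {
    dir="$1"
    mkdir -p "$dir/debian/tests"

    # autopkgtest control file: names the test and what must be installed for it.
    cat > "$dir/debian/tests/control" <<'EOF'
Tests: link-and-match
Depends: libonig-dev, build-essential, pkg-config
EOF

    # The test: compile a small C program against the installed headers and
    # shared library, then run it. A failing compile, link or match fails the
    # test, which is exactly what autopkgtest should report on dependency changes.
    cat > "$dir/debian/tests/link-and-match" <<'EOF'
#!/bin/sh
set -e
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/match.c" <<'CEOF'
#include <stdio.h>
#include <string.h>
#include <oniguruma.h>

/* Compile pattern and search subject. Returns the match offset, ONIG_MISMATCH
   when nothing matches, or -2 when the pattern does not compile: an invalid
   pattern must be rejected cleanly, never crash the process. */
static int try_match(const char *pattern, const char *subject)
{
    regex_t *reg;
    OnigErrorInfo einfo;
    const OnigUChar *pat = (const OnigUChar *)pattern;
    const OnigUChar *str = (const OnigUChar *)subject;
    int r = onig_new(&reg, pat, pat + strlen(pattern), ONIG_OPTION_DEFAULT,
                     ONIG_ENCODING_UTF8, ONIG_SYNTAX_DEFAULT, &einfo);
    if (r != ONIG_NORMAL) {
        OnigUChar msg[ONIG_MAX_ERROR_MESSAGE_LEN];
        onig_error_code_to_str(msg, r, &einfo);
        fprintf(stderr, "compile error (expected for bad patterns): %s\n", msg);
        return -2;
    }
    OnigRegion *region = onig_region_new();
    r = onig_search(reg, str, str + strlen(subject), str, str + strlen(subject),
                    region, ONIG_OPTION_NONE);
    onig_region_free(region, 1);
    onig_free(reg);
    return r;
}

int main(void)
{
    OnigEncoding encs[] = { ONIG_ENCODING_UTF8 };
    onig_initialize(encs, 1);
    int ok = try_match("a(b+)c", "xxabbbc") == 2             /* match at offset 2 */
          && try_match("a(b+)c", "nothing") == ONIG_MISMATCH
          && try_match("a(b", "abc") == -2;                  /* unbalanced paren */
    onig_end();
    printf("libonig %s: %s\n", onig_version(), ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
CEOF
cc -o "$tmp/match" "$tmp/match.c" $(pkg-config --cflags --libs oniguruma)
"$tmp/match"
EOF
    chmod 0755 "$dir/debian/tests/link-and-match"
}

# has_test_dep DIR PKG: succeeds if the control file's Depends line lists PKG.
has_test_dep() {
    grep -q "^Depends:.*$2" "$1/debian/tests/control"
}

# Stand-alone run: write the files into a scratch directory and show them.
out=$(mktemp -d)
write_autopkgtest "$out"
ls -l "$out/debian/tests"
```

Dropped into the libonig source tree, these two files are all autopkgtest needs; the control file's Depends line is what makes the test re-run when libonig-dev or its dependencies change in the archive.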

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1889248

Title:
  [MIR] mdevctl, jq, libonig

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jq/+bug/1889248/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs