I reviewed jq 1.6-2.1 as checked into hirsute. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
jq is a flexible command-line JSON processor. It ends up implementing
its own language for querying and manipulating JSON structures. As such,
there are times where it is used to parse and process untrusted input.
- The jq package has had a couple of CVEs, one for a one-byte heap
overflow, and one for unbounded stack usage in some situations.
Upstream has been reasonably responsive in addressing the issues in a
timely manner.
- No build depends of concern. It does use bison/flex for its
manipulation language parser and ruby for generating docs.
- No pre/post inst/rm scripts.
- No init scripts.
- No systemd units.
- No dbus services.
- No setuid binaries.
- The only binary provided is jq.
- No sudo fragments.
- No polkit files.
- No udev rules.
- No autopkgtests. jq provides a bunch of functional tests that are run
during the build, while wrapped by valgrind to find memory errors.
- No cron jobs.
- Lintian clean. The build produces some warnings, mostly around
the casting performed for the builtin language functions, as well
as some implicit case/switch fall-through that looks to be "clever"
programming. (The generated lexer also had one signedness comparison
warning.)
- Does not spawn processes.
- Memory management is okay. In most cases, allocation wrappers are used
that check for failures directly, and reference counting is used for
higher level JSON objects.
- As a general purpose command line tool, files are either read from
stdin or passed on the command line. It tries to be defensive in
its handling of JSON input. It also supports module loading, but this
is again specified via command line arguments.
- Error logging is handled through wrapper functions and avoids format
string issues.
- jq uses environment variables for module loading paths and for
specifying colorized output.
- No use of privileged functions.
- Does not appear to use cryptography, random number sources, etc.
- Does not appear to use temp files.
- Does not use networking.
- No use of WebKit.
- No use of PolicyKit.
- Most issues coverity and cppcheck highlighted are either false
positives or non-issues that come about from "clever" programming.
- Only shellcheck issues are in build scripts and tests.
Generally, jq is implemented with thought and care. It attempts to
be cautious in its handling of input. The only concern that I have
about supporting jq is that it is dense and complex code, and for
future issues, backporting fixes may be difficult where significant
code changes have occurred. The extensive test suite helps mitigate
this somewhat.
Security team ACK for promoting jq to main.
** Changed in: jq (Ubuntu)
Status: New => In Progress
** Changed in: jq (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/1889248
Title:
[MIR] mdevctl, jq, libonig