I reviewed libtraceevent 1:1.8.2-1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
> libtraceevent - Linux kernel trace event library
- CVE History:
  - none
- Build-Depends?
  - nothing concerning
  - most dependencies are for building documentation
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- cron jobs?
  - none
- unit tests / autopkgtests?
  - in progress by owning team
- Build logs:
  - missing MAN pages
  - documentation warnings make build logs noisy
  - W: libtraceevent source: build-depends-on-obsolete-package Build-Depends: pkg-config => pkgconf
- Processes spawned?
  - ./src/parse-filter.c runs regexec
  - this is a library, secure implementation depends on downstream projects
- Memory management?
  - heavy use
  - care seems to be taken
  - as a root process, bugs are unlikely to cause vulnerabilities
  - this is a library, secure implementation depends on downstream projects
- File IO?
  - load_plugin() from ./src/event-plugin.c uses dlopen
  - security depends on how downstream projects load plugins
  - assume plugins are root
- Logging?
  - contains error handling messages
  - mostly in ./src/parse-filter.c
- Environment variable usage?
  - TRACEEVENT_PLUGIN_DIR
  - HOME
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - minimal use in ./src/event-parse.c
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck and Coverity results?
  - false positives
  - these looked relevant at first glance, but not after analysis
- Any significant shellcheck results?
  - none, all reports are for manpages/tests/building
- Any significant bandit results?
  - none
Security team ACK for promoting libtraceevent to main.
https://bugs.launchpad.net/bugs/2051916
Title:
[MIR] promote libtraceevent as a trace-cmd dependency