I reviewed rpds-py 0.20.0-0ubuntu3 as checked into oracular. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

> rpds.py: Python bindings to the Rust rpds crate for persistent data
> structures

- CVE History
  - None
  - overflow reported (issue #86 PR #87)
    - see below
  - Project has a SECURITY.md \o/
  - Project uses GitHub's Private Security Reporting Feature \o/
  - Bitdefender (Windows) incorrectly quarantines rpds.py
- Build-Depends
  - vendored dependencies
- pre/post inst/rm scripts
  - yes, typical dh_python3 helper
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - none
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - includes build tests and autopkgtests
- cron jobs
  - none
- Build logs
  - fine

- Processes spawned
  - none
- Memory management
  - single "unsafe" use of as_ptr in AsPyPointer()
    - see comments at end
- File IO
  - in Python, only in tests
- Logging
  - none
- Environment variable usage
  - none
- Use of privileged functions
  - none
- Use of cryptography / random number sources etc
  - none
- Use of temp files
  - none
- Use of networking
  - none
- Use of WebKit
  - none
- Use of PolicyKit
  - none

- Any significant cppcheck results
  - none
- Any significant Coverity results
  - none
- Any significant shellcheck results
  - none
- Any significant bandit results
  - none
  - only in tests.
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none

The overflows in https://github.com/crate-py/rpds/issues/86 should be
addressed. The proposed fix looks proper.

Magic numbers come from Python's hashing algorithm implementation.

Note that this package vendors Rust packages. Vendored Rust packages are
(currently) not reviewed by Security MIRs. Auditing these vendored packages was
an explicit request from the MIR Team for this package. This is a broader
discussion that needs priority. In the `rustc` package, a Security Engineer
cannot review all 600+ vendored packages.

To Slyon's concern about parsing untrusted (user) source code, library footguns
in themselves are okay. How/if footguns are used in python-jsonschema is what
we would want to check. This feels okay on the surface.

Also note that per the MIR rules, Security Engineering is responsible for
tracking vulnerabilities in vendored code AND the owning team is responsible
for remediating vendored vulnerabilities reported by Security Engineering.
Currently, this process is not in effect. See SEC-4286 and
https://github.com/canonical/ubuntu-mir

Possibly `cargo audit` could be run as a build test.

Glad to see a MIR member who is not the owner review this.

Nice work adapting this from Debian to Ubuntu James 😎

Security team ACK for promoting rpds-py to main on the condition that owning
team applies PR #87 when it lands.

** Bug watch added: github.com/crate-py/rpds/issues #86
   https://github.com/crate-py/rpds/issues/86

** Changed in: rpds-py (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: rpds-py (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2072621

Title:
  [MIR] rpds-py
