I reviewed jemalloc 5.3.0-2build1 as checked into plucky. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
jemalloc is a general purpose malloc(3) implementation that emphasizes
fragmentation avoidance and scalable concurrency support.
- CVE History
- no CVE has been reported for this project
- Build-Depends
- debhelper-compat, docbook-xml <!nodoc>, docbook-xsl <!nodoc>,
xsltproc <!nodoc>
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
- /usr/bin/jeprof
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
- The package contains a simple Autopkgtest checking if it is
possible to build a binary, link it against libjemalloc and run it
successfully. More of a smoke test than a real test suite.
- The package contains a pretty good collection of unit tests. Those
tests are run at build time and the package will not build if any
of those fail.
- No cron jobs
- No significant build warnings etc
- Processes spawned
- /usr/bin/jeprof spawns:
- objdump
- nm
- addr2line
- c++filt
- dot
- gv
- evince
- kcachegrind
- ps2pdf
- curl
- No processes spawned by the library itself.
- Memory management
- due to its nature, it does a lot of memory management. an analysis
of the whole allocator is impractical, but I can say the code
appears to be well written and tested. I could not identify any
low hanging fruits.
- File IO
- the only file I/O performed by the library consists of dumping the
profile data to a file only with profiling enabled. It is possible
to specify arbitrary directories to write the profile data to. The
profiling behavior can be influenced via the environment variable
MALLOC_CONF which is ignored for setuid binaries.
- Logging
- Debug logging appears correctly handle output, avoiding format
string attacks.
- Environment variable usage
- One way to configure libjemalloc at runtime is via the env
variable "MALLOC_CONF". The parsing logic does not appear to
contain dangerous usage of string manipulation routines or
anything suspicious from a security analysis standpoint.
- Uses secure_getenv to ignore the environment variable in
setuid()/setgid() binaries and binaries with nonempty capability
set.
- Does not use any privileged function
- No use of cryptography / random number sources etc
- No use of temp files
- Use of networking
- /usr/bin/jeprof
Uses curl to download symbols and profiles.
- No use of webkig
- No use of PolicyKit
- Cppcheck results:
- Lots of false positives in the library code due to the use of some
macros wrongly detected as uninitialized.
- No significant shellcheck results
The library seems to be very well written. It has been adopted by
FreeBSD as the default malloc implementation.
Security team ACK for promoting jemalloc to main, given that the
profiling feature is disabled.
** Changed in: jemalloc (Ubuntu)
Status: New => In Progress
** Changed in: jemalloc (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2088056
Title:
[MIR] jemalloc
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jemalloc/+bug/2088056/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
