I reviewed nghttp3 1.8.0-1 as checked into plucky. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
nghttp3 is an implementation of the HTTP3 protocol over QUIC in C. It does
not depend on any particular QUIC transport implementation.
- CVE History
  - None
- Build-Depends
  - Normal builddeps
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - None
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - Has a basic test suite that runs at build time. Does not have
    autopkgtests.
- cron jobs
  - None
- Build logs
  - Normal build logs
- Processes spawned
  - None
- Memory management
  - The library seems to have many memory operations, such as memmove and
    memcpy. The library itself also has its own functions with wrappers
    around memcpy. Memory management overall seems to be OK.
- File IO
  - None
- Logging
  - Has debug logs if enabled. Seems to be normal; however, debug logs
    should probably not be enabled in a production environment in any case.
- Environment variable usage
  - None
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - None
- Use of temp files
  - None
- Use of networking
  - By itself, the library does not seem to make network connections, but
    rather parses the HTTP/3 streams. This is because the library relies on
    an existing implementation of another QUIC transport stack to perform
    flow control and connection management. Not an issue.
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- Any significant cppcheck results
  - None, only some warnings in test files.
- Any significant Coverity results
  - Some Coverity defects were identified. They were either in test/example
    files or were identified as false positives, therefore they are not a
    concern.
    - Explicit null dereferenced
      - This defect seems to be a false positive as the switch case is not
        able to take the identified branch after clearing the qpack state.
    - Overflowed return value
      - This defect seems to be a false positive as the results have proper
        checks to ensure that it can never become larger and overflow.
    - Out-of-bounds write
      - This also seems to be a false positive, as the iv in the vector can
        contain multiple entries.
- Any significant shellcheck results
  - Many shellcheck warnings, but all come from the build itself, such as
    the configure script. Not an issue.
- Any significant bandit results
  - None
- Any significant Semgrep results
  - None
The nghttp3 library seems to have the same core maintainer as the nghttp2
library, therefore it makes sense for both projects to be similar. nghttp2
is already in main, and seems to have only had 4 security advisories.
However, while nghttp2 does have a SECURITY.md file, nghttp3 does not,
despite having the same security advisory reporting available as nghttp2.
This is not a big issue as security vulnerabilities can still be reported
through the same means, however it may cause confusion. An issue has been
filed upstream for this, but the issue in itself is not big enough to
prevent the package from being promoted.
The nghttp3 project is decently sized, and has been active for a few years.
Given the track record of the nghttp2 project, there is more confidence in
the nghttp3 project as well.
Although nghttp3 has not had any security issues, nghttp2 has had security
advisories and the upstream maintainers have responded to those issues
promptly. nghttp3 maintainers also seem to address issues that arise, such
as pull requests or GitHub issues, and while inactive issues are closed
after a period of inactivity, upstream seems to respond to all issues in a
timely manner, and they seem to be addressed properly.
The repository itself does not seem to perform vulnerability scanning, and
the code itself is not the most maintainable due to the complexity of the
protocol implementation. This, however, should not bar the package from the
promotion given the considerations above, and the code itself includes
comments in various areas, as well as documentation. In any case, due to
the expected demand in the future, and as the library seems to be the only
library providing HTTP/3 support currently, it is important for the package
to receive better support, such as an autopkgtest suite, in case of any
unexpected breakages or regressions.
Security team ACK for promoting nghttp3 to main, given that an autopkgtest
suite is implemented as described in the previous comment (#6).
** Changed in: nghttp3 (Ubuntu)
Status: New => In Progress
** Changed in: nghttp3 (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/2098797
Title:
[MIR] nghttp3