I reviewed rust-hwlib 0.9.0~ppa3 as checked into plucky. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
Given the time frame for plucky and the findings we have already discussed
with regards to the vendored code, the Security team NACKs promoting
rust-hwlib 0.9.0~ppa3 in plucky to main.
It is worth mentioning that it feels very promising that we can have (and
feasibly maintain) this package in main in a next release very soon, once
we have the dependencies updated. Hopefully, when we reach that time, we
could also have something better for the Rust ecosystem as a whole that we
could leverage.
An additional suggestion is to try to avoid using relative binary names, as
in the calls to 'dpkg', 'lsmod', and 'lsb_release' [1]. Using the full path
('/usr/bin/dpkg', '/usr/sbin/lsmod', and '/usr/bin/lsb_release') is
recommended to avoid the risk of trusting a PATH environment variable that
could be manipulated [2].
[1]: https://github.com/canonical/hardware-api/blob/9a945111ee86b19910d88a106e95a72a897b370f/client/hwlib/src/collectors/os_info.rs#L27
[2]: https://cwe.mitre.org/data/definitions/426.html
** Changed in: Ubuntu Plucky
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
** Changed in: Ubuntu Plucky
Status: Confirmed => Won't Fix
** Changed in: Ubuntu Plucky
Status: Won't Fix => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2072561
Title:
[MIR] rust-hwlib
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/2072561/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
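The PATH-trust issue raised in the review above (CWE-426), as an added, stand-alone example that is not code from hardware-api or the hwlib collectors. It builds a scratch directory with an executable lookalike of a helper binary, prepends that directory to PATH, and then invokes the helper twice from Rust: once by relative name, the way the os_info.rs collector calls 'dpkg', 'lsmod' and 'lsb_release', and once by absolute path. It uses /bin/echo as a stand-in for those helpers because it exists on every Linux system; the names `plant_fake`, `run_with_path`, `scratch_dir` and `demo` are mine, and the script contents are constructed for the demo.

```rust
// Added example (not part of hardware-api): why hwlib's collectors should
// call helper binaries by absolute path rather than relying on PATH lookup.
use std::fs;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};
use std::process::Command;
use std::time::{SystemTime, UNIX_EPOCH};

/// Run `program` with the given PATH and return its trimmed stdout.
/// For a relative name, std::process::Command resolves the program through
/// the child's PATH, so an attacker-controlled PATH picks the binary.
fn run_with_path(program: &str, args: &[&str], path_env: &str) -> std::io::Result<String> {
    let out = Command::new(program).args(args).env("PATH", path_env).output()?;
    Ok(String::from_utf8_lossy(&out.stdout).trim().to_string())
}

/// Attacker side (constructed for the demo): drop an executable lookalike of
/// `name` into `dir`. It only announces itself instead of doing real damage.
fn plant_fake(dir: &Path, name: &str) -> std::io::Result<PathBuf> {
    let fake = dir.join(name);
    fs::write(&fake, format!("#!/bin/sh\necho FAKE-{}\n", name.to_uppercase()))?;
    fs::set_permissions(&fake, fs::Permissions::from_mode(0o755))?;
    Ok(fake)
}

/// A scratch directory the attacker is assumed to control (hypothetical).
fn scratch_dir() -> std::io::Result<PathBuf> {
    let nanos = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_nanos();
    let dir = std::env::temp_dir().join(format!("cwe426-demo-{}-{}", std::process::id(), nanos));
    fs::create_dir_all(&dir)?;
    Ok(dir)
}

/// Returns (stdout of the relative-name call, stdout of the absolute-path call)
/// under a PATH with the attacker's directory prepended.
fn demo() -> std::io::Result<(String, String)> {
    let dir = scratch_dir()?;
    // "echo" stands in for dpkg/lsmod/lsb_release; /bin/echo is always present.
    plant_fake(&dir, "echo")?;
    let hostile_path = format!("{}:/usr/bin:/bin", dir.display());

    // Vulnerable pattern: relative name, resolved through the hostile PATH.
    let relative = run_with_path("echo", &["real"], &hostile_path)?;
    // Recommended pattern: absolute path, PATH is never consulted.
    let absolute = run_with_path("/bin/echo", &["real"], &hostile_path)?;

    let _ = fs::remove_dir_all(&dir);
    Ok((relative, absolute))
}

fn main() -> std::io::Result<()> {
    let (relative, absolute) = demo()?;
    println!("relative name -> {relative}"); // FAKE-ECHO
    println!("absolute path -> {absolute}"); // real
    Ok(())
}
```

The same hijack works against any caller that reaches the collector with a writable directory early in PATH; the absolute-path form removes PATH from the trust boundary entirely, which is the change the review suggests for the dpkg, lsmod and lsb_release calls.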