I reviewed rust-coreutils 0.1.0+git20250801.cf79675-0ubuntu1 as checked
into questing. This shouldn't be considered a full audit but rather a quick
gauge of maintainability.
rust-coreutils is a cross-platform reimplementation of GNU coreutils in
Rust. It is designed to be a drop-in replacement for the GNU counterpart.
- CVE History
  - None
  - The upstream repository does not currently specify a way to report
    security issues, should they arise. Creating a `SECURITY.md` file is
    recommended for this.
- Build-Depends
  - Normal build depends
  - The package contains a lot of Rust vendored libraries. These do seem
    to be specified in debian/control. There is confirmation of
    commitment by the owning team to provide updates for vendored code,
    so this is not seen as an issue.
- pre/post inst/rm scripts
  - This package itself does not seem to contain any pre/post inst/rm
    scripts.
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - A single binary with many symlinks.
  - The implications with AppArmor have already been discussed, but this
    should still be considered.
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - The application seems to have a rather extensive unit test suite. No
    autopkgtests, but this has also already been discussed in the MIR
    report.
- cron jobs
  - None
- Build logs
  - Seems fine.
- Processes spawned
  - The program seems to spawn a process as new commands for each core
    utility.
  - Some utilities seem to also create shell processes as part of their
    operations, such as `split`. They seem to be created in a safe way.
  - Some processes spawned as part of tests.
- Memory management
  - While the program is written in Rust, memory management inside specific
    blocks such as unsafe wrappers seems to be fine.
- File IO
  - The utilities seem to handle File IO properly. Due to certain
    limitations, file management seems to have been divided between special
    files such as FIFO, pipes, among others. This seems to be handled
    properly as well.
  - There seem to be certain limitations to the library being used for
    CLI operations (clap), but the workarounds seem to be properly
    documented with comments, and seem to be handled fine overall.
  - One potentially problematic aspect to be considered is the
    inconsistency in handling non-UTF-8 characters. Some utilities seem to
    handle non-UTF-8 characters properly, while others do not seem to
    handle these. It would be nice if proper support for these
    characters were added, but this does seem to be on the radar of upstream
    developers.
  - There also seem to be small inconsistencies between some commands.
    - For example, `base32`/`base64`/... is not decoded with rust-coreutils
      at all if the formatting is not correct, while the GNU counterpart
      will decode it until reaching the incorrect formatting.
      - Upstream seems to be aware of this particular issue.
        - https://github.com/uutils/coreutils/issues/5698
        - https://github.com/uutils/coreutils/issues/6008
    - Other issues are also reported on GitHub, and upstream seems to
      respond to issues well.
  - There is also extensive usage of buffers/chunks to make operations when
    it comes to file IO. Usage seems to be fine there as well overall.
- Logging
  - The utilities seem to handle logging properly. Consistency with GNU is
    prioritized, same with returned status codes upon exit.
- Environment variable usage
  - Environment variable usage seems to be fine. Checks POSIXLY_CORRECT
    in some cases to comply with POSIX. Some utilities also use env
    variables (such as `env`) and they seem to be handled fine.
- Use of privileged functions
  - Usage seems to be fine. When used in unsafe blocks, they are commented
    with the special `SAFETY` keyword to justify their usage, although this
    is not always the case. Overall, however, no issues were encountered.
- Use of cryptography / random number sources etc.
  - Usage seems to be fine. For example, in `shred` StdRng::from_os_rng is
    used, and the RNG usage seems to be proper in other cases.
- Use of temp files
  - Temp file usage also seems to be fine. The `mktemp` implementation seems
    to be fine as well.
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- Any significant cppcheck results
  - None
- Any significant Coverity results
  - Rust is not supported by Coverity at the time of writing.
  - Quite a few vulnerabilities were detected in a vendored crate,
    specifically rust-vendor/onig_sys/oniguruma/src/regexec.c
    - As the code specifically handles regex, it is rather complex, and
      cannot be looked at more in depth due to time constraints. It is
      recommended that the usage of `regexec` is analyzed within uutils,
      to see what specifically could be affected in that regard.
    - Vulnerabilities identified by Coverity seem to be mostly memory
      related, such as overflows/null pointer dereference.
- Any significant shellcheck results
  - None
- Any significant bandit results
  - None, just some test related low severity.
- Any significant govulncheck results
  - N/A
- Any significant Semgrep results
  - None
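As an added illustration of the `base32`/`base64` decoding difference noted under File IO (example code written for readers of this review, not code from uutils or GNU coreutils): a minimal base64 decoder with a `strict` switch, where strict mode rejects the whole input at the first byte outside the alphabet, as the review describes rust-coreutils doing, and lenient mode returns what was decoded before that byte, as it describes GNU doing. Padding and whitespace handling are simplified assumptions of this example, not a faithful clone of either tool.

```rust
// Added example modelling the strict vs. lenient decode policies contrasted
// in the review. Not uutils or GNU code; '=' ending the data and '\n' being
// skipped are simplifying assumptions of this example.

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    InvalidChar { pos: usize, byte: u8 }, // byte outside the alphabet at pos
}

/// Map one base64 alphabet character to its 6-bit value.
fn sextet(b: u8) -> Option<u8> {
    match b {
        b'A'..=b'Z' => Some(b - b'A'),
        b'a'..=b'z' => Some(b - b'a' + 26),
        b'0'..=b'9' => Some(b - b'0' + 52),
        b'+' => Some(62),
        b'/' => Some(63),
        _ => None,
    }
}

/// strict == true: any malformed byte fails the whole decode (fail closed).
/// strict == false: stop at the first malformed byte, return the prefix.
pub fn decode(input: &[u8], strict: bool) -> Result<Vec<u8>, DecodeError> {
    let mut out = Vec::with_capacity(input.len() / 4 * 3);
    let mut acc: u32 = 0; // pending bits not yet emitted as a byte
    let mut bits: u32 = 0; // number of valid low bits in `acc`
    for (pos, &b) in input.iter().enumerate() {
        match b {
            b'=' => break,     // padding: no more data characters
            b'\n' => continue, // line breaks are ignored
            _ => {}
        }
        let v = match sextet(b) {
            Some(v) => v,
            None if strict => return Err(DecodeError::InvalidChar { pos, byte: b }),
            None => break, // lenient: keep the decoded prefix, drop the rest
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8); // emit the top 8 pending bits
            acc &= (1 << bits) - 1;        // keep only the leftover bits
        }
    }
    Ok(out) // leftover bits (< 8) belong to an incomplete group and are dropped
}
```

When decoded output feeds another tool, the fail-closed policy is the safer default: the lenient one silently truncates at the first bad byte.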
As of the time of writing, the project seems to be in a fine state.
Upstream maintainers seem to be verified, and the code seems to be clean
and maintainable. There were some inconsistencies in code usage (such as
not all `unsafe` blocks having `SAFETY` comments), but it seems like the
project uses proper safety measures, QA tools like CI pipelines, and proper
testing. In many cases, code comments were also very clear and concise,
while also providing example code samples in some cases.

The upstream repository does seem to contain quite a few issues and open
pull requests, but this is to be expected due to the current focus on the
project, as well as its popularity.
Security team ACK for promoting rust-coreutils to main
** Bug watch added: github.com/uutils/coreutils/issues #5698
https://github.com/uutils/coreutils/issues/5698
** Bug watch added: github.com/uutils/coreutils/issues #6008
https://github.com/uutils/coreutils/issues/6008
** Changed in: rust-coreutils (Ubuntu)
Status: New => In Progress
** Changed in: rust-coreutils (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/2111815
Title:
[MIR] rust-coreutils