I reviewed rust-threecpio 0.10.2-0ubuntu1 as checked into questing.
This shouldn't be considered a full audit but rather a quick gauge
of maintainability.
rust-threecpio (aka 3cpio) is a cpio file manager specifically for
the initramfs; it is a Rust implementation intended to replace
GNU cpio (source package named cpio).
- CVE History
- None
- Build-Depends
- debhelper-compat, dh-cargo, asciidoctor, bzip2, cargo,
libstd-rust-dev, lz4, lzop, rustc, xz-utils, zstd
- pre/post inst/rm scripts
- None
- init scripts
- None
- systemd units
- None
- dbus services
- None
- setuid binaries
- None
- binaries in PATH
- installs '/usr/bin/3cpio', the only binary created
- sudo fragments
- None
- polkit files
- None
- udev rules
- None
- unit tests / autopkgtests
- unit tests exist and are executed during the build; they are easy to
run manually with 'cargo test';
- autopkgtests are not running as of now, but there are plans to have
them, as stated in LP #2120364;
- cron jobs
- None
- Build logs
- Build logs are clean and there is nothing outstanding
- Processes spawned
- spawns compression programs in `src/compression.rs`; it does not use
absolute paths (e.g. `/usr/bin/bzip2`), but this is not an issue here,
as `3cpio` is not intended to run with privileges and a change in the
`PATH` likely wouldn't cause exposures.
- Memory management
- OK
- File IO
- reads and writes files in most of the operations due to the nature of
the program;
- errors checks are present;
- data contents are compressed/decompressed so there is no expectation
of data being processed by other means that could cause harm;
- paths are passed by argument and there are checks and tests for
possible vulnerabilities such as path traversal attacks and for the
use of symlinks;
- Logging
- OK
- Environment variable usage
- OK
- Use of privileged functions
- None
- Use of cryptography / random number sources etc
- None
- Use of temp files
- OK
- Use of networking
- None
- Use of WebKit
- None
- Use of PolicyKit
- None
- Any significant cppcheck results
- None
- Any significant Coverity results
- None
- Any significant shellcheck results
- None
- Any significant bandit results
- None
- Any significant govulncheck results
- None
- Any significant Semgrep results
- None
Code seems very solid and upstream is very active and present.
Bonus for the usage of the minimum viable vendored code, hopefully
easier to maintain.
Security team ACK for promoting rust-threecpio to main. I would
suggest adding a `SECURITY.md` file in upstream (github) to create
a security policy to handle possible security issues[1].
[1]: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
** Changed in: rust-threecpio (Ubuntu)
Status: New => In Progress
** Changed in: rust-threecpio (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
https://bugs.launchpad.net/bugs/2119257
Title:
[MIR] rust-threecpio
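As an added example (not 3cpio's own code and not part of the original review), the two checks a cpio extractor needs against the path traversal and symlink issues listed under File IO above: a lexical check on the archive member name (no absolute paths, no `..`) and a filesystem check that no existing component of the destination path is a symlink. The type and function names (`PathError`, `safe_join`, `reject_symlink_ancestors`, `extraction_target`) are assumptions for this illustration, and the member names in `main` are constructed.

```rust
// Added example (not 3cpio's own code): the kind of path checks a cpio
// extractor needs so that a crafted archive cannot write outside the
// destination directory. The names `safe_join`, `reject_symlink_ancestors`
// and `extraction_target` are assumptions for this illustration.
use std::path::{Component, Path, PathBuf};

/// Why a member name was refused.
#[derive(Debug, PartialEq)]
pub enum PathError {
    /// Name is absolute (`/etc/passwd`) or carries a prefix (`C:\`).
    Absolute,
    /// Name contains a `..` component (`../../etc/passwd`, `a/../b`).
    ParentDir,
    /// Name is empty or only `.`, so there is nothing to create.
    Empty,
    /// An already-existing path component below the destination is a symlink.
    SymlinkInPath(PathBuf),
}

/// Lexical check: join `member` onto `dest`, refusing absolute names and
/// any `..` component. `Path::components()` already drops interior `.`.
pub fn safe_join(dest: &Path, member: &str) -> Result<PathBuf, PathError> {
    let member = Path::new(member);
    let mut out = dest.to_path_buf();
    for comp in member.components() {
        match comp {
            Component::RootDir | Component::Prefix(_) => return Err(PathError::Absolute),
            Component::ParentDir => return Err(PathError::ParentDir),
            Component::CurDir => {}
            Component::Normal(part) => out.push(part),
        }
    }
    if out == dest {
        return Err(PathError::Empty);
    }
    Ok(out)
}

/// Filesystem check: an archive may first create `lib -> /etc` as a symlink
/// and then ship `lib/passwd`, which passes the lexical check but would be
/// written through the link. Refuse if any already-existing component of
/// `target` below `dest` (including the final one) is a symlink.
pub fn reject_symlink_ancestors(dest: &Path, target: &Path) -> Result<(), PathError> {
    // `target` always starts with `dest` when it came from `safe_join`.
    let rel = target.strip_prefix(dest).map_err(|_| PathError::ParentDir)?;
    let mut cur = dest.to_path_buf();
    for comp in rel.components() {
        cur.push(comp);
        // symlink_metadata does not follow the final component.
        if let Ok(md) = std::fs::symlink_metadata(&cur) {
            if md.file_type().is_symlink() {
                return Err(PathError::SymlinkInPath(cur));
            }
        }
    }
    Ok(())
}

/// Both checks together: the path an extractor may safely create for `member`.
pub fn extraction_target(dest: &Path, member: &str) -> Result<PathBuf, PathError> {
    let target = safe_join(dest, member)?;
    reject_symlink_ancestors(dest, &target)?;
    Ok(target)
}

fn main() {
    // Constructed member names, as they might appear in a hostile archive.
    let dest = Path::new("/tmp/initrd");
    let members = ["usr/bin/3cpio", "./etc/fstab", "/etc/passwd", "../../etc/passwd", "a/../b", "."];
    for member in members {
        match extraction_target(dest, member) {
            Ok(p) => println!("{member:>20} -> {}", p.display()),
            Err(e) => println!("{member:>20} -> refused: {e:?}"),
        }
    }
}
```

The lexical check alone is not enough: a symlink created by an earlier archive member changes what a later, lexically clean name points to, which is why the filesystem check runs against the partially extracted tree right before each write.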