I reviewed rust-sequoia-sqv 1.3.0-3ubuntu1 as checked into resolute. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

`rust-sequoia-sqv` is a simple signature verification program which
verifies detached OpenPGP signatures. It is a replacement for `gpgv`.
Unlike `gpgv`, it can take additional constraints on the signature into
account.
- CVE History
  - no CVE history
- Build-Depends
  - debhelper-compat, dh-sequence-cargo, bash-completion
  - all 3 are in main and seem to be standard
- pre/post inst/rm scripts
  - none present
- init scripts
  - none present
- systemd units
  - none present
- dbus services
  - none present
- setuid binaries
  - none present
- binaries in PATH
  - ./usr/bin/sqv, which is expected
- sudo fragments
  - none present
- polkit files
  - none present
- udev rules
  - none present
- unit tests / autopkgtests
  - has build tests, but no autopkgtests
- cron jobs
  - none present
- Build logs
  - normal build log, with some minor warnings related to deprecation of
    `DateTime::from_utc` function
- Processes spawned
  - no spawned processes
- Memory management
  - unsupported for rust
- File IO
  - none
- Logging
  - no obvious secret leakage like passwords, tokens, private keys, or
    environment contents
- Environment variable usage
  - none
- Use of privileged functions
  - no privileged functions
- Use of cryptography / random number sources etc
  - `sqv` relies on vendored `sequoia-openpgp` for essentially all
    crypto-related tasks such as key binding, revocation, key-usage, and
    algorithm acceptance decisions
- Use of temp files
  - no temporary files
- Use of networking
  - no networking
- Use of WebKit
  - none
- Use of PolicyKit
  - none
- Any significant Coverity results
  - none
- Any significant shellcheck results
  - none
- Any significant Semgrep results
  - none
- Two of the vendored packages are currently vulnerable (reported by
  osv-scanner)
  - `openssl` v0.10.71 is vulnerable to CVE-2025-3416. Although it's a
    rust wrapper around the system openssl library, the vulnerability is
    in the wrapper itself.
  - `sequoia-openpgp` v2.0.0 is vulnerable to CVE-2025-67897, which is a
    vendored rust crate source.
Security team ACK for promoting `rust-sequoia-sqv` to main if and only if
the vulnerable vendored packages are upgraded to patched versions
(`openssl` to v0.10.72 and `sequoia-openpgp` to v2.1.0).
** CVE added: https://cve.org/CVERecord?id=CVE-2025-3416
** CVE added: https://cve.org/CVERecord?id=CVE-2025-67897
** Changed in: rust-sequoia-sqv (Ubuntu)
Status: New => In Progress
** Changed in: rust-sequoia-sqv (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
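The review's ACK condition above is a concrete, checkable threshold: the vendored `openssl` crate must be at least 0.10.72 and `sequoia-openpgp` at least 2.1.0. The following is an added example (not part of the MIR review, the Ubuntu packaging, or the sqv project) of a small cross-check that reads a vendored `Cargo.lock`, extracts every `[[package]]` entry, and reports crates that are still below the minimum version the review requires. The `Cargo.lock` content embedded in it is constructed for illustration and is not the package's real lockfile; the required versions and CVE identifiers are the ones the review cites. It is a narrower complement to an osv-scanner run, useful for confirming that a specific requested bump actually landed in the vendored sources.

```python
"""Cross-check vendored crate versions in a Cargo.lock against the minimum
patched versions named in the MIR review. Added example, not project code."""
import re
from typing import Dict, List, Tuple

# Minimum versions the review requires before promotion, with the CVE each
# bump addresses (both taken from the review text).
REQUIRED_MIN_VERSIONS: Dict[str, Tuple[str, str]] = {
    "openssl": ("0.10.72", "CVE-2025-3416"),
    "sequoia-openpgp": ("2.1.0", "CVE-2025-67897"),
}

# Constructed sample lockfile in Cargo.lock's [[package]] layout. Not the
# real file shipped with rust-sequoia-sqv; the third crate is filler.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "openssl"
version = "0.10.71"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "sequoia-openpgp"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "anyhow"
version = "1.0.86"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def parse_cargo_lock(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs for every [[package]] entry.

    A deliberately minimal parser for the `key = "value"` lines Cargo.lock
    uses; it ignores unquoted values such as the top-level `version = 3`.
    """
    packages: List[Tuple[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if "name" in current and "version" in current:
                packages.append((current["name"], current["version"]))
            current = {}
            continue
        m = re.match(r'^(name|version)\s*=\s*"([^"]*)"$', line)
        if m:
            current[m.group(1)] = m.group(2)
    if "name" in current and "version" in current:
        packages.append((current["name"], current["version"]))
    return packages


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '0.10.71' into (0, 10, 71) for ordered comparison.

    A pre-release suffix after '-' is dropped; released crate versions in a
    vendored lockfile do not need finer semver handling than this.
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_unpatched(packages: List[Tuple[str, str]],
                   requirements: Dict[str, Tuple[str, str]] = REQUIRED_MIN_VERSIONS
                   ) -> List[Tuple[str, str, str, str]]:
    """Return (name, found, required, cve) for every entry below its minimum.

    A lockfile may list the same crate at several versions; each entry is
    checked on its own so an old duplicate is not hidden by a newer one.
    """
    findings = []
    for name, version in packages:
        if name in requirements:
            minimum, cve = requirements[name]
            if version_key(version) < version_key(minimum):
                findings.append((name, version, minimum, cve))
    return findings


def check_lockfile(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse a Cargo.lock and report crates still below the required versions."""
    return find_unpatched(parse_cargo_lock(text))


if __name__ == "__main__":
    for name, found, minimum, cve in check_lockfile(SAMPLE_CARGO_LOCK):
        print(f"{name} {found} is below required {minimum} ({cve})")
```

Run against the constructed sample it reports both crates the review flagged; once the two versions are raised to the required minimums the report is empty, which is the state the ACK is conditioned on.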
https://bugs.launchpad.net/bugs/2089690
Title:
[MIR] rust-sequoia-sqv