[MIR] libfastjson
Bug #1746327 reported by Julian Andres Klode
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libfastjson (Ubuntu) | Fix Released | High | Adam Conrad |
Bug Description
[Availability]
Available in universe for all architectures.
[Rationale]
rsyslog switched from json-c to fastjson between 8.16 and 8.32, so we need fastjson for upgrading it.
[Security]
A JSON parser must parse potentially untrusted data, not sure how that applies to its use in rsyslog - it would be strange if it parsed untrusted data there.
[Quality assurance]
Upstream has a test suite run at build.
[Dependencies]
Only debhelper + pkg-config
[Standards compliance]
[Maintenance]
There should not be any need for divergence from Debian and it seems actively maintained there. That said, as a dependency of rsyslog, foundations-bugs should be responsible.
Changed in libfastjson (Ubuntu): importance: Undecided → High
MIR looks good in general, but it *is* a JSON parser, and could potentially deal with untrusted data. Looking at the code quickly, it's pretty complicated, so it doesn't sound unlikely that there'd be some potential issues there.
I agree that in this case it's for syslog, but it's still important that we consider any future uses when the package is in main.
Let's get the Security Team's opinion on this.