I reviewed intel-microcode version 2.20140913.1ubuntu2 as checked into
vivid. This should not be considered a full security audit but rather a
quick gauge of maintainability.
- intel-microcode provides scripts to load microcode during early boot and
intel-supplied microcode
- Build-Depends: debhelper, iucode-tool
- No cryptography
- No networking
- Does not daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuid
- No binaries
- No sudo fragments
- No udev rules
- No test suite, unsurprisingly
- No cronjobs
- Clean build logs
- Subprocesses are spawned extensively, shell scripts; nearly all looked
safe
- No memory management
- Files written to are controlled by platform, e.g.
/sys/devices/system/cpu/cpu*/microcode/reload and
/sys/devices/system/cpu/microcode/reload
- No environment variables
- No cryptography
- No networking
- No privileged portions of code
- The only temporary file handling is in a maintainer-only script
debian/diff-latest-pack.sh -- it has predictable /tmp/ names; not a big
deal if the packager using this tool is aware of the limitation.
- No WebKit
- No PolicyKit
- No JavaScript
- slight problem with static analysis, line 92 of debian/initramfs.hook is
probably a bug.
Here are the two issues I found with this package; the first is unlikely to
be a real problem in actual service and the second hasn't actually caused
problems despite being in deployed use -- but it's probably a bug all the
same:
debian/diff-latest-pack.sh -- it has predictable /tmp/ names; not a big
deal if the packager using this tool is aware of the limitation.
Line 92 of debian/initramfs.hook is probably a bug:
if $(dpkg --compare-versions 3.9 le ${version}) ; then
Please fix at the earliest convenience.
Security team ACK for migrating to restricted or main as appropriate.
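As an added illustration of the line 92 pattern (not code from the package or from the review above), the following POSIX sh snippet contrasts "if $(cmd)" with "if cmd"; version_le is a constructed stand-in for dpkg --compare-versions so that it runs without dpkg, and the check_* functions are hypothetical.

```shell
# Added example: why `if $(cmd) ; then` is fragile compared with `if cmd ; then`.

# Stand-in for `dpkg --compare-versions "$1" le "$2"`, constructed for this
# example. It handles dotted integer versions only (dpkg's ordering is
# richer), exits 0 when $1 <= $2 and, like dpkg, prints nothing on stdout.
version_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# The hook's form. The shell runs version_le inside $(...) and then tries to
# execute its stdout as a command. Because nothing was printed, POSIX sh
# falls back to the exit status of the last command substitution, so this
# behaves correctly only by accident.
check_substituted() {
    if $(version_le 3.9 "$1") ; then echo yes ; else echo no ; fi
}

# The intended form: branch directly on the command's exit status.
check_direct() {
    if version_le 3.9 "$1" ; then echo yes ; else echo no ; fi
}

# The same pattern with a command that also writes a diagnostic to stdout:
# the printed words are executed as a command, which fails with status 127
# (command not found), so the branch is decided by the wrong exit status.
noisy_version_le() { echo "note: comparing $1 with $2" ; version_le "$1" "$2" ; }
check_noisy_substituted() {
    if $(noisy_version_le 3.9 "$1") 2>/dev/null ; then echo yes ; else echo no ; fi
}
```

Run check_direct and check_substituted with 3.10 and 3.2 to see both agree, then check_noisy_substituted with 3.10 to see the substituted form answer "no" for a version that is actually newer.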