Comment 3 for bug 1610286

Seth Arnold (seth-arnold) wrote:

I reviewed lasso 2.5.0-5build1 as checked into ubuntu zesty. This should
not be considered a full security audit but rather a quick gauge of
maintainability.

lasso has two CVEs in our databases, CVE-2009-0050 and CVE-2015-1783. The
first was an OpenSSL API misuse which was common to many other
applications due to awkward API design. The second was use of an
uninitialized variable, which appeared to be due to a typo.

Lasso is part of a single-signon system as part of Project Liberty.

- Build-Depends: debhelper, dh-python, libxml2-dev, libxslt1-dev,
  libxmlsec1-dev, libxmlsec1-openssl, libglib2.0-dev, python-all-dev,
  python3-all-dev, libexpat1-dev, fastjar, python-lxml, python3-lxml,
  python-six, python3-six, chrpath, dh-python

- does not itself do networking
- does not itself daemonize
- pre/post inst/rm scripts are automatically generated
- no init scripts
- no dbus services
- no setuid
- no binaries in PATH
- no sudo fragments
- no udev rules
- there is a test suite but it is not run at build time
- no cron jobs
- build logs are clean

- no subprocesses spawned
- memory management is using glib's allocators, which kill the program on
  failure. There are roughly 360 of these in the sources; it is a big
  assumption for a library to make that falling over is the best way to
  handle an error.
- file IO under control of callers
- extensive error logging, spot checks looked safe
- uses environment variables REQUEST_METHOD and QUERY_STRING presumably
  from a web server
- no privileged functions
- extensive use of encryption
- does not itself do networking
- no privileged portions of code
- no temporary files
- no webkit
- no javascript
- no policykit
- many cppcheck warnings but probably only one real error:
  - lasso/id-wsf/discovery.c lasso_discovery_build_credential()
    'profile' may be NULL in this expression:
    response = LASSO_DISCO_QUERY_RESPONSE(profile->response);

- tests/tests.c my_malloc() fails to account for size=0 allocations

While lasso looks like it was programmed defensively, the subject matter
is extremely complex, and logic errors are likely. It's just too large to
avoid. We will rely heavily on upstream or other teams inside of Canonical
in the event vulnerabilities in the protocol handling are discovered.

Please enable the test suite.

Security team ACK on promoting lasso to main on the condition that the
test suite is enabled.

Thanks
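To illustrate the size-0 pitfall noted for tests/tests.c my_malloc(), here is an added, constructed test-harness allocator; it is not lasso's code, and the names counted_malloc, counted_free, live_allocations and failed_allocations are assumptions. malloc(0) may legally return NULL, so a wrapper that treats every NULL as out-of-memory miscounts zero-byte requests; the fix is to request at least one byte so NULL is unambiguously a failure.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: an instrumented allocator a test suite might use to
 * assert that a code path frees everything it allocated. Not lasso's own. */
static size_t live_count = 0;    /* allocations not yet freed */
static size_t failed_count = 0;  /* allocations that returned NULL */

/* Buggy shape: a NULL from malloc(0) is counted as failure and the (possibly
 * valid, implementation-defined) result is never tracked. Kept here only to
 * show the defect; its behaviour for size 0 is platform-dependent. */
void *naive_malloc(size_t size)
{
    void *p = malloc(size);
    if (p == NULL) {
        failed_count++;
        return NULL;
    }
    live_count++;
    return p;
}

/* Fixed shape: never ask for zero bytes, so NULL always means failure and
 * every successful call is tracked and must be released via counted_free(). */
void *counted_malloc(size_t size)
{
    void *p = malloc(size == 0 ? 1 : size);
    if (p == NULL) {
        failed_count++;
        return NULL;
    }
    live_count++;
    return p;
}

void counted_free(void *p)
{
    if (p == NULL)
        return;  /* free(NULL) is a no-op; do not decrement the count */
    free(p);
    live_count--;
}

size_t live_allocations(void)   { return live_count; }
size_t failed_allocations(void) { return failed_count; }

int main(void)
{
    void *p = counted_malloc(0);  /* zero-byte request is still tracked */
    printf("live=%zu failed=%zu\n", live_allocations(), failed_allocations());
    counted_free(p);
    printf("live=%zu after free\n", live_allocations());
    return 0;
}
```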