Ubuntu
libinih package

  1. Bug #1883890
  2. Comment #2

Comment 2 for bug 1883890

Revision history for this message
Seth Arnold (seth-arnold) wrote :

I reviewed libinih 50-1 as checked into hirsute. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

libinih is a simple ini file parser for C and C++.

- CVE History:
  - there's no cves in our database
- Build-Depends: debhelper-compat, meson
- pre/post inst/rm scripts?
  - None
- init scripts?
  - None
- systemd units?
  - None
- dbus services?
  - None
- setuid binaries?
  - None
- binaries in PATH?
  - None
- sudo fragments?
  - None
- polkit files?
  - None
- udev rules?
  - None
- unit tests / autopkgtests?
  - Small test suite appears to be run both during the build and during
    autopkgtest
- cron jobs?
  - None
- Build logs:
  - Clean build logs, lintian warnings are out of date:

 W: libinih source: debhelper-compat-file-is-missing
 W: libinih source: package-uses-deprecated-debhelper-compat-version 1
 E: libinih source: package-uses-debhelper-but-lacks-build-depends
 E: libinih source: missing-build-dependency debhelper
 W: libinih source: newer-standards-version 4.5.0 (current is 4.1.4)

- Processes spawned?
  - None
- Memory management?
  - Complicated by changing compile-time malloc vs stack into runtime; it
    seemed okay but it's C.
- File IO?
  - No file writing; file reading under control of the library user.
- Logging?
  - None
- Environment variable usage?
  - None
- Use of privileged functions?
  - None
- Use of cryptography / random number sources etc?
  - None
- Use of temp files?
  - None
- Use of networking?
  - None
- Use of WebKit?
  - None
- Use of PolicyKit?
  - None

- Any significant cppcheck results?
  - None
- Any significant Coverity results?
  - One small warning https://github.com/benhoyt/inih/issues/127
- Any significant shellcheck results?
  - None
- Any significant bandit results?
  - None

There's an error when a strncpy() was replaced with a memcpy(). Thankfully
there is already a fix upstream:

https://github.com/benhoyt/inih/commit/d7f465792c0c7686b50ed45c9a435394ae418d3e#diff-bf9ac2185bcd8a2bc7227af48d0b5da96acee30f6c6a7ba75173c84ce6f2e2c9

This may or may not really justify a CVE: usually ini files are supplied
by administrators or people who otherwise want the software to work.

In any event, I'd like our packages fixed before we promote this package
to main. So, security team PROVISIONAL ACK on promoting libinih to main,
conditional upon this being fixed in our packaging, either via a fresh
Debian import or patch.

Thanks