- Processes spawned?
- None
- Memory management?
- Complicated by changing compile-time malloc vs stack into runtime; it
seemed okay but it's C.
- File IO?
- No file writing; file reading under control of the library user.
- Logging?
- None
- Environment variable usage?
- None
- Use of privileged functions?
- None
- Use of cryptography / random number sources etc?
- None
- Use of temp files?
- None
- Use of networking?
- None
- Use of WebKit?
- None
- Use of PolicyKit?
- None
- Any significant cppcheck results?
- None
- Any significant Coverity results?
- One small warning https://github.com/benhoyt/inih/issues/127
- Any significant shellcheck results?
- None
- Any significant bandit results?
- None
There's an error when a strncpy() was replaced with a memcpy(). Thankfully
there is already a fix upstream:
This may or may not really justify a CVE: usually ini files are supplied
by administrators or people who otherwise want the software to work.
In any event, I'd like our packages fixed before we promote this package
to main. So, security team PROVISIONAL ACK on promoting libinih to main,
conditional upon this being fixed in our packaging, either via a fresh
Debian import or patch.
I reviewed libinih 50-1 as checked into hirsute. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
libinih is a simple ini file parser for C and C++.
- CVE History:
- there's no cves in our database
- Build-Depends: debhelper-compat, meson
- pre/post inst/rm scripts?
- None
- init scripts?
- None
- systemd units?
- None
- dbus services?
- None
- setuid binaries?
- None
- binaries in PATH?
- None
- sudo fragments?
- None
- polkit files?
- None
- udev rules?
- None
- unit tests / autopkgtests?
- Small test suite appears to be run both during the build and during
autopkgtest
- cron jobs?
- None
- Build logs:
- Clean build logs, lintian warnings are out of date:
W: libinih source: debhelper- compat- file-is- missing uses-deprecated -debhelper- compat- version 1 uses-debhelper- but-lacks- build-depends build-dependenc y debhelper -version 4.5.0 (current is 4.1.4)
W: libinih source: package-
E: libinih source: package-
E: libinih source: missing-
W: libinih source: newer-standards
- Processes spawned?
- None
- Memory management?
- Complicated by changing compile-time malloc vs stack into runtime; it
seemed okay but it's C.
- File IO?
- No file writing; file reading under control of the library user.
- Logging?
- None
- Environment variable usage?
- None
- Use of privileged functions?
- None
- Use of cryptography / random number sources etc?
- None
- Use of temp files?
- None
- Use of networking?
- None
- Use of WebKit?
- None
- Use of PolicyKit?
- None
- Any significant cppcheck results? /github. com/benhoyt/ inih/issues/ 127
- None
- Any significant Coverity results?
- One small warning https:/
- Any significant shellcheck results?
- None
- Any significant bandit results?
- None
There's an error when a strncpy() was replaced with a memcpy(). Thankfully
there is already a fix upstream:
https:/ /github. com/benhoyt/ inih/commit/ d7f465792c0c768 6b50ed45c9a4353 94ae418d3e# diff-bf9ac2185b cd8a2bc7227af48 d0b5da96acee30f 6c6a7ba75173c84 ce6f2e2c9
This may or may not really justify a CVE: usually ini files are supplied
by administrators or people who otherwise want the software to work.
In any event, I'd like our packages fixed before we promote this package
to main. So, security team PROVISIONAL ACK on promoting libinih to main,
conditional upon this being fixed in our packaging, either via a fresh
Debian import or patch.
Thanks