Comment 4 for bug 1814997

Alex Murray (alexmurray) wrote :

libxmlb is a recently developed and released library written in C to allow applications to perform fast XPath queries against an XML document without having to parse the entire document into memory. This is designed to only support a subset of XPath for the purposes of fwupd and other utilities. Provides a command-line xb-tool application in /usr/lib which is not intended for end-users to run.

- CVE history: no

- Build-Depends: gir1.2-glib-2.0, gobject-introspection, gtk-doc-tools, libglib2.0-dev, libgirepository1.0-dev, meson, shared-mime-info, uuid-dev
- Does not daemonize
- No use of udev
- No pre/post inst/rm scripts
- No initscripts / systemd unit files
- No DBus services
- No setuid binaries
- No binaries added to PATH
- No sudo fragments
- No udev rules
- Unit tests run during package build - these look pretty comprehensive
- No cronjobs
- Clean build logs - no warnings during build other than for missing API documentation

- No subprocesses are spawned
- Memory management looks good, no obvious issues - uses core GLib
  memory management functionality and string types etc. Care is taken on
  memory copies etc to ensure buffers are appropriately sized.
- xb-tool always sets GIO_USE_VFS to local and overwrites
  G_MESSAGES_DEBUG for logging purposes
- No privileged operations
- No cryptography
- No network connections
- Temporary files only used during unit tests
- No WebKit
- No JavaScript
- No PolicyKit
- Clean cppcheck
  - 1 false positive error for an uninitialised variable

Overall code is of high quality - also upstream has integrated support for fuzzing so likely should be pretty robust against malicious inputs from untrusted XML documents etc.

Security team ACK for promoting to main.