libxmlb is a recently developed and released library written in C to allow applications to perform fast XPath queries against an XML document without having to parse the entire document into memory. This is designed to only support a subset of XPath for the purposes of fwupd and other utilities. Provides a command-line xb-tool application in /usr/lib which is not intended for end-users to run.
- CVE history: no
- Build-Depends: gir1.2-glib-2.0, gobject-introspection, gtk-doc-tools, libglib2.0-dev, libgirepository1.0-dev, meson, shared-mime-info, uuid-dev
- Does not daemonize
- No use of udev
- No pre/post inst/rm scripts
- No initscripts / systemd unit files
- No DBus services
- No setuid binaries
- No binaries added to PATH
- No sudo fragments
- No udev rules
- Unit tests run during package build - these look pretty comprehensive
- No cronjobs
- Clean build logs - no warnings during build other than for missing API documentation
- No subprocesses are spawned
- Memory management looks good, no obvious issues - uses core GLib memory management functionality and string types etc. Care is taken on memory copies etc to ensure buffers are appropriately sized.
- xb-tool always sets GIO_USE_VFS to local and overwrites G_MESSAGES_DEBUG for logging purposes
- No privileged operations
- No cryptography
- No network connections
- Temporary files only used during unit tests
- No WebKit
- No JavaScript
- No PolicyKit
- Clean cppcheck
- 1 false positive error for an uninitialised variable
Overall code is of high quality - also upstream has integrated support for fuzzing so likely should be pretty robust against malicious inputs from untrusted XML documents etc.
Security team ACK for promoting to main.