© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
I reviewed version 198-0ubuntu0ppa2 from pitti's PPA.
I confined my review primarily to src/logind/ and src/udevd/ directories,
as these are the largest of the components we intend to use. This should
not be considered a full security audit, but rather a quick and dirty
gauge of code cleanliness.
- No cron jobs, fscaps, sudo
- Several initscripts
- Provides dbus services
- Limited use of setuid(2) looked safe
- Some executables not PIE
- All executables use stack protection, fortify, relro, bind_now
- Minimal tests; extensive global state would be difficult to test
- Daemons initialize carefully
- Many libtool warnings
- Many dpkg-shlibdeps warnings
- Memory allocations check for failure
- Error codes are returned, checked
- String manipulation uses good utility routines
- Crypto used only in un-audited portions
I did not verify if the package provides needed functionality.
Since this is a fairly specialized sort of package, I'm not too surprised
about e.g. libtool and dpkg-shlibdeps warnings. However, they would make
it more difficult to spot warnings in the future. Please consider spending
some time to reduce the warning count.
ACK for the proposed selective inclusion into main.