Comment 3 for bug 2025912

Amir Naseredini (sahnaseredini) wrote :

I reviewed dasbus 1.7-1 as checked into lunar. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

dasbus is a DBus library written in Python.

- CVE History
  - no CVE found
- Build-Depends
  - python builtins (`os`, `threading`, and `logging`)
  - uses these two - minor bug without security impacts
    - dasbus/xml.py:from xml.etree import ElementTree
    - dasbus/xml.py:from xml.dom import minidom
- pre/post inst/rm scripts
  - autogenerated by `dh_python3`
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - none
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - it has a comprehensive set of unit tests
  - tests can be run locally and `autopkgtest` is available
- cron jobs
  - none
- Build logs
  - nothing major

- Processes spawned
  - none
- Memory management
  - none
- File IO
  - nothing significant or concerning
- Logging
  - logging is used fairly well, but sparse
- Environment variable usage
  - none
- Use of privileged functions
  - none
- Use of cryptography / random number sources etc
  - nothing concerning
- Use of temp files
  - none
- Use of networking
  - nothing concerning
- Use of WebKit
  - none
- Use of PolicyKit
  - none

- Any significant cppcheck results
  - none
- Any significant Coverity results
  - none
- Any significant shellcheck results
  - none
- Any significant bandit results
  - minor bug without security impacts
- Any significant govulncheck results
  - N/A
- Any significant Semgrep results
  - minor bug without security impacts

- The package is well-maintained by developers and issues are addressed shortly
after being created.
- There is a minor bug regarding the validation of the `xml` which does not
seem to have security implications
(https://github.com/rhinstaller/dasbus/issues/121#issue-1867395487).
- It is recommended for the owning team to consider porting `dasbus` from
`elementtree` to `defusedxml`, as `bandit` suggests.

Security team ACK for promoting dasbus to main.
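The review above recommends moving from `xml.etree` to `defusedxml`. The following is an added illustration written for this note, not dasbus code and not part of the bandit output. It shows, using only the standard library, the policy that `defusedxml.ElementTree.fromstring()` applies by default (tolerate a DOCTYPE, refuse entity declarations) and why that default matters for this package: D-Bus introspection documents legitimately start with a PUBLIC DOCTYPE, so a guard that forbids all DTDs would reject valid input, while plain `xml.etree` expands declared entities silently. The three XML samples and all function names are constructed for the example.

```python
"""Entity-expansion guard for D-Bus introspection XML.

Added example, not dasbus code. It reproduces with the standard library
only what defusedxml.ElementTree.fromstring() enforces by default: a
DOCTYPE is tolerated (D-Bus introspection data carries one), but any
entity declaration is refused before the document reaches xml.etree.
"""
import xml.parsers.expat
from xml.etree import ElementTree

# Constructed sample: a minimal, well-formed D-Bus introspection document
# of the kind dasbus/xml.py parses. The PUBLIC DOCTYPE is part of the real
# format, so a guard that forbids every DTD would reject valid replies.
INTROSPECTION = b"""<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
<node>
  <interface name="org.freedesktop.DBus.Introspectable">
    <method name="Introspect">
      <arg name="xml_data" type="s" direction="out"/>
    </method>
  </interface>
  <interface name="org.example.Test">
    <property name="Name" type="s" access="read"/>
  </interface>
</node>
"""

# Constructed sample: an entity-expansion ("billion laughs") document with
# a deliberately small factor (10 x 10 = 100 copies) so it stays harmless.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE node [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<node><interface name="&lol3;"/></node>
"""

# Constructed sample: an external entity pointing at a local file.
EXTERNAL_ENTITY = (
    b'<!DOCTYPE node [<!ENTITY x SYSTEM "file:///etc/hostname">]>'
    b"<node><interface name=\"&x;\"/></node>"
)


class EntitiesForbidden(ValueError):
    """Raised when the document declares an entity, internal or external."""


def reject_entities(data: bytes) -> None:
    """Pre-scan `data` with expat and raise on the first <!ENTITY ...>.

    External entity references need a declaration first, and expat does
    not fetch the external DTD subset unless explicitly asked to, so
    catching the declaration blocks both expansion and file/URL reads.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, *_rest):
        # Handler exceptions propagate out of parser.Parse().
        raise EntitiesForbidden(f"entity declaration {name!r} not allowed")

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)


def parse_introspection(data: bytes) -> ElementTree.Element:
    """Parse introspection XML only after the entity guard has passed."""
    reject_entities(data)
    return ElementTree.fromstring(data)


def interface_names(data: bytes) -> list[str]:
    """Names of the interfaces listed in a guarded introspection document."""
    root = parse_introspection(data)
    return [iface.get("name") for iface in root.findall("interface")]


def is_accepted(data: bytes) -> bool:
    """True if the guard lets the document through, False if it refuses it."""
    try:
        reject_entities(data)
    except EntitiesForbidden:
        return False
    return True


def unguarded_name_length(data: bytes) -> int:
    """What plain xml.etree does with the same input: it expands the
    entities silently, so the 6-byte source "&lol3;" becomes 300 bytes."""
    root = ElementTree.fromstring(data)
    return len(root.find("interface").get("name"))


if __name__ == "__main__":
    print(interface_names(INTROSPECTION))
    print("unguarded expansion:", unguarded_name_length(BILLION_LAUGHS))
    print("guard accepts billion laughs:", is_accepted(BILLION_LAUGHS))
    print("guard accepts external entity:", is_accepted(EXTERNAL_ENTITY))
```

The pre-scan parses the document twice; `defusedxml` avoids that by installing the same expat handler inside the parser that `ElementTree` uses, which is why the recommended port is simply replacing `xml.etree.ElementTree.fromstring` with `defusedxml.ElementTree.fromstring`. Keep `forbid_dtd` at its default of `False` for introspection data, since the freedesktop DOCTYPE is expected there.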