[MIR] http-parser, dependency of sssd

Bug #1638957 reported by Matthias Klose on 2016-11-03
Affects: http-parser (Ubuntu) | Importance: High | Assigned to: Unassigned

Bug Description

[MIR] http-parser, dependency of sssd

Matthias Klose (doko) on 2016-11-03
Changed in http-parser (Ubuntu):
assignee: nobody → Ubuntu Server Team (ubuntu-server)
importance: Undecided → High
milestone: none → ubuntu-16.11
Michael Terry (mterry) wrote :

I had some time so I took a quick look at this. But the server team should still flesh this out when they can and we'll do a fuller review.

- Needs a team bug subscriber.
- Seems unmaintained in Debian. No updates in 3 years and upstream has new releases (and repeated requests to update the package -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795492). Are we willing to pick up that slack?

Timo Aaltonen (tjaalton) wrote :

I've added sssd team as bug subscriber. Apart from the new upstream release there doesn't seem to be too much to do.

Debian is frozen now, so no transitions are possible until stretch is released. That's too late for sssd though, since 1.14.x is a dependency of freeipa 4.4 which I have prepared for 17.04.

Michael Terry (mterry) wrote :

- I'd suggest subscribing ~ubuntu-server as well.

- The tests should be run as part of build and/or as an autopkgtest. "make test" should do the trick.

- Is there not another http parser in main that we could use instead?

- I'll pass to security team for a quick opinion -- parsing untrusted web responses seems sensitive.

Changed in http-parser (Ubuntu):
assignee: Ubuntu Server Team (ubuntu-server) → Ubuntu Security Team (ubuntu-security)
Timo Aaltonen (tjaalton) wrote :

A server team admin should add the bug subscription.

Tests are already run during build. There is no other parser to use that I know of, and if there were, that would need changing sssd too.

Jon Grimm (jgrimm) wrote :

Subscription by server team added. Thanks.

Timo Aaltonen (tjaalton) on 2017-02-21
Changed in http-parser (Ubuntu):
milestone: ubuntu-16.11 → none
status: Incomplete → Confirmed
milestone: none → ubuntu-17.04
Timo Aaltonen (tjaalton) wrote :

Two months passed, what's next?

Michael Terry (mterry) wrote :

Just waiting on a security check.

Bumping the milestone to ubuntu-17.10 so it remains on people's radar.

Changed in http-parser (Ubuntu):
milestone: ubuntu-17.04 → ubuntu-17.10
Seth Arnold (seth-arnold) wrote :

I reviewed http-parser version 2.1-2 as checked into zesty. This shouldn't
be considered a full security audit but rather a quick gauge of
maintainability.

No CVEs in our database

- http-parser provides an API with callbacks to handle HTTP parsing. It
  doesn't do any networking itself, strictly protocol parsing.

- Build-Depends: debhelper, dh-exec, dpkg-dev
- Does not daemonize
- No maintainer scripts
- No initscripts
- No dbus services
- No setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- Tests are run during the build; they're ugly in the build logs but
  they're there
- No cron jobs
- Clean build logs

- No subprocesses spawned
- No memory management
- No file IO
- No logging
- No environment variables
- No networking
- No privileged sections of code
- No cryptography
- No tmp files
- No webkit
- No JS
- No PolicyKit
- Clean cppcheck

http-parser is a by-hand, character-by-character HTTP parser. HTTP is not
easy, so neither is this code, but it's remarkably clean given the
complexity involved. The state transitions are clearly labeled, error
handling appears defensive, bounds appeared to be checked.

Security team ACK for promoting http-parser to main.

Thanks

Changed in http-parser (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
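The review above characterises http-parser as a hand-written, character-by-character state machine that does no networking, no allocation and no I/O of its own, and reports results through callbacks. The block below is an added example written for this page, not http-parser's code or API: a toy HTTP/1.x response-head parser in that style, with labelled states, a callback interface that survives a header being split across two input chunks, and length checks on both the parser side (digit count, token characters, no control bytes) and the consumer side (fixed-size slots that abort rather than overflow). Every identifier (parser_execute, struct sink, demo_feed and so on) is this example's own, and the HTTP messages are constructed test input.

```c
/* Added example, not http-parser's own code or API: a minimal callback-driven,
 * byte-at-a-time HTTP/1.x response-head parser in the style the review describes:
 * labelled states, no I/O, no allocation, caller-owned buffers, lengths checked. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum state { S_VERSION, S_STATUS, S_REASON, S_REASON_CR, S_HDR_START, S_HDR_NAME,
             S_HDR_WS, S_HDR_VALUE, S_HDR_CR, S_END_LF, S_DONE, S_ERROR };

/* Callbacks get (pointer, length) slices of the caller's buffer; a field split across
 * two parser_execute() calls arrives as two fragments. A non-zero return aborts. */
typedef int (*slice_cb)(const char *at, size_t len, void *ud);
struct settings {
    int (*on_status)(int code, void *ud);
    slice_cb on_header_name, on_header_value;
    int (*on_headers_complete)(void *ud);
};
struct parser { enum state st; int pos, status, digits; void *ud; };

void parser_init(struct parser *p, void *ud) { memset(p, 0, sizeof *p); p->ud = ud; }
static int is_tchar(unsigned char c) { return c && (isalnum(c) || strchr("!#$%&'*+-.^_`|~", c)); }
static int emit(slice_cb cb, const char *from, const char *to, void *ud) { return cb ? cb(from, (size_t)(to - from), ud) : 0; }

/* Feed one chunk; returns bytes consumed. Check p->st: S_DONE = head ended (rest is body), S_ERROR = rejected. */
size_t parser_execute(struct parser *p, const struct settings *s, const char *buf, size_t len)
{
    const char *nmark = p->st == S_HDR_NAME ? buf : NULL;   /* resume a field split by the last chunk */
    const char *vmark = p->st == S_HDR_VALUE ? buf : NULL;
    size_t i;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        switch (p->st) {
        case S_VERSION:                      /* exactly "HTTP/1.<digit> ", matched by position */
            if (p->pos < 7 ? c != "HTTP/1."[p->pos] : p->pos == 7 ? !isdigit(c) : c != ' ') goto err;
            if (++p->pos == 9) p->st = S_STATUS;
            break;
        case S_STATUS:                       /* exactly three digits, then SP */
            if (isdigit(c) && p->digits < 3) { p->status = p->status * 10 + (c - '0'); p->digits++; }
            else if (c != ' ' || p->digits != 3 || (s->on_status && s->on_status(p->status, p->ud))) goto err;
            else p->st = S_REASON;
            break;
        case S_REASON:                       /* free text, but no control bytes */
            if (c == '\r') p->st = S_REASON_CR; else if (c < 0x20 && c != '\t') goto err;
            break;
        case S_REASON_CR: case S_HDR_CR:
            if (c != '\n') goto err;
            p->st = S_HDR_START;
            break;
        case S_HDR_START:
            if (c == '\r') p->st = S_END_LF;
            else if (is_tchar(c)) { nmark = buf + i; p->st = S_HDR_NAME; }
            else goto err;
            break;
        case S_HDR_NAME:                     /* token chars only, ended by ':' */
            if (c == ':') { if (emit(s->on_header_name, nmark, buf + i, p->ud)) goto err;
                            nmark = NULL; p->st = S_HDR_WS; }
            else if (!is_tchar(c)) goto err;
            break;
        case S_HDR_WS:                       /* optional SP/HTAB before the value */
            if (c == ' ' || c == '\t') break;
            vmark = buf + i; p->st = S_HDR_VALUE;   /* re-examine c as the first value byte */
            /* fall through */
        case S_HDR_VALUE:                    /* CR ends it (an immediate CR is an empty value) */
            if (c == '\r') { if (emit(s->on_header_value, vmark, buf + i, p->ud)) goto err;
                             vmark = NULL; p->st = S_HDR_CR; }
            else if (c < 0x20 && c != '\t') goto err;
            break;
        case S_END_LF:                       /* blank line: head complete, body bytes stay with the caller */
            if (c != '\n' || (s->on_headers_complete && s->on_headers_complete(p->ud))) goto err;
            p->st = S_DONE;
            return i + 1;
        case S_DONE: case S_ERROR: return i;
        }
    }
    if (nmark && emit(s->on_header_name, nmark, buf + len, p->ud)) goto err;   /* chunk ended inside */
    if (vmark && emit(s->on_header_value, vmark, buf + len, p->ud)) goto err;  /* a field: flush it */
    return len;
err: p->st = S_ERROR; return i;
}

/* Constructed consumer: collects the current header into fixed slots and aborts the parse rather than overflow. */
static struct sink { int status, headers, in_value, done; size_t nlen, vlen; char name[64], value[256]; } demo_sink;

static int append(char *dst, size_t *dlen, size_t cap, const char *at, size_t len) {
    if (len >= cap - *dlen) return 1;        /* would overflow (room for the NUL is kept): abort */
    memcpy(dst + *dlen, at, len); *dlen += len; dst[*dlen] = '\0'; return 0;
}
static int on_status(int code, void *ud) { ((struct sink *)ud)->status = code; return 0; }
static int on_name(const char *at, size_t n, void *ud) {
    struct sink *k = ud;
    if (k->in_value) { k->headers++; k->nlen = k->vlen = 0; k->in_value = 0; }  /* a new header starts */
    return append(k->name, &k->nlen, sizeof k->name, at, n);
}
static int on_value(const char *at, size_t n, void *ud) {
    struct sink *k = ud; k->in_value = 1; return append(k->value, &k->vlen, sizeof k->value, at, n);
}
static int on_done(void *ud) { struct sink *k = ud; k->headers += k->in_value; k->done = 1; return 0; }
static const struct settings demo_cb = { on_status, on_name, on_value, on_done };

/* Feed constructed chunks a then b (b may be NULL) into a fresh demo_sink; returns the final parser state. */
static size_t demo_leftover;                 /* bytes of the last chunk left unconsumed (the body) */
int demo_feed(const char *a, const char *b) {
    struct parser p; size_t n = strlen(a), used;
    memset(&demo_sink, 0, sizeof demo_sink); parser_init(&p, &demo_sink);
    used = parser_execute(&p, &demo_cb, a, n);
    if (b && p.st != S_ERROR) { n = strlen(b); used = parser_execute(&p, &demo_cb, b, n); }
    demo_leftover = n - used;
    return p.st;
}
```

Feeding "HTTP/1.1 200 OK\r\nServer: demo\r\nContent-Le" followed by "ngth: 12\r\n\r\nhello world!" ends in S_DONE with the twelve body bytes left unconsumed and the split header reassembled as Content-Length: 12; a non-digit in the status code, a space inside a header name, or a name longer than the consumer's 64-byte slot all end in S_ERROR instead of reading or writing past a buffer. This is the property the review is gauging: a parser whose states are explicit and whose every length is checked can be audited by reading each case in turn.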