Comment 14 for bug 1990655

Mark Esler (eslerm) wrote :

The following was written by sahnaseredini:

I reviewed http-parser 2.9.4-5 as checked into lunar. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

http-parser is a parser for http requests/responses.

- CVE History:
  - history of CVEs does not look concerning
  - only one CVE (CVE-2020-8287) which does not seem to be critical
  - The time window between the report date and committing the patch is around
    two months
- Build-Depends?
  - libc6
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - does have a test suite that runs at build time
    - test suite failures will fail the build
  - does have a non-trivial test suite that runs as autopkgtest
  - CAN YOU SUCCESSFULLY RUN THEM LOCALLY?
    - Yes
- cron jobs?
  - none
- Build logs:
  - ERRORS / WARNINGS?
    - none
  - LINTIAN FAILURES?
    - E: libhttp-parser2.9: malformed-override Unknown tag no-upstream-changelog in line 2

- Processes spawned?
  - none
- Memory management?
  - it uses `malloc` once in a standard way in c
- File IO?
  - they use `fopen` once in a standard way in c
- Logging?
  - looks careful and safe
- Environment variable usage?
  - none
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - Does not directly use the network
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none (only on tests!)
- Any significant Coverity results?
  - none
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none
- Any significant govulncheck results?
  - N/A

The package (http-parser) is currently not actively maintained.
  - [*Link to the announcement*](https://github.com/nodejs/http-parser/issues/522)
  - [*Link to the package*](https://github.com/nodejs/node/tree/fc70ce08f5818a286fb5899a1bc3aff5965a745e/deps/http_parser)
  - They recommend using [*llhttp*](https://github.com/nodejs/llhttp) and claim that it has
    a similar API and feature parity, and is well maintained and in active use!

The Security team proposes a conditional ACK for promoting http-parser to main
upon the Foundations team's acknowledgment of their commitment to assisting with
the development of security fixes, in the absence of upstream support, as
well as their responsibility to ask for demoting the package in the future
once a suitable alternative is identified and deemed feasible.