Comment 15 for bug 1861268

Eduardo Barretto (ebarretto) wrote : security audit

I reviewed jeepney 0.4.3-1 as checked into groovy. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

jeepney is a pure Python D-Bus interface. D-Bus is an inter-process
communication system.

In its README file, the jeepney maintainer mentions:
"This project is experimental, and there are a
number of more mature Python DBus bindings."

The mature options that the maintainer mentions don't seem to be as
maintained as jeepney.

- No CVE History
- Build-Depends:
  - python3-all
  - python3-pytest
  - python3-sphinx
  - python3-sphinx-rtd-theme
  - python3-testpath
- prerm and postinst scripts automatically created
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - the source code comes with some tests that can be run with pytest.
  - autopkgtests are also available for this package
- No cron jobs
- Build logs:
  - No relevant errors or warnings

- Processes spawned
  - Only in test code
- No memory management
- File IO
  - Opens and writes a .py output file when using bindgen to auto-generate
    DBus bindings. The path argument to bindgen is actually a DBus path and
    not a filesystem path.
  - There's not much handling of the output file; you can specify a path.
  - Bindgen is a tool and not used anywhere else in the code.
- No logging
- No environment variable usage
- No use of privileged functions
- No use of cryptography / random number sources
- Use of temp files only in test code
- Use of networking
  - Uses sockets to connect to DBus when using tornado, asyncio or blocking I/O.
  - Looks safe
- No use of WebKit
- No use of PolicyKit

- Coverity only found issues in JavaScript code from the generated documentation
- Bandit found the following issues:
  - B405: import_xml_etree - LOW
  - B314: xml.etree.ElementTree.fromstring - MEDIUM
  - B101: assert_used - LOW
  - B105: hardcoded_password_string - LOW -> false positive
  - There are plenty of other LOW issues on test code that we are not analysing
  - Those issues are low enough to allow this MIR to continue

Although the maintainer still considers it experimental, it is a good test
to have it on a non-LTS Ubuntu as dbus-python is obsolete.
Keep in mind that jeepney has some limitations:
https://jeepney.readthedocs.io/en/latest/limitations.html

Security team ACK for promoting jeepney to main.
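As an added example (not jeepney's code and not part of the comment above), a stdlib-only parser that addresses what the B314 finding warns about: it refuses inline entity declarations and external entity references, while still accepting the external DOCTYPE that D-Bus introspection XML carries per the D-Bus specification. The sample XML documents are constructed, and `interface_names` is a hypothetical helper standing in for what a bindings generator would read.

```python
# Added example, not jeepney's code: a replacement for xml.etree fromstring()
# that rejects the DTD features behind Bandit's B314 warning.
from xml.parsers import expat
import xml.etree.ElementTree as ET


class DTDForbidden(ValueError):
    """Raised when the input declares entities or an internal DTD subset."""


def parse_xml_no_entities(text: str) -> ET.Element:
    """Parse like ET.fromstring, but refuse any internal DTD subset,
    entity declaration or external entity reference."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # An external DOCTYPE reference (as in D-Bus introspection data) is
        # allowed; expat does not fetch it unless explicitly told to.
        # An inline subset could declare entities, so it is refused.
        if has_internal_subset:
            raise DTDForbidden("internal DTD subset not allowed")

    def forbid(*_args):
        raise DTDForbidden("entity declarations/references not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = forbid
    parser.UnparsedEntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.StartElementHandler = builder.start   # (tag, attrs dict)
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(text, True)
    return builder.close()


def interface_names(text: str) -> list:
    """Hypothetical helper: names of <interface> elements in introspection XML."""
    return [el.get("name") for el in parse_xml_no_entities(text).iter("interface")]


def rejects_entities(text: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_xml_no_entities(text)
    except DTDForbidden:
        return True
    return False


# Constructed sample shaped like D-Bus introspection output (not real bus data).
INTROSPECTION_XML = """<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
<node><interface name="org.example.Demo"><method name="Ping"/></interface></node>"""
# Constructed input with an inline entity declaration, which ET.fromstring would expand.
ENTITY_XML = '<!DOCTYPE node [<!ENTITY e "x">]><node><interface name="&e;"/></node>'
```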