I reviewed jigit 1.22-3ubuntu1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
jigit is a package of utilities to make working with jigdo files easier. jigdo files break large file, like a DVD ISO, into smaller constituent files.
- no CVE history
- build-depends on debhelper, zlib1g-dev, libbz2-dev, libio-compress-perl
- no pre/post inst/rm scripts, init scripts, systemd units, dbus services, setuid binaries, sudo fragments, polkit files, udev rules, cron jobs, WebKit, PolicyKit, nor privileged functions.
- binaries:
- /usr/bin/jigdo-gen-checksum-list
- /usr/bin/jigdump
- /usr/bin/jigit-mkimage
- /usr/bin/jigsum
- /usr/bin/jigsum-sha256
- /usr/bin/parallel-sums
- /usr/sbin/mkjigsnap
- autopkgtest proposed https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012621
- Build logs:
- 3x "warning: ignoring return value of ‘fread’" in mkimage.c and uncompress.c
- Processes spawned:
- in ./iso-image.pl:89, ./iso-image.pl:110, ./libjte/jte.c:189, ./libjte/jte.c:237, ./libjte/checksum.c:679
- filename path in checksum.c main() is not checked or sanitized and can buffer overflow before system(buf)
- Memory management / File IO / Logging
- many files manage memory, IO, and logging
- user defined file paths are not sanitized (e.g., mkimage.c)
- memory is not being freed
- see ccpcheck and coverity results
- Environment variable usage
- only in build files
- Use of cryptography:
- no -- only checksums
- Use of temp files:
- no -- only in build scripts and documentation/comments
- Use of networking?
- only in, non-installed, helper script `./jigit`
- Significant cppcheck results:
- extract-data.c:46:9: error: Resource leak: in_file [resourceLeak]
- libjte/jte.c:649:9: error: Memory leak: checksum [memleak]
- libjte/test/demo.c:213:9: error: Resource leak: fp_out [resourceLeak]
- uncompress.c:157:9: error: Memory leak: comp_buf [memleak]
- uncompress.c:165:9: error: Memory leak: comp_buf [memleak]
- mkimage.c:1258:7: error: Used file that is not opened. [useClosedFile]
- mkimage.c:1013:5: error: Common realloc mistake: 'buf' nulled but not freed upon failure [memleakOnRealloc]
- Significant code-c.txt:
- unsafe input mechanisms ./mkimage.c:(602|620|630): ret = gzgets(file, buf, sizeof(buf));
- Significant Coverity results:
- many Resource Leak (CWE-404) reports (mostly leaked storage)
- many Uninitialized Scalar Variable (CWE-457) reports
- many Unchecked return value from library (CWE-252) reports
- other reports not mentioned here
- Significant shellcheck results:
- helper shell script `./jigit` feels dubious, but does not install
- defaults to download config from private repository
- many ShellCheck warnings
- libjte/bin/jigdo-gen-checksum-list:139:17: warning: For loops over find output are fragile. Use find -exec or a while read loop. [SC2044]
- Other
- Maintainer is actively involved in FOSS and Debian \o/
- Most code written ~17 and ~11.5 years ago
- several "TODO" comments in libjte.c and checksum.c
- parse_data_block() is defined in mkimage.c and jigdump.c
- read_data_block() is defined in uncompress.c and jigdo.c (no aparent relation)
jigit is a useful set of tools for distributing large files however I don't think jigit is sufficiently paranoid for wide use. jigit should only be ran on controlled environments on controlled, known safe, input.
I reviewed jigit 1.22-3ubuntu1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
jigit is a package of utilities to make working with jigdo files easier. jigdo files break large file, like a DVD ISO, into smaller constituent files.
- no CVE history jigdo-gen- checksum- list jigit-mkimage jigsum- sha256 parallel- sums /bugs.debian. org/cgi- bin/bugreport. cgi?bug= 1012621 checksum. c:679 comments data.c: 46:9: error: Resource leak: in_file [resourceLeak] test/demo. c:213:9: error: Resource leak: fp_out [resourceLeak] c:(602| 620|630) : ret = gzgets(file, buf, sizeof(buf)); bin/jigdo- gen-checksum- list:139: 17: warning: For loops over find output are fragile. Use find -exec or a while read loop. [SC2044]
- build-depends on debhelper, zlib1g-dev, libbz2-dev, libio-compress-perl
- no pre/post inst/rm scripts, init scripts, systemd units, dbus services, setuid binaries, sudo fragments, polkit files, udev rules, cron jobs, WebKit, PolicyKit, nor privileged functions.
- binaries:
- /usr/bin/
- /usr/bin/jigdump
- /usr/bin/
- /usr/bin/jigsum
- /usr/bin/
- /usr/bin/
- /usr/sbin/mkjigsnap
- autopkgtest proposed https:/
- Build logs:
- 3x "warning: ignoring return value of ‘fread’" in mkimage.c and uncompress.c
- Processes spawned:
- in ./iso-image.pl:89, ./iso-image.pl:110, ./libjte/jte.c:189, ./libjte/jte.c:237, ./libjte/
- filename path in checksum.c main() is not checked or sanitized and can buffer overflow before system(buf)
- Memory management / File IO / Logging
- many files manage memory, IO, and logging
- user defined file paths are not sanitized (e.g., mkimage.c)
- memory is not being freed
- see ccpcheck and coverity results
- Environment variable usage
- only in build files
- Use of cryptography:
- no -- only checksums
- Use of temp files:
- no -- only in build scripts and documentation/
- Use of networking?
- only in, non-installed, helper script `./jigit`
- Significant cppcheck results:
- extract-
- libjte/jte.c:649:9: error: Memory leak: checksum [memleak]
- libjte/
- uncompress.c:157:9: error: Memory leak: comp_buf [memleak]
- uncompress.c:165:9: error: Memory leak: comp_buf [memleak]
- mkimage.c:1258:7: error: Used file that is not opened. [useClosedFile]
- mkimage.c:1013:5: error: Common realloc mistake: 'buf' nulled but not freed upon failure [memleakOnRealloc]
- Significant code-c.txt:
- unsafe input mechanisms ./mkimage.
- Significant Coverity results:
- many Resource Leak (CWE-404) reports (mostly leaked storage)
- many Uninitialized Scalar Variable (CWE-457) reports
- many Unchecked return value from library (CWE-252) reports
- other reports not mentioned here
- Significant shellcheck results:
- helper shell script `./jigit` feels dubious, but does not install
- defaults to download config from private repository
- many ShellCheck warnings
- libjte/
- Other
- Maintainer is actively involved in FOSS and Debian \o/
- Most code written ~17 and ~11.5 years ago
- several "TODO" comments in libjte.c and checksum.c
- parse_data_block() is defined in mkimage.c and jigdump.c
- read_data_block() is defined in uncompress.c and jigdo.c (no aparent relation)
jigit is a useful set of tools for distributing large files however I don't think jigit is sufficiently paranoid for wide use. jigit should only be ran on controlled environments on controlled, known safe, input.
Security team NACK for promoting jigit to main.