I reviewed libfido2 1.3.1-1build1 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
libfido2 is a library used for communicating with FIDO U2F and FIDO 2.0
devices over USB, and for verifying associated attestation and assertion
signatures.

- CVE History:
  - No history of CVEs
- Build-Depends
  - libcbor-dev, libssl-dev, libudev-dev
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/fido2-assert
  - /usr/bin/fido2-cred
  - /usr/bin/fido2-token
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - No autopkgtests
  - It looks like some tests are present in the source package in the
    regress/ directory but are not run during build
    - These should be run during the normal build process or at least run
      as autopkgtests
- No cron jobs
- Build logs are generally clean
  - One minor lintian fail:
    W: libfido2-doc: manpage-has-errors-from-man
    usr/share/man/man3/fido_bio_template.3.gz 41: warning [p 1, 6.8i]: can't
    break line
- No Processes spawned
- Fair amount of dynamic memory management but all look quite defensive and
  correct
- File IO
  - Opens hid input devices; these are enumerated via udev so file paths
    are sane
- Logging is careful; there don't appear to be any lurking format string vulns
- No Environment variable usage
- Use of privileged functions
  - 2 uses of ioctl() on hid devices to read the hidraw report descriptor
    size, and then to read the actual report descriptor itself
- Use of cryptography / random number sources etc
  - Uses openssl to parse public key from X509 certificates in the public
    functions fido_cred_verify() etc
- No use of temp files
- No use of networking
- No use of WebKit
- No use of PolicyKit
- No cppcheck errors / warnings
- Unknown Coverity results
  - Currently waiting to perform Coverity analysis
- No significant shellcheck results
  - Only in the fuzz test and functional test driver code
- licensecheck notes that a lot of the code does not contain known license
  markers (however all seem to state that it is covered by a BSD-style license
  defined in the LICENSE file)

libfido2 appears quite well written and defensive, and includes a fuzz and
regression test framework which provide confidence that it is likely to
have no low-hanging security bugs and that it would be possible to perform
tests when doing security updates in the future. If possible, it would be
best if these tests could be run during the build or as autopkgtests.
Security team ACK for promoting libfido2 to main once some
autopkgtests are added if possible to run the regression tests
or some similar tests.
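The review's "use of privileged functions" item notes two ioctl() calls on hidraw devices: one for the report descriptor size, one for the descriptor itself. The following is an added example (written for this page, not code from libfido2 or the Ubuntu package) showing that sequence done defensively: the kernel-reported size is range-checked before it is used to fill the fixed-size hidraw_report_descriptor buffer, and the descriptor is then walked with bounds checks to decide whether the device is a FIDO authenticator (Usage Page 0xF1D0, the FIDO Alliance page from the CTAP HID specification). HIDIOCGRDESCSIZE, HIDIOCGRDESC and HID_MAX_DESCRIPTOR_SIZE are the real Linux hidraw interface; the sample descriptors and the helper names hidraw_read_descriptor() and hid_descriptor_is_fido() are constructed for the example.

```c
/*
 * Added example: read a hidraw report descriptor with the two ioctl()
 * calls mentioned in the review, then check it belongs to a FIDO device.
 * Not libfido2 code; helper names and sample descriptors are constructed.
 */
#include <fcntl.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/ioctl.h>
#include <linux/hidraw.h>   /* HIDIOCGRDESCSIZE, HIDIOCGRDESC, HID_MAX_DESCRIPTOR_SIZE */
#endif

#define FIDO_USAGE_PAGE 0xF1D0u  /* FIDO Alliance usage page (CTAP HID spec) */

/* Constructed sample: the CTAP HID descriptor shape from the spec. */
static const uint8_t sample_fido_desc[] = {
    0x06, 0xD0, 0xF1,        /* Usage Page (FIDO Alliance)  */
    0x09, 0x01,              /* Usage (CTAPHID)             */
    0xA1, 0x01,              /* Collection (Application)    */
    0x09, 0x20,              /* Usage (Input Report Data)   */
    0x15, 0x00,              /* Logical Minimum (0)         */
    0x26, 0xFF, 0x00,        /* Logical Maximum (255)       */
    0x75, 0x08,              /* Report Size (8)             */
    0x95, 0x40,              /* Report Count (64)           */
    0x81, 0x02,              /* Input (Data, Var, Abs)      */
    0x09, 0x21,              /* Usage (Output Report Data)  */
    0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40,
    0x91, 0x02,              /* Output (Data, Var, Abs)     */
    0xC0                     /* End Collection              */
};
/* Constructed sample: start of an ordinary keyboard descriptor. */
static const uint8_t sample_keyboard_desc[] = {
    0x05, 0x01, 0x09, 0x06, 0xA1, 0x01, 0xC0
};
/* Constructed sample: item claims 2 data bytes but only 1 is present. */
static const uint8_t sample_truncated_desc[] = { 0x06, 0xD0 };

/*
 * Walk the descriptor's items and return true if a Usage Page item with
 * value 0xF1D0 is present. Every item length is checked against the
 * remaining buffer, so a truncated or malformed descriptor yields false
 * instead of an out-of-bounds read.
 */
bool hid_descriptor_is_fido(const uint8_t *desc, size_t len)
{
    static const size_t size_map[4] = { 0, 1, 2, 4 };  /* bSize encoding */
    size_t i = 0;

    while (i < len) {
        uint8_t prefix = desc[i++];
        size_t dlen;

        if (prefix == 0xFE) {            /* long item: bDataSize, bLongItemTag, data */
            if (i >= len)
                return false;
            dlen = (size_t)desc[i] + 2;
            if (dlen > len - i)
                return false;
            i += dlen;
            continue;
        }
        dlen = size_map[prefix & 0x03];
        if (dlen > len - i)
            return false;                /* truncated short item */
        if ((prefix & 0xFC) == 0x04) {   /* global item (type 1), tag 0: Usage Page */
            uint32_t page = 0;
            for (size_t k = 0; k < dlen; k++)
                page |= (uint32_t)desc[i + k] << (8 * k);   /* little-endian */
            if (page == FIDO_USAGE_PAGE)
                return true;
        }
        i += dlen;
    }
    return false;
}

#ifdef __linux__
/*
 * Read the raw report descriptor from an opened hidraw fd: HIDIOCGRDESCSIZE
 * for the length, then HIDIOCGRDESC for the bytes. Returns the descriptor
 * length, or -1 on ioctl failure or an out-of-range size.
 */
int hidraw_read_descriptor(int fd, struct hidraw_report_descriptor *out)
{
    int size = 0;

    if (ioctl(fd, HIDIOCGRDESCSIZE, &size) == -1)
        return -1;
    if (size <= 0 || size > HID_MAX_DESCRIPTOR_SIZE)
        return -1;                       /* do not trust the reported size blindly */
    memset(out, 0, sizeof(*out));
    out->size = (uint32_t)size;          /* tells the kernel how much to copy */
    if (ioctl(fd, HIDIOCGRDESC, out) == -1)
        return -1;
    return size;
}
#endif

int main(int argc, char **argv)
{
#ifdef __linux__
    if (argc != 2) {
        fprintf(stderr, "usage: %s /dev/hidrawN\n", argv[0]);
        return 2;
    }
    int fd = open(argv[1], O_RDONLY);
    if (fd == -1) { perror("open"); return 1; }
    struct hidraw_report_descriptor rd;
    int n = hidraw_read_descriptor(fd, &rd);
    if (n < 0) { perror("ioctl"); close(fd); return 1; }
    close(fd);
    printf("%s: %d-byte descriptor, FIDO device: %s\n", argv[1], n,
           hid_descriptor_is_fido(rd.value, (size_t)n) ? "yes" : "no");
    return 0;
#else
    (void)argc; (void)argv;
    fputs("hidraw ioctls are Linux-only\n", stderr);
    return 2;
#endif
}
```

Run as `./hidcheck /dev/hidraw0` on a Linux host (read access to the hidraw node is needed, which is what the udev enumeration mentioned above governs). The size check before the second ioctl is the point of the example: the kernel structure has a fixed 4096-byte buffer, so a size outside 1..HID_MAX_DESCRIPTOR_SIZE is rejected rather than passed through.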