Comment 16 for bug 1864439

Alex Murray (alexmurray) wrote:

I reviewed libfido2 1.3.1-1build1 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

libfido2 is a library used for communicating with FIDO U2F and FIDO 2.0
devices over USB, and for verifying associated attestation and assertion
signatures.

- CVE History:
  - No history of CVEs
- Build-Depends
  - libcbor-dev, libssl-dev, libudev-dev
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- Binaries in PATH
  - /usr/bin/fido2-assert
  - /usr/bin/fido2-cred
  - /usr/bin/fido2-token
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - No autopkgtests
  - It looks like some tests are present in the source package in the
    regress/ directory but are not run during build
    - These should be run during the normal build process or at least run
      as autopkgtests
- No cron jobs
- Build logs are generally clean
  - One minor lintian fail:
    W: libfido2-doc: manpage-has-errors-from-man
    usr/share/man/man3/fido_bio_template.3.gz 41: warning [p 1, 6.8i]: can't
    break line

- No Processes spawned
- Fair amount of dynamic memory management, but it all looks quite defensive
  and correct
- File IO
  - Opens HID input devices; these are enumerated via udev, so file paths
    are sane
- Logging is careful; there don't appear to be any lurking format string vulns
- No Environment variable usage
- Use of privileged functions
  - Two uses of ioctl() on HID devices: to read the hidraw report descriptor
    size, and then to read the actual report descriptor itself
- Use of cryptography / random number sources etc
  - Uses OpenSSL to parse the public key from X.509 certificates in the
    public functions fido_cred_verify() etc.
- No use of temp files
- No use of networking
- No use of WebKit
- No use of PolicyKit

- No cppcheck errors / warnings
- Unknown Coverity results
  - Currently waiting to perform Coverity analysis
- No significant shellcheck results
  - Only in the fuzz test and functional test driver code
- licensecheck notes that a lot of the code does not contain known license
  markers (however, all seem to state that it is covered by a BSD-style
  license defined in the LICENSE file)

libfido2 appears quite well written and defensive, and includes a fuzz and
regression test framework which provides confidence that it is likely to
have no low-hanging security bugs and that it would be possible to perform
tests when doing security updates in the future. If possible, it would be
best if these tests could be run during the build or as autopkgtests.

Security team ACK for promoting libfido2 to main once some
autopkgtests are added, if possible, to run the regression tests
or some similar tests.