MIR: libgit2, http-parser
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| http-parser (Ubuntu) | Fix Released | High | Unassigned | |
| libgit2 (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
[Availability]
The packages libgit2 and http-parser are already in Ubuntu universe.
They both build for the architectures they are designed to work on.
They currently build and work for architectures: amd64 arm64 armhf i386 s390x ppc64el riscv64
Link to packages:
* [[https:/
* [[https:/
[Rationale]
libgit2 is needed in main as dependencies of src:cargo, and http-parser is a
dependency of libgit2. cargo will be the subject of a separate MIR. Given that
there are several non-trivial dependencies for cargo, I figured splitting them
up in multiple MIRs would make it easier.
Cargo itself will be MIRed as part of the effort to support Rust as a build language for
packages in main.
It would be great and useful to community/processes to have the packages
libgit2 and http-parser in Ubuntu main, but there is no definitive deadline.
In particular, they must not be promoted unless src:cargo enters the archive.
[Security]
The http-parser package originated as part of the nodejs project. Because of that,
while there is no CVE registered for http-parser itself, the following CVEs were found
to affect the http-parser code. Sadly, it's usually not obvious which the issue, only the release itself.
* https:/
* https:/
* https:/
* https:/
* https:/
* https:/
libgit2 is easier to analyze from a security history PoV, with a dedicated page to list their various security releases: https:/
Here are the CVEs that affected libgit2:
* https:/
* https:/
* https:/
* https:/
* https:/
* https:/
* https:/
* https:/
* https:/
Please note that there are multiple items mentioned on the upstream security page that do not have an associated CVE.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Packages do not install services, timers or recurring jobs
- Packages do not open privileged ports (ports < 1024)
- Packages do not contain extensions to security-sensitive software
[Quality assurance - function/usage]
As libraries, the packages work well after installation (both the -dev and actual binaries)
[Quality assurance - maintenance]
libgit2 is reasonably well-maintained in Debian, and has a proficient upstream community backed by multiple companies.
Bug lists:
- Ubuntu https:/
- Debian https:/
There's only one relevant important bug in Debian for it:
https:/
http-parser is much more problematic. The package is supported in Debian, see
- Ubuntu https:/
- Debian https:/
with the only outstanding important bug being
https:/
which is in fact not an issue for http-parser as a library, as the application level
has all the necessary APIs to modify the debated value. The CVE was only valid for
the particular case of nodejs.
However, the package has recently been explicitly declared unmaintained upstream.
The Foundations team is aware of this fact, and we have concluded internally that,
assuming Security team assent, we would take charge of the maintenance of the library
as long as it's needed by libgit2.
None of those packages deal with exotic hardware we cannot support.
[Quality assurance - testing]
Both packages have non-trivial test suites run at build-time such that their failure
entails build failure.
https:/
https:/
RULE: - The package should, but is not required to, also contain
RULE: non-trivial autopkgtest(s).
libgit2 has only one autopkgtest which is relatively trivial (build against libgit2 and call one trivial function)
http-parser has only one autopkgtest that runs the package testsuite against the installed library.
Both packages only have failing tests on i386, which are being investigated
(failing due to i386 only being a partial architecture).
[Quality assurance - packaging]
Both packages have watchfiles, but the libgit2 one doesn't seem to work anymore (ongoing investigation)
- debian/control defines a correct Maintainer field
You'll find recent build logs there:
https:/
https:/
Lintian overrides are present in http-parser regarding the lack of upstream
changelog, but are now erroneous.
libgit2 defines one override, debian-
None of these packages depend on obsolete packages.
The packages will not be installed by default
Packaging and build are easy:
https:/
https:/
[UI standards]
- The packages are not end-user facing (no translation needed)
- No desktop file is shipped; none is needed because they are libraries.
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- These packages correctly follow the FHS and Debian Policy
[Maintenance/Owner]
- Foundations team is already subscribed to the packages
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The packages successfully built during the most recent test rebuild
[Background information]
The package descriptions explain the packages well
Upstream Name is libgit2, see https:/
http-parser used to be a nodejs project, now declared unmaintained,
see https:/
Changed in libgit2 (Ubuntu):
assignee: nobody → Didier Roche-Tolomelli (didrocks)
Changed in http-parser (Ubuntu):
assignee: nobody → Ioanna Alifieraki (joalif)
Changed in http-parser (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in libgit2 (Ubuntu):
assignee: nobody → Didier Roche-Tolomelli (didrocks)
tags: added: sec-1323
Changed in libgit2 (Ubuntu):
status: Incomplete → New
Changed in http-parser (Ubuntu):
status: Incomplete → New
tags: added: foundations-todo
Changed in libgit2 (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → David Fernandez Gonzalez (litios)
tags: removed: foundations-todo
Here are the http-parser lintian logs