I reviewed libmldbm-perl 2.05-3 as checked into kinetic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
> MLDBM store multi-level Perl hash structure in single level tied hash
- CVE History:
  - ancient leak circa 1999
  - https://github.com/perl/perl5/issues/80
- Build-Depends?
  - Data::Dumper perl module 2.08
  - 2.08 is a very old version
  - some Data::Dumper updates are security related
  - https://metacpan.org/dist/Data-Dumper/changes
  - nb: package also provides MLDBM::Serializer::Data::Dumper
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - has build tests and autopkgtests
- cron jobs?
  - none
- Build logs:
  - looks clean
- Processes spawned?
  - concerning eval in ./lib/MLDBM/Serializer/Data/Dumper.pm
  - values missing a magic key string are returned before eval +1
- Memory management?
  - none
- File IO?
  - none, besides build
- Logging?
  - yes, via carp
- Environment variable usage?
  - none
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - none / not applicable
- Any significant Coverity results?
  - none / not applicable
- Any significant shellcheck results?
  - none / not applicable
- Any significant bandit results?
  - none / not applicable
- Any significant perlcritic?
  - none
Code is possibly unmaintained. Code was written 10 years ago. A travis file was
added 8 years ago. There has never been an issue or pull request on GitHub. https://github.com/chorny/MLDBM
See Warnings section of mldbm(3): https://manpages.ubuntu.com/manpages/kinetic/en/man3/MLDBM.3pm.html#warnings
Security team ACK for promoting libmldbm-perl to main.