Comment 6 for bug 1963707

Mark Esler (eslerm) wrote :

I reviewed libqrtr-glib 1.2.2-1ubuntu1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability. I do not have a Qualcomm modem to test this package with.

> libqrtr-glib is a glib-based library to use and manage the QRTR (Qualcomm IPC Router) bus.

- CVE History:
  - none
- build-depends
  - primarily glib2 and linux/qrtr
  - linux-vdso.so.1
  - libglib-2.0.so.0
  - libgio-2.0.so.0
  - libgobject-2.0.so.0
  - libc.so.6
  - libpcre.so.3
  - libm.so.6
  - libgmodule-2.0.so.0
  - libz.so.1
  - libmount.so.1
  - libselinux.so.1
  - libffi.so.8
  - ld-linux-x86-64.so.2
  - libblkid.so.1
  - libpcre2-8.so.0
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - basic build test
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011354
  - see MIR teams testing requirements
- cron jobs?
  - none
- build logs:
  - no build errors or warnings
  - no lintian errors or warnings

- processes spawned?
  - none
- memory management?
  - looks sane
  - no direct use of memory copy functions
- file IO?
  - none
- logging?
  - only debug and error messages using gio
- environment variable usage?
  - none
- use of privileged functions?
  - none
- use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - qrtr-bus.c and qrtr-client.c make heavy use of sockets and gsocket
  - many safety checks--e.g., message lengths and types
- use of WebKit?
  - none
- use of PolicyKit?
  - none

- significant cppcheck results?
  - none
- significant Coverity results?
  - none
  - two false positive resource leaks
    - fd handled by gio's g_socket_new_from_fd
- significant shellcheck results?
  - none
- significant bandit results?
  - none

For security to do updates, the owning team needs to make a firm commitment to testing.

Security team ACK for promoting libqrtr-glib to main.