[MIR] libxmlb

Bug #1814997 reported by Mario Limonciello on 2019-02-07
Affects: libxmlb (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

Rationale:
libxmlb is both a build and runtime dependency for fwupd 1.2.x and later.
It is also a dependency for newer versions of gnome-software and may eventually be a dependency of appstream.

Quality assurance:
No configuration needed
No debconf questions
No long term outstanding bugs
No known major bugs in Debian, Ubuntu or upstream tracker.
Maintained in Debian by EFI team
Runs test suite during build
Uses debian/watch

Standards:
Should be compatible with policy 4.3.0

Maintenance:
Should be set to Ubuntu foundations
However expected to be synced regularly

Security:
No CVEs
No services
No ports open
No executables in /sbin /usr/sbin
No suid or sgid

summary: - [MIR] Promote libxmlb to main
+ [MIR] libxmlb

MIR looks fine to me; it's a lot of code though, so I'd feel much better if it had more eyes to review it. Assigning to the Security Team for a look.

It's also missing a team subscriber, but we'll fix that now.

Changed in libxmlb (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
status: New → Triaged

amano (jyaku) wrote :

I think that it already blocks the GNOME-software transition to 3.31.90.

Mario Limonciello (superm1) wrote :

Also it's blocking fwupd 1.2.x transition.

Jeremy Bicha (jbicha) on 2019-02-25
tags: added: disco

Alex Murray (alexmurray) wrote :

libxmlb is a recently developed and released library written in C to allow applications to perform fast XPath queries against an XML document without having to parse the entire document into memory. It is designed to only support a subset of XPath for the purposes of fwupd and other utilities. It provides a command-line xb-tool application in /usr/lib which is not intended for end-users to run.

- CVE history: no

- Build-Depends: gir1.2-glib-2.0, gobject-introspection, gtk-doc-tools, libglib2.0-dev, libgirepository1.0-dev, meson, shared-mime-info, uuid-dev
- Does not daemonize
- No use of udev
- No pre/post inst/rm scripts
- No initscripts / systemd unit files
- No DBus services
- No setuid binaries
- No binaries added to PATH
- No sudo fragments
- No udev rules
- Unit tests run during package build - these look pretty comprehensive
- No cronjobs
- Clean build logs - no warnings during build other than for missing API documentation

- No subprocesses are spawned
- Memory management looks good, no obvious issues - uses core GLib
  memory management functionality and string types etc. Care is taken on
  memory copies etc to ensure buffers are appropriately sized.
- xb-tool always sets GIO_USE_VFS to local and overwrites
  G_MESSAGES_DEBUG for logging purposes
- No privileged operations
- No cryptography
- No network connections
- Temporary files only used during unit tests
- No WebKit
- No JavaScript
- No PolicyKit
- Clean cppcheck
  - 1 false positive error for an uninitialised variable

Overall code is of high quality - also upstream has integrated support for fuzzing so likely should be pretty robust against malicious inputs from untrusted XML documents etc.

Security team ACK for promoting to main.

Changed in libxmlb (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
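As an added example that is not part of the bug report or of libxmlb itself, the POSIX shell function below mechanically re-checks several items from the security review above (suid/sgid bits, binaries on PATH or in /sbin and /usr/sbin, init/systemd/DBus/udev/cron/sudo hooks, maintainer scripts) over an unpacked package tree such as the output of `dpkg-deb -x`. The two sample trees it builds are constructed for illustration, not real package contents; the libxmlb-like layout (xb-tool under /usr/lib, nothing on PATH) is an assumption based on the review's description.

```shell
# mir_audit ROOT: print one line per checklist finding in an unpacked
# .deb tree; no output means the tree passes these mechanical checks.
mir_audit() {
    root=$1
    # setuid or setgid files anywhere in the tree
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) |
        sed "s|^$root|suid/sgid: |"
    # executables landing on PATH or in /sbin, /usr/sbin
    for d in bin sbin usr/bin usr/sbin; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type f | sed "s|^$root|PATH executable: |"
        fi
    done
    # hooks and services that run code without the user invoking the library
    for d in etc/init.d lib/systemd/system usr/lib/systemd/system \
             usr/share/dbus-1/system-services usr/share/dbus-1/services \
             lib/udev/rules.d etc/udev/rules.d etc/cron.d etc/cron.daily \
             etc/cron.hourly etc/sudoers.d; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type f | sed "s|^$root|hook/service: |"
        fi
    done
    # maintainer scripts in the control area (pre/post inst/rm)
    for s in preinst postinst prerm postrm; do
        [ -f "$root/DEBIAN/$s" ] && echo "maintainer script: DEBIAN/$s"
    done
    return 0
}

# Constructed sample trees (not real package contents): one laid out the way
# the review describes libxmlb1 (xb-tool under /usr/lib, nothing on PATH) and
# one that trips several checklist items.
build_samples() {
    SAMPLES=$(mktemp -d)
    clean=$SAMPLES/libxmlb; bad=$SAMPLES/bad
    mkdir -p "$clean/usr/lib/x86_64-linux-gnu" "$clean/DEBIAN"
    : > "$clean/usr/lib/x86_64-linux-gnu/libxmlb.so.1"
    : > "$clean/usr/lib/xb-tool"; chmod 755 "$clean/usr/lib/xb-tool"
    echo "Package: libxmlb1" > "$clean/DEBIAN/control"
    mkdir -p "$bad/usr/bin" "$bad/lib/systemd/system" "$bad/DEBIAN"
    : > "$bad/usr/bin/helper"; chmod 4755 "$bad/usr/bin/helper"
    : > "$bad/lib/systemd/system/helper.service"
    : > "$bad/DEBIAN/postinst"
}

build_samples
echo "== libxmlb-like tree (expect no findings) =="; mir_audit "$clean"
echo "== tree with problems =="; mir_audit "$bad"
```

The function only confirms file-layout claims; the code-level items in the review (memory handling, subprocesses, cppcheck) still need a human read.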
Matthias Klose (doko) wrote :

Override component to main
libxmlb 0.1.6-2 in disco: universe/misc -> main
gir1.2-xmlb-1.0 0.1.6-2 in disco amd64: universe/introspection/optional/100% -> main
gir1.2-xmlb-1.0 0.1.6-2 in disco arm64: universe/introspection/optional/100% -> main
gir1.2-xmlb-1.0 0.1.6-2 in disco armhf: universe/introspection/optional/100% -> main
gir1.2-xmlb-1.0 0.1.6-2 in disco i386: universe/introspection/optional/100% -> main
gir1.2-xmlb-1.0 0.1.6-2 in disco ppc64el: universe/introspection/optional/100% -> main
gir1.2-xmlb-1.0 0.1.6-2 in disco s390x: universe/introspection/optional/100% -> main
libxmlb-dev 0.1.6-2 in disco amd64: universe/libdevel/optional/100% -> main
libxmlb-dev 0.1.6-2 in disco arm64: universe/libdevel/optional/100% -> main
libxmlb-dev 0.1.6-2 in disco armhf: universe/libdevel/optional/100% -> main
libxmlb-dev 0.1.6-2 in disco i386: universe/libdevel/optional/100% -> main
libxmlb-dev 0.1.6-2 in disco ppc64el: universe/libdevel/optional/100% -> main
libxmlb-dev 0.1.6-2 in disco s390x: universe/libdevel/optional/100% -> main
libxmlb1 0.1.6-2 in disco amd64: universe/libs/optional/100% -> main
libxmlb1 0.1.6-2 in disco arm64: universe/libs/optional/100% -> main
libxmlb1 0.1.6-2 in disco armhf: universe/libs/optional/100% -> main
libxmlb1 0.1.6-2 in disco i386: universe/libs/optional/100% -> main
libxmlb1 0.1.6-2 in disco ppc64el: universe/libs/optional/100% -> main
libxmlb1 0.1.6-2 in disco s390x: universe/libs/optional/100% -> main
19 publications overridden.

Changed in libxmlb (Ubuntu):
status: Triaged → Fix Released