Ubuntu
lmdb package

Bug #1833745
Comment #3

Comment 3 for bug 1833745

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2019-07-09:

build warnings Edit (42.6 KiB, text/plain)

I reviewed lmdb 0.9.23-0ubuntu1 as checked into eoan. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

lmdb is a software library that provides a high-performance embedded
transactional database in the form a key-value store.

- No CVE History
- Build-Depends
  - debhelper
  - doxygen
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/mdb_copy
  - /usr/bin/mdb_dump
  - /usr/bin/mdb_load
  - /usr/bin/mdb_stat
- No sudo fragments
- No udev rules
- A couple of tests available in the source code:
  - mtest.c: tests for main DB. It's the only test executed during build (./mtest && ./mdb_stat testdb)
  - mtest2.c: tests for subDB
  - mtest3.c: tests for sorted duplicated DBs
  - mtest4.c: tests for sorted duplicated DBs with fixed-size keys
  - mtest5.c: tests for sorted duplicated DBs using cursor_put
  - mtest6.c: tests for DB splits and merges
- No cron jobs
- Build logs:
  - Lots of warnings during build, mostly related to doxygen macro definitions
  - The warnings are attached.
- No Processes spawned
- Memory management
  - Lots of dynamic memory allocation and memory copying. In general they look
    safe, they are checking for NULL, strings are also NUL terminated and they
    are freeing memory after use.
- Lots of File IO
  - some paths come from argv but buffer is allocated dynamically based on
    user's input.
- Logging
  - Binaries in path are logging only to stderr
- No Environment variable usage
- No Use of privileged functions
- No Use of cryptography / random number sources
  - srand used in test code
- No Use of temp files
- No Use of networking
- No Use of WebKit
- No Use of PolicyKit
- No significant cppcheck results
- Coverity results
  - Some NULL pointer derefence
  - Some pthread lock not being unlocked
  - Use after free
  - Resource leak
  - Out-of-bounds access
  - I will be forwarding this to upstream to get more feedback if any of them
    is a high priority issue.
  - Talked to upstream and they confirmed all are false positives.

The code is well maintained and upstream is responsive.

Security team ACK for promoting lmdb to main.

I reviewed lmdb 0.9.23-0ubuntu1 as checked into eoan. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

lmdb is a software library that provides a high-performance embedded
transactional database in the form a key-value store.

- No CVE History
- Build-Depends
  - debhelper
  - doxygen
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/mdb_copy
  - /usr/bin/mdb_dump
  - /usr/bin/mdb_load
  - /usr/bin/mdb_stat
- No sudo fragments
- No udev rules
- A couple of tests available in the source code:
  - mtest.c: tests for main DB. It's the only test executed during build (./mtest && ./mdb_stat testdb)
  - mtest2.c: tests for subDB
  - mtest3.c: tests for sorted duplicated DBs
  - mtest4.c: tests for sorted duplicated DBs with fixed-size keys
  - mtest5.c: tests for sorted duplicated DBs using cursor_put
  - mtest6.c: tests for DB splits and merges
- No cron jobs
- Build logs:
  - Lots of warnings during build, mostly related to doxygen macro definitions
  - The warnings are attached.
- No Processes spawned
- Memory management
  - Lots of dynamic memory allocation and memory copying. In general they look
    safe, they are checking for NULL, strings are also NUL terminated and they
    are freeing memory after use.
- Lots of File IO
  - some paths come from argv but buffer is allocated dynamically based on
    user's input.
- Logging
  - Binaries in path are logging only to stderr
- No Environment variable usage
- No Use of privileged functions
- No Use of cryptography / random number sources
  - srand used in test code
- No Use of temp files
- No Use of networking
- No Use of WebKit
- No Use of PolicyKit
- No significant cppcheck results
- Coverity results
  - Some NULL pointer derefence
  - Some pthread lock not being unlocked
  - Use after free
  - Resource leak
  - Out-of-bounds access 
  - I will be forwarding this to upstream to get more feedback if any of them
    is a high priority issue.
  - Talked to upstream and they confirmed all are false positives.

The code is well maintained and upstream is responsive.

Security team ACK for promoting lmdb to main.

Ubuntulmdb package

Comment 3 for bug 1833745

Ubuntu
lmdb package