[MIR] libfcgi-perl, libcgi-fast-perl
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libfcgi-perl (Ubuntu) | Fix Released | High | Unassigned |
perl (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
Availability: In universe since hardy.
Rationale:
New dependency for munin 2.0.0 - instead of static generation of HTML pages, munin now uses apache2+
Security:
One CVE - http://
Quality assurance:
Builds OK.
Package installable and used by libcgi-fast-perl with Apache2.
Minimal test suite is executed during build (a single "does it work" style test).
No outstanding bugs in LP bugtracker.
No outstanding bugs in Debian bugtracker.
Uses watch file and recent debhelper format to package.
Dependencies:
No additional dependencies outside of main.
Maintenance:
Well maintained in Debian;
Will be added to the ubuntu-server subscription list: TODO
Background information:
libcgi-fast-perl is provided by perl (in main) but is located in universe.
libfcgi-perl is the helper module for FastCGI.
There are several fastcgi implementations in the archive - however none of them are in main.
Changed in libfcgi-perl (Ubuntu):
assignee: nobody → James Page (james-page)
status: New → In Progress
description: updated
description: updated
Changed in libfcgi-perl (Ubuntu):
importance: Undecided → High
Changed in perl (Ubuntu):
importance: Undecided → High
Changed in libfcgi-perl (Ubuntu):
assignee: James Page (james-page) → nobody
status: In Progress → New
description: updated
tags: added: server-notriage
Changed in perl (Ubuntu):
status: Fix Committed → Fix Released
Changed in libfcgi-perl (Ubuntu):
status: Fix Committed → Fix Released
MIR Review for libfcgi-perl:
* builds with only main enabled with no compiler warnings or errors
* it has a small test script that is used in the build
* no Ubuntu delta
* has a watch file
* the package is up to date
* the package is lintian clean
* debian/rules is clean
* as mentioned, no bugs in LP or Debian
Security review for libfcgi-perl:
* This script provides a perl library so it doesn't ship any initscripts, upstart jobs, dbus services, daemons or cron jobs. No setuid or fscap'd programs are installed and there is no use of sudo.
* There was one CVE in a deprecated interface, but it was fixed in a timely fashion with minimal effort.
* For its C code
- it creates its own wrapper functions for malloc and string operations, and these wrappers check return codes and ensure strings are nul terminated. Spot-checking use of sprintf, it is quite careful to make sure strings are the proper size, etc.
- it uses strcpy() in a few places, but doesn't always verify the length of the src. However, where this happens stack-protector should intervene. It also looks like, in these places, a very poorly written program would be needed to allow attacker control of these functions without input sanitizing.
- OS_SpawnChild() doesn't use umask(0) when spawning a child, but as this is a library, it probably makes sense for callers of OS_SpawnChild() to do this.
- it creates its own wrapper functions for read() and write() (OS_Read and OS_Write respectively). While the wrappers themselves don't check return codes, all usage of OS_Read() and OS_Write() does.
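To make the review's C-code points concrete, here is an added example (not libfcgi's code; every name and the pipe message are hypothetical) of a malloc-checking, nul-terminating string wrapper, the length check a fixed-buffer strcpy() needs, and a thin read wrapper whose caller handles short reads and errors itself:

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Hypothetical wrapper in the style the review credits libfcgi with: copy at
 * most cap-1 bytes, always nul-terminate, return NULL if malloc() fails. */
char *bounded_strdup(const char *src, size_t cap)
{
    if (src == NULL || cap == 0) return NULL;
    const char *end = memchr(src, '\0', cap - 1);   /* never scan past cap-1 */
    size_t n = end ? (size_t)(end - src) : cap - 1;
    char *dst = malloc(n + 1);
    if (dst == NULL) return NULL;                   /* checked, not assumed */
    memcpy(dst, src, n);
    dst[n] = '\0';                                  /* guaranteed terminator */
    return dst;
}
/* The pattern the review flags: strcpy() into a fixed buffer. The length check
 * is what the flagged call sites lack; without it an oversized src overruns
 * dst and only the stack protector stands in the way. */
#define FIXED_CAP 16
int copy_into_fixed(char dst[FIXED_CAP], const char *src)
{
    if (strlen(src) >= FIXED_CAP) return -1;        /* refuse, do not overrun */
    strcpy(dst, src);
    return 0;
}
/* Thin wrapper like the OS_Read() the review describes: it does not interpret
 * the result; callers such as read_fully() handle short reads, EINTR, errors. */
ssize_t os_read(int fd, void *buf, size_t len) { return read(fd, buf, len); }
ssize_t read_fully(int fd, void *buf, size_t want)
{
    size_t got = 0;
    while (got < want) {
        ssize_t r = os_read(fd, (char *)buf + got, want - got);
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        if (r == 0) break;                          /* EOF before want bytes */
        got += (size_t)r;
    }
    return (ssize_t)got;
}
/* Self-check: push a constructed 11-byte message through a pipe and return how
 * many bytes read_fully() delivered (-1 on setup failure). */
ssize_t pipe_roundtrip(void)
{
    int fds[2]; char buf[32]; ssize_t n;
    if (pipe(fds) != 0 || write(fds[1], "hello world", 11) != 11) return -1;
    close(fds[1]); n = read_fully(fds[0], buf, sizeof buf); close(fds[0]);
    return n;
}
```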