I've reviewed python-bcrypt 0.4-2ubuntu1 in Vivid. Due to
time constraints, this should not be considered a full audit. Here are
some interesting points taken from my review notes:
= Code =
* CVE history
- CVE-2013-1895 was assigned for an issue that could allow an
attacker to log in as another user if a threaded application used
py-bcrypt.
- The initial bug report was ignored for a few months but the
security impact of the bug was unknown at that time. When someone
else pointed out the security impact, a fix was apparently released
within an hour.
* What does the package do? What are the interfaces between it and the
user, between it and 3rd parties?
- The package implements bcrypt password hashing for Python
applications. Applications interact with it to securely store
hashed passwords.
* Build-deps?
- Only core Python and C library build deps
- Implements its own blowfish and sha2 and combines them to implement
pbkdf2
* No daemons, no init scripts, no DBus, no setuid binaries, no binaries
in $PATH, no sudo fragments, no udev rules, no cron jobs, no
subprocesses spawned, clean memory management/handling, no file I/O,
no network usage, no logging, no env variable usage, no privileged
operations
* Test suite? How does it interact with the code?
- PyUnit tests which run through a number of test vectors to verify
that a known set of inputs always outputs the expected value and
that known bad inputs result in different outputs.
- The tested vectors didn't match up with any other bcrypt test
vectors that I could find so I updated the test suite with some
test vectors from John the Ripper's bcrypt tests and verified that
the tests still pass.
* Clean build logs
* Static analysis tools (rats, flawfinder, cppcheck) gave it a clean
bill of health
= Packaging =
* The Ubuntu delta is to enable the tests (verify test vectors) at build
time
* Packaging is clean and has no complexity
* Does it have a bug subscriber in Ubuntu? Ideally some team in Ubuntu
is looking after the package.
- No
* Does it have a watch file?
- Yes but it points to code.google.com which is shutting down later
this year
* Current release is packaged but there haven't been any new commits in
the last 1.5 years
- Probably not an issue as there are no serious open bugs and the
code can probably be considered "feature complete"
- Backporting security fixes should be easy since there's not any
churn
* No applicable, open bugs in Debian BTS or Launchpad
The code is small. I don't like that it implements its own crypto but,
considering what the package does, it seems acceptable.
Security Team ACK for promoting to main, conditional on doko (or someone
else) subscribing to the package's bug reports.