I reviewed urwid 2.0.1-2build3 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
urwid is a console-based display and user interface framework/library for Python 2.7 and 3.4+
- CVE History:
- none found
- Build-Depends?
- nothing troubling found
- pre/post inst/rm scripts?
- n/a
- init scripts?
- n/a
- systemd units?
- n/a
- dbus services?
- n/a
- setuid binaries?
- n/a
- binaries in PATH?
- n/a
- sudo fragments?
- n/a
- udev rules?
- n/a
- unit tests / autopkgtests?
- there are some tests but no autopackage tests. The tests run fine when I
manually run them but I don't see them running during the build.
- cron jobs?
- n/a
- Build logs:
- lintian warns about old python versions
- Processes spawned?
- the default for Terminal is using the value of SHELL env var as the command
- it execs a command for its virtual terminal class and some for mouse pointer integration
- it also execs some python for reraising exceptions
- Memory management?
- n/a
- File IO?
- paths appear to be constructed safely
- it's not really getting input from files
- umask is set to 0 when daemonizing
- umask not explicitly set for file creation
- Logging?
- logging isn't used much and looks ok
- Environment variable usage?
- env is not sanitized
- this could possibly be misused or produce unanticipated results but that isn't happening as used by python-configshell-fb
- Use of privileged functions?
- Use of cryptography / random number sources etc?
- n/a
- Use of temp files?
- pipes located in /tmp by default; this isn't being used for our purposes right now.
- Use of networking?
- I didn't focus on this very much because urwid as used by python-configshell-fb doesn't use networking
- input is parsed one character at a time.
- Use of WebKit?
- Use of PolicyKit?
- n/a
- Any significant cppcheck results?
- No
- Any significant Coverity results?
- No
Bandit flagged creation of pipes in /tmp in web_display.py as potentially unsafe. That functionality of the framework is not being used by python-configshell-fb but it could probably be improved.
Security team ACK. My recommendation is that the web_display tmp files be cleaned up to use python's tempfile but I don't think it needs to block inclusion into main at this time because it isn't being used.
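The recommendation above is to move the web_display pipes from a fixed name under /tmp to Python's tempfile module. The following is an added example, not urwid's own code: it models the weak pattern (a predictable path in the shared, world-writable /tmp) next to the hardened form (a FIFO inside a private directory from tempfile.mkdtemp()), plus a check a reviewer can run to confirm the result. The file names, prefix and helper names are assumptions for illustration, not urwid's.

```python
import os
import stat
import tempfile

# Added example, not urwid's web_display.py. Contrasts a predictable pipe path
# in /tmp with a pipe created inside a private tempfile.mkdtemp() directory.


def predictable_pipe_path(pid=None):
    """Model of the pattern Bandit flags: a fixed, guessable name in the
    shared /tmp directory. Because /tmp is world-writable, any local user can
    pre-create that name before the process does. (Assumed naming, not urwid's.)"""
    pid = os.getpid() if pid is None else pid
    return os.path.join("/tmp", "urwid_%d.pipe" % pid)


def create_private_pipe(name="display.pipe"):
    """Hardened form: create the FIFO inside a fresh tempfile.mkdtemp() directory.

    mkdtemp() chooses an unpredictable name and creates the directory with
    mode 0o700 (umask can only clear bits, so even the umask 0 noted in the
    review cannot widen it). Nobody else can traverse the directory, so the
    pipe path cannot be pre-created or opened by another local user.
    Returns (tmpdir, fifo_path).
    """
    tmpdir = tempfile.mkdtemp(prefix="urwid-")
    fifo = os.path.join(tmpdir, name)
    os.mkfifo(fifo, 0o600)  # private directory is the real protection
    return tmpdir, fifo


def pipe_is_private(fifo_path):
    """Reviewer-side check: the path is a FIFO (not a symlink or regular file
    planted by someone else), owned by us, inside a directory we own that has
    no group/other permission bits."""
    st = os.lstat(fifo_path)
    dst = os.stat(os.path.dirname(fifo_path))
    return (
        stat.S_ISFIFO(st.st_mode)
        and st.st_uid == os.getuid()
        and dst.st_uid == os.getuid()
        and stat.S_IMODE(dst.st_mode) & 0o077 == 0
    )


def cleanup_pipe(tmpdir, fifo_path):
    """Remove the FIFO and its private directory; True if both are gone."""
    os.unlink(fifo_path)
    os.rmdir(tmpdir)
    return not os.path.exists(tmpdir)


if __name__ == "__main__":
    d, f = create_private_pipe()
    print("predictable:", predictable_pipe_path())
    print("private:", f, "ok" if pipe_is_private(f) else "NOT private")
    cleanup_pipe(d, f)
```

The check in pipe_is_private() is what a packager would want to see pass after such a cleanup: the directory, not the FIFO's own mode bits, is what keeps another local user from racing the creation or reading the pipe, which is why mkdtemp() rather than a fixed /tmp path is the right fix.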