Ubuntu
python-rtslib-fb package

  1. Bug #1854362
  2. Comment #33

Comment 33 for bug 1854362

Revision history for this message
Mark Morlino (markmorlino) wrote :

I reviewed urwid 2.0.1-2build3 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

urwid is a console-based display and user interface framework/library for python 2.7 and 3.4+

- CVE History:
  - none found
- Build-Depends?
  - nothing troubling found
- pre/post inst/rm scripts?
  - n/a
- init scripts?
  - n/a
- systemd units?
  - n/a
- dbus services?
  - n/a
- setuid binaries?
  - n/a
- binaries in PATH?
  - n/a
- sudo fragments?
  - n/a
- udev rules?
  - n/a
- unit tests / autopkgtests?
  - there are some tests but no autopackage tests. The tests run fine when I
    manually run them but I don't see them running during the build.
- cron jobs?
  - n/a
- Build logs:
  - lintian warns about old python versions

- Processes spawned?
  - the default for Terminal is using the value of SHELL env var as the command
  - it execs a command for it virtual terminal class and some for mouse pointer integration
  - it also execs some python for reraising exceptions
- Memory management?
  - n/a
- File IO?
  - paths appear to be constructed safely
  - it's not really getting input from files
  - umask is set to 0 when deamonizing
  - umask not explicitly set for file creation
- Logging?
  - looking isn't used much and looks ok
- Environment variable usage?
  - env is not sanitized
  - this could possibly be misused or produce unanticipated results but that isn't happening as used by python-configshell-fb
- Use of privileged functions?
- Use of cryptography / random number sources etc?
  - n/a
- Use of temp files?
  - pipes located in /tmp by default, this isn't being used for our purposed right now.
- Use of networking?
  - I didn't focus on this very much becuause urwid as used by python-configshell-fb doesn't use networking
  - input is parsed one character at a time.
- Use of WebKit?
- Use of PolicyKit?
  - n/a

- Any significant cppcheck results?
  - No
- Any significant Coverity results?
  - No

Bandit flagged creation of pipes in /tmp in web_display.py as potentially unsafe. That functionality of the framework is not being used
by python-configshell-fb but it could probably be improved.

Security team ACK. My recommendation is that the web_display tmp files be cleaned up to use python's tempfile but I don't think it needs to block inclusion into main at this time because it isn't being used.