[MIR] python-tabulate (dependency of cinder)

Bug #1862773 reported by Matthias Klose
Affects: python-tabulate (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Unassigned | Milestone: none listed

Bug Description

[Availability]
In universe

[Rationale]
Taken from the upstream commit that makes this change:

PrettyTable is no longer maintained and the last release was in 2013.
There are starting to be deprecation warnings emitted with newer Python
releases.

Various attempts to revive a fork haven't gained much traction. A common
recommendation is to move away from PrettyTable to tabulate. This
switches our usage to a close equivalent using that library instead.

[Security]
No security history

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tabulate

[Quality assurance]
Package has unit tests which are run as part of the package build.

[Dependencies]
All in main

[Standards compliance]
OK-ish - simple package but not updated to latest Standards-Version

[Maintenance]
Not that well maintained in Debian - last update was an NMU in October 2019 to remove Py2 support. More recent updates in Ubuntu to bump version and execute unit tests as part of package build.

[Background information]
tabulate provides similar functionality to prettytable - however not all openstack projects have made the switch and there are other reverse-depends in main for python3-prettytable:

$ reverse-depends -c main python3-prettytable
Reverse-Depends
* ceph-common [amd64 arm64 armhf ppc64el s390x]
* python3-automaton
* python3-blazarclient
* python3-ceilometerclient
* python3-cinder
* python3-cinderclient
* python3-cliff
* python3-futurist
* python3-glance
* python3-glanceclient
* python3-heatclient
* python3-magnumclient
* python3-manilaclient
* python3-monascaclient
* python3-nova
* python3-novaclient
* python3-oslo.upgradecheck
* python3-osprofiler
* python3-seamicroclient
* python3-senlinclient
* python3-troveclient

That said, it formats output for python applications, so it would be considered fairly low risk from a security perspective, and having two similar pkgs in main may be more palatable.

Tags: focal
Matthias Klose (doko)
Changed in python-tabulate (Ubuntu):
importance: Undecided → High
assignee: nobody → Ubuntu OpenStack (ubuntu-openstack)
James Page (james-page)
description: updated
Changed in python-tabulate (Ubuntu):
status: Incomplete → New
assignee: Ubuntu OpenStack (ubuntu-openstack) → nobody
Christian Ehrhardt  (paelzer) wrote :

[Summary]
Other than the known - but sort of accepted - duplication issue this LGTM.
Following the rules this also needs security review, and for an ack you also
need to add the team subscription.

@Openstack:
- please subscribe to the package and ping back here.
- thanks for improving and going ahead of Debian, but please continue to
  put attention onto the package.

@Security - review needed, but should be small and fast

[Duplication]
There is the duplication issue with python3-prettytable that was already
mentioned in the description.

But the reasoning for the duplication rule is to keep maintenance effort
reasonable, and this one does not seem to increase that a lot.

For now there seems to be no way to do openstack without it, and switching that
to python3-prettytable seems just as impractical as vice versa.

Nevertheless I'd want to ask the Openstack Team, after the current releases
are done, to check how doable a switch to python-tabulate would be for the
remaining rev-deps. It can be (and most likely is) "not doable", but then we
know instead of guessing.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc.

Problems:
- it does not parse data formats to render them

I'm torn as this is really minimal, but following the rules there could be
something in here that could be exploited by people manipulating the data.
And that way people might breach into a more important program that depends/uses
python-tabulate.
This is small, so the review should be quick - but I'd ask to do one (better
safe than sorry).

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build.
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- used dh_python

Problems:
- does not have a test suite that runs as autopkgtest (probably ok for this as
  itself only depends on python3)
- neither ubuntu-openstack nor openstack-ubuntu-packagers is subscribed yet

[Packaging red flags]
OK:
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is sporadic, but you fixed that - thanks
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs
  that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- not using Built-Using

Problems:
- Ubuntu does carry a delta, but it is reasonable and maintenance is under control.
  I mean, thanks for updating and enabling the tests, but just be clear that
  this package is therefore more on you than usual.
  Please plan to n...


Changed in python-tabulate (Ubuntu):
status: New → Incomplete
Christian Ehrhardt  (paelzer) wrote :

Please assign `ubuntu-security` once subscribed

James Page (james-page) wrote :

Added bug subscriber.

Changed in python-tabulate (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in python-tabulate (Ubuntu):
status: Incomplete → New
Mike Salvatore (mikesalvatore) wrote :

I reviewed python-tabulate 0.8.6-0ubuntu2 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

python-tabulate is both a library and command-line utility that pretty-prints
tabular data. It is written in Python and can create tables in a wide variety
of formats.

- CVE History:
  None
- Build-Depends?
  - dh-python
  - python3-all
  - python3-nose
  - python3-setuptools
  - python3-wcwidth
- pre/post inst/rm scripts?
  None
- init scripts?
  None
- systemd units?
  None
- dbus services?
  None
- setuid binaries?
  None
- binaries in PATH?
  /usr/bin/tabulate
- sudo fragments?
  None
- polkit files?
  None
- udev rules?
  None
- unit tests / autopkgtests?
  python-tabulate provides a test suite with 83% code coverage. This test suite runs during the build.
- cron jobs?
  None
- Build logs:
  - Lintian
    W: python-tabulate source: ancient-standards-version 3.9.8 (released 2016-04-06) (current is 4.5.0)
  - Build Errors
    /usr/lib/python3.8/subprocess.py:838: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used
    (subprocess.py is used by the test suite)
- Processes spawned?
  The test suite invokes `python tabulate.py` using the subprocess module. The test suite is run during build and does not get included in the .deb.
- Memory management?
  All code is written in python.
- File IO?
  - Input and output files are specified by the user.
  - It may be possible to provide input that causes tabulate.py or the tabulate() function to crash. Code that calls tabulate() should use try/except to avoid crashes.
- Logging?
  None
- Environment variable usage?
  None
- Use of privileged functions?
  None
- Use of cryptography / random number sources etc?
  None
- Use of temp files?
  None
- Use of networking?
  None
- Use of WebKit?
  None
- Use of PolicyKit?
  None
- Any significant bandit results?
  tabulate.py:1457: B101[bandit]: LOW: Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
- Any significant Coverity results?
  Coverity was not run.

In general, the mission of python-tabulate is straightforward: take input, create table. It therefore has a very limited attack surface. The pace of development seems reasonable and, coupled with the test suite that covers 83% of the code, python-tabulate should be fairly maintainable.

Security team ACK for promoting python-tabulate to main.
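The reviewer's advice that callers of tabulate() should wrap it in try/except, as an added example (not code from the bug report or from python-tabulate itself): a wrapper that degrades to a plain tab-separated rendering when the library raises, so a crash in the formatter cannot take down the program that depends on it. The sample rows and the `failing_renderer` stand-in are constructed here; the import fallback lets the example run even where tabulate is not installed.

```python
import logging
from typing import Any, Sequence, Tuple

try:
    from tabulate import tabulate  # the library reviewed above
except ImportError:  # assumption: let this example run without it installed
    tabulate = None

log = logging.getLogger(__name__)

# Constructed sample data, not taken from the bug report.
SAMPLE_HEADERS = ("name", "state")
SAMPLE_ROWS = [("cinder", "active"), ("glance", "inactive")]


def plain_rows(rows: Sequence[Sequence[Any]], headers: Sequence[Any] = ()) -> str:
    """Tab-separated fallback that relies only on str() and cannot hit tabulate bugs."""
    lines = []
    if headers:
        lines.append("\t".join(str(h) for h in headers))
    for row in rows:
        lines.append("\t".join(str(cell) for cell in row))
    return "\n".join(lines)


def render_table(rows, headers=(), renderer=tabulate) -> Tuple[str, bool]:
    """Pretty-print with tabulate(); on any exception degrade to plain output.

    Returns (text, pretty) where pretty is False when the fallback was used.
    Rows are materialised first so a generator partly consumed by a failing
    renderer is not lost for the fallback.
    """
    rows = [list(row) for row in rows]
    try:
        if renderer is None:
            raise RuntimeError("tabulate is not installed")
        return renderer(rows, headers=headers), True
    except Exception as exc:  # broad on purpose: the caller must keep running
        log.warning("table rendering failed (%s: %s); using plain output",
                    type(exc).__name__, exc)
        return plain_rows(rows, headers), False


def failing_renderer(*_args, **_kwargs) -> str:
    """Stand-in for a tabulate() call that raises on some input (simulated)."""
    raise ValueError("simulated tabulate failure")


if __name__ == "__main__":
    print(render_table(SAMPLE_ROWS, SAMPLE_HEADERS)[0])
    print(render_table(SAMPLE_ROWS, SAMPLE_HEADERS, renderer=failing_renderer)[0])
```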

James Page (james-page) wrote :

MIR and security reviews completed - ready for promotion to main for focal.

Changed in python-tabulate (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: New → Fix Committed
Matthias Klose (doko) wrote :

Override component to main
python-tabulate 0.8.6-0ubuntu2 in focal: universe/misc -> main
python3-tabulate 0.8.6-0ubuntu2 in focal amd64: universe/python/optional/100% -> main
python3-tabulate 0.8.6-0ubuntu2 in focal arm64: universe/python/optional/100% -> main
python3-tabulate 0.8.6-0ubuntu2 in focal armhf: universe/python/optional/100% -> main
python3-tabulate 0.8.6-0ubuntu2 in focal i386: universe/python/optional/100% -> main
python3-tabulate 0.8.6-0ubuntu2 in focal ppc64el: universe/python/optional/100% -> main
python3-tabulate 0.8.6-0ubuntu2 in focal s390x: universe/python/optional/100% -> main
7 publications overridden.

Changed in python-tabulate (Ubuntu):
status: Fix Committed → Fix Released