[Bug 1630073] Re: [MIR] python-pyelftools

2018-01-29 Thread Matthias Klose
Override component to main
python-pyelftools 0.24-3 in bionic: universe/misc -> main
python-pyelftools 0.24-3 in bionic amd64: universe/python/extra/100% -> main
python-pyelftools 0.24-3 in bionic arm64: universe/python/extra/100% -> main
python-pyelftools 0.24-3 in bionic armhf: universe/python/extra/100% -> main
python-pyelftools 0.24-3 in bionic i386: universe/python/extra/100% -> main
python-pyelftools 0.24-3 in bionic ppc64el: universe/python/extra/100% -> main
python-pyelftools 0.24-3 in bionic s390x: universe/python/extra/100% -> main
python3-pyelftools 0.24-3 in bionic amd64: universe/python/extra/100% -> main
python3-pyelftools 0.24-3 in bionic arm64: universe/python/extra/100% -> main
python3-pyelftools 0.24-3 in bionic armhf: universe/python/extra/100% -> main
python3-pyelftools 0.24-3 in bionic i386: universe/python/extra/100% -> main
python3-pyelftools 0.24-3 in bionic ppc64el: universe/python/extra/100% -> main
python3-pyelftools 0.24-3 in bionic s390x: universe/python/extra/100% -> main
13 publications overridden.


** Changed in: python-pyelftools (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630073

Title:
  [MIR] python-pyelftools

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dpdk/+bug/1630073/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630073] Re: [MIR] python-pyelftools

2017-11-16 Thread ChristianEhrhardt
Submitted to deb_dpdk as:
  https://gerrit.fd.io/r/#/c/9450/


[Bug 1630073] Re: [MIR] python-pyelftools

2017-09-25 Thread ChristianEhrhardt
Thank you Seth,
it is too late for artful to be meaningful so we will carry it as-is there.
But I'll make the changes in Debian and then on 18.04 merges the component 
mismatch will show up.


[Bug 1630073] Re: [MIR] python-pyelftools

2017-09-22 Thread Seth Arnold
I reviewed python-pyelftools version 0.24-3 as checked into Debian
unstable. This shouldn't be considered a full security audit but rather a
quick gauge of maintainability.

- No CVEs in our database
- python-pyelftools provides a Python API for inspecting ELF objects
  without dependencies upon readelf or binutils

- Build-Depends: debhelper, dh-python, python, python3
- No cryptography
- No networking
- Does not daemonize
- automatically generated pre/post inst/rm scripts
- No initscripts
- No dbus services
- No setuid files
- No binaries in PATH
- No sudo fragments
- No udev rules
- Test suite run during package build
- No cronjobs
- Clean build logs

- subprocesses only spawned in test suite, looked good
- Files only manipulated in test suite, looked good
- Almost all logging is in the test suite, looked good
- No environment use
- No privileged functions
- No networking
- No cryptography
- No privileged portions of code
- Temp files only handled in test suite, looked good
- No webkit
- No javascript
- No policykit


ELF files are complicated enough that parsing them has been a frequent
source of security issues in the Linux kernel, binutils, readelf, and
doubtless many other tools. So while a re-implementation of ELF parsing is
bound to reintroduce some of the same bugs already solved elsewhere, the
memory safety of Python means the consequences are probably less severe
than other implementations.

There's one very dangerous idiom used in some of the examples:

- examples load . and .. into sys.path
- scripts/readelf.py loads . into sys.path

This is fine for software that's obviously examples but these examples
look useful enough that they may some day be promoted to 'real tools'.

These tools must not be promoted with the sys.path manipulations in
place.

Security team ACK for promoting python-pyelftools to main.

Thanks


** Changed in: python-pyelftools (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
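
A packaging-review check for the sys.path idiom flagged in the review above, as an added example that is not part of the original message or of pyelftools. Relative entries such as '.' and '..' resolve against the current working directory at import time, so a module file in that directory can shadow the intended import. The sample source and all function names here are constructed for illustration.

```python
import ast
import os

# Constructed sample resembling the idiom the review describes; it is not
# the actual text of any pyelftools file.
SAMPLE = '''\
import sys
sys.path.insert(0, '.')
sys.path[0:0] = ['.', '..']
sys.path.append('/usr/share/mytool')
from elftools.elf.elffile import ELFFile
'''


def _is_sys_path(node):
    """True if node is the expression `sys.path`."""
    return (isinstance(node, ast.Attribute) and node.attr == "path"
            and isinstance(node.value, ast.Name) and node.value.id == "sys")


def _relative_literals(node):
    """Yield string literals under node that are not absolute paths."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            if not os.path.isabs(sub.value):
                yield sub.value


def find_relative_sys_path(source):
    """Return sorted (line, entry) pairs for relative additions to sys.path.

    Covers sys.path.insert/append/extend(...) and assignments such as
    sys.path[0:0] = [...] or sys.path += [...]. Only string literals are
    inspected; computed paths still need manual review.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        values = []
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("insert", "append", "extend")
                and _is_sys_path(node.func.value)):
            values = node.args
        elif isinstance(node, (ast.Assign, ast.AugAssign)):
            targets = node.targets if isinstance(node, ast.Assign) else [node.target]
            for t in targets:
                base = t.value if isinstance(t, ast.Subscript) else t
                if _is_sys_path(base):
                    values = [node.value]
        for v in values:
            findings += [(node.lineno, s) for s in _relative_literals(v)]
    return sorted(findings)


if __name__ == "__main__":
    for line, entry in find_relative_sys_path(SAMPLE):
        print(f"line {line}: relative sys.path entry {entry!r}")
```

Run over a script before it is installed into a directory on PATH, an empty result means no literal relative entry is added to sys.path; the empty string is reported as well because Python treats it as the current directory.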


[Bug 1630073] Re: [MIR] python-pyelftools

2017-06-01 Thread ChristianEhrhardt
We decoupled and made this a suggests in Debian as well.
If it would be ok to take it, it would make users' lives slightly better - but
urgency certainly dropped.

** Changed in: python-pyelftools (Ubuntu)
   Importance: Undecided => Low



[Bug 1630073] Re: [MIR] python-pyelftools

2017-04-27 Thread ChristianEhrhardt
Ping, for the sake of nearing dpdk merge on artful I wanted to ask a few
days ahead if this review has made progress?



[Bug 1630073] Re: [MIR] python-pyelftools

2017-01-19 Thread ChristianEhrhardt
Thanks for the info Michael on the Status.

I wanted to let you know that since one of the main goals for DPDK was to 
become a sync to Debian it is in proposed now this way.
That includes the expected component mismatch on python-pyelftools - and since 
we have to rebuild openvswitch against that new DPDK API that is in the 
dependency chain behind it.

So we are kind of waiting on this - let us know when you know more on this.
If you could prioritize this (as it should be a rather small package) that 
would be great.



[Bug 1630073] Re: [MIR] python-pyelftools

2017-01-05 Thread Michael Terry
This is waiting on a review by the security team.  They are usually
quite busy, with a queue of audits to go through.



[Bug 1630073] Re: [MIR] python-pyelftools

2017-01-04 Thread ChristianEhrhardt
FYI - here in the bug - we have set a bug subscriber right after doko mentioned 
it as an issue.
Scott was so kind to set it back to confirmed then to follow the process.

I know there was the usual December rush and Christmas time in between,
but since nothing happened since then I wanted to ping for an update on
this?

Debian is soon to pick up our DPDK 16.11 packaging which we want to sync
then, that would cause this component mismatch on python-elftools so I'd
be happy to get this blocker out of the way.



[Bug 1630073] Re: [MIR] python-pyelftools

2016-11-28 Thread Scott Moser
subscribed ubuntu-server.

** Changed in: python-pyelftools (Ubuntu)
   Status: Incomplete => Confirmed



[Bug 1630073] Re: [MIR] python-pyelftools

2016-11-25 Thread Matthias Klose
it doesn't have a bug subscriber

** Changed in: python-pyelftools (Ubuntu)
   Status: Confirmed => Incomplete



[Bug 1630073] Re: [MIR] python-pyelftools

2016-11-25 Thread ChristianEhrhardt
Hmm, this is accidentally still flagged incomplete without an open question - 
maybe by that it isn't on the radar for review.
I'd like to get that in this cycle, setting to confirmed again.

** Changed in: python-pyelftools (Ubuntu)
   Status: Incomplete => Confirmed



[Bug 1630073] Re: [MIR] python-pyelftools

2016-10-31 Thread Michael Terry
** Changed in: python-pyelftools (Ubuntu)
 Assignee: ChristianEhrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)



[Bug 1630073] Re: [MIR] python-pyelftools

2016-10-05 Thread ChristianEhrhardt
Ready for consideration by the MIR Team and an audit by the security Team.
Subscribing both.

But once more to be sure - this is meant for the Z* release.
So take a breath and close out your Yakkety tasks first :-)

** Description changed:

+ [MIR]
+ Listing MIR requirements that are fulfilled IMHO:
+ 
+ 0. First of all - this is for the Z* release, no rush into Yakkety,
+but starting to do it right for Z* now instead of late in the next
+cycle.
+ 
+ 1. Availability: Is already in Ubuntu universe and builds for the 
+architectures it is designed to work on.
+ 
+ 2. Rationale: having this python extension available would allow us to 
+ship a dpdk helper tool that can help debugging it in case uncommon 
+network cards are used. DPDK is in main, so this would be a runtime 
+dependency.
+ 
+ 3. Security: There were no open CVEs reported against it in the past.
+No Binaries, services or anything like it - just py files to include 
+and a readme.
+ 
+ 4. Quality assurance: Being a python extension there is no config needed 
+that would make usability complex.
+The code is well myintained upstream. Currently there is no Ubuntu 
+Delta to Debian and so far there are zero bugs against the package at
+https://bugs.launchpad.net/ubuntu/+source/python-pyelftools
+Neither are there in Debian:
+https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=python-pyelftools
+It has a set of integrated tests ran on build in override_dh_auto_test.
+ 
+ 5. UI Standards: No UI
+ 
+ 6. Dependencies:
+Runtime dependencies are on python2/3 only which already is in main.
+Build dependencies are on python, dh-python and debhelper. Again a 
+small list and all already in main.
+ 
+ 7. Standards compliance: Packaging is small and easy to understand as it   
+is almost "just" calling dh with pybuild. It has a watch file and also 
+FHS/Debian compliance is given. Lintian reports no open issues.
+ 
+ 8. Maintenance: As said so far no open bugs and no delta. Since it doesn't
+expose anything to the network the risk of security issues is medium. 
+It is medium and not low as it is used to process elf data on e.g. 
+shared libraries - that means reading arbitrary data. Since it is in 
+python a lot of the protection e.g. for buffer overflows comes from the 
+runtime environment. There is no owning Team yet as it falls in the MIR 
+prerequisites quote of "Simple packages (e.g. language bindings, simple 
+Perl modules, small command-line programs, etc.) might not need very 
+much maintenance effort, and if they are maintained well in Debian we 
+can just keep them synced"
+ 
+ 
+ 
  The latest upload of dpdk introduces a dependency on python-pyelftools.
  MIR, or dropping of the dependency, needed.



[Bug 1630073] Re: [MIR] python-pyelftools

2016-10-04 Thread Launchpad Bug Tracker
This bug was fixed in the package dpdk - 16.07-0ubuntu5

---
dpdk (16.07-0ubuntu5) yakkety; urgency=medium

  [ Christian Ehrhardt ]
  * Fix component mismatch by dropping the optional dpdk-pmdinfo tool
    (LP: #1630073).

  [ Gowrishankar Muthukrishnan ]
  * update d/p/dpdk-dev-examples-ip_pipeline-fix-pmd-driver-parameter.patch to
    fix dlopen issue (LP: #1630119)

 -- Christian Ehrhardt   Tue, 04 Oct 2016 09:27:54 +0200

** Changed in: dpdk (Ubuntu)
   Status: Triaged => Fix Released



[Bug 1630073] Re: [MIR] python-pyelftools

2016-10-04 Thread ChristianEhrhardt
FYI - Upload in the unapproved queue now



[Bug 1630073] Re: [MIR] python-pyelftools

2016-10-04 Thread ChristianEhrhardt
As I said the tool is optional, used almost only for debugging new Cards
so far (which PCI IDs of cards match which driver - I mean you point it
at .so files, so not the most day-to-day task) and it is new (no
regression to "take it away" from anybody).

If users want to use it, it is "just" a python script. They still can use it by 
installing dependencies on their own. To allow that we just drop linking the 
tool into /usr/bin/.
That way it is out of scope at first, but still keeps it available for those 
who really want/need to use it in /usr/share/dpdk/tools/dpdk-pmdinfo.py.

The error for missing the python-elftools if using the tool from
/usr/share is relatively user-friendly (it identifies what is missing
exactly).

The error for the hwdata dependency would be much more unreadable, but
we are fine to keep the hwdata dependency as that causes no component
mismatch.

For the following release we can take the time to properly consider a
MIR for python-elftools.



[Bug 1630073] Re: [MIR] python-pyelftools

2016-10-04 Thread ChristianEhrhardt
Hi Steve, you were 6 hours earlier than me since we had public holiday
yesterday.

So far the tool is optional and we are too late IMHO to MIR that in.

I'll prep an upload that drops this particular tool for Yakkety and revisit 
that later on.
Dup'ing my report now.

** Also affects: dpdk (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: dpdk (Ubuntu)
   Status: New => Triaged

** Changed in: dpdk (Ubuntu)
   Importance: Undecided => High

** Changed in: dpdk (Ubuntu)
 Assignee: (unassigned) => ChristianEhrhardt (paelzer)



[Bug 1630073] Re: [MIR] python-pyelftools

2016-10-03 Thread Steve Langasek
** Changed in: python-pyelftools (Ubuntu)
 Assignee: Christian Ehrhardt (der-schoenne) => ChristianEhrhardt (paelzer)



[Bug 1630073] Re: [MIR] python-pyelftools

2016-10-03 Thread Steve Langasek
** Changed in: python-pyelftools (Ubuntu)
   Status: New => Incomplete
