I reviewed jansson version 2.7-1ubuntu1 as checked into vivid. This should
not be considered a full security audit but rather a quick gauge of
maintainability.

- jansson provides a C API for working with JSON files
- Build-Depends: debhelper, dh-autoreconf
- Does not itself daemonize
- Does not itself run as a system user
- No pre/post inst/rm
- No initscripts
- No dbus services
- No setuid
- No binaries in *bin/
- No sudo fragments
- No udev rules
- No cronjobs
- Almost no tests run during build
- Clean build logs

- No subprocesses spawned
- Most memory management looks good, some potential for integer overflow
  exists
- File opening looks safe
- Logging looks safe
- Environment variables only used in test programs
- No privileged operations
- No cryptography
- Does not itself do networking
- No tmp file use
- Does not use WebKit
- Does not use JS
- Does not use PolicyKit
- Clean cppcheck

Here are a few small issues I found while reviewing the source in the hopes
someone finds them useful:

- loadfile() in test/bin/json_process.c does malloc(fsize+1), no checks
  that fsize+1 doesn't wrap-around
- multiple cases of malloc(size * sizeof(foo)); a calloc()-style function
  that checks for integer overflows ought to be used instead

Jansson looks like high-quality code with a friendly API for manipulating
JSON in C.

Security team ACK for promoting jansson to main.

Thanks


** Changed in: jansson (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)
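
The two findings above (malloc(fsize+1) and malloc(size * sizeof(foo))), illustrated with an added example that is not part of the original review and is not jansson code. The helper names are hypothetical, and fsize is assumed to be the long returned by ftell().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not jansson code: malloc(nmemb * size) that fails
 * instead of wrapping around, as calloc() does for its own product. */
void *checked_alloc_array(size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return NULL;                      /* product exceeds SIZE_MAX */
    return malloc(nmemb * size);
}

/* Hypothetical helper: bytes needed for a file of fsize bytes plus a NUL.
 * Assumes fsize is the long returned by ftell(). Returns 0 on error. */
size_t file_buffer_size(long fsize)
{
    if (fsize < 0 || (uintmax_t)fsize >= SIZE_MAX)
        return 0;                         /* ftell() failed, or +1 wraps */
    return (size_t)fsize + 1;
}

/* Read a whole seekable stream into a NUL-terminated heap buffer. */
char *load_stream(FILE *file)
{
    long fsize;
    size_t bufsize;
    char *buf;

    if (fseek(file, 0, SEEK_END) != 0 || (fsize = ftell(file)) < 0 ||
        fseek(file, 0, SEEK_SET) != 0)
        return NULL;
    if ((bufsize = file_buffer_size(fsize)) == 0 ||
        (buf = malloc(bufsize)) == NULL)
        return NULL;
    if (fread(buf, 1, bufsize - 1, file) != bufsize - 1) {
        free(buf);
        return NULL;
    }
    buf[bufsize - 1] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed input: an element count whose byte size cannot fit. */
    void *p = checked_alloc_array(SIZE_MAX / sizeof(long) + 1, sizeof(long));
    printf("oversized array request: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```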

https://bugs.launchpad.net/bugs/1392023

Title:
  [MIR] jansson
