I reviewed libmicrohttpd version 0.9.44+dfsg-1 as checked into xenial. This shouldn't be considered a full security audit, but rather a quick gauge of maintainability.
- [item elided]
- parse_uri() does not check error returns from asprintf()
- store_in_buffer() can leak 'dst' if realloc() fails
- SPDYF_start_daemon_va() calls spdyf_parse_options_va(), which treats all addresses as identical struct sockaddr types. However, SPDYF_start_daemon_va() includes code which checks the daemon->address as if it were a struct sockaddr_in6. I suggest using ASAN or valgrind on this with IPv6 addresses.

And some more subjective feedback:

- SPDYF_run() select(2) is a cranky interface; I'd pick something else first. select(2) can't handle file descriptors larger than 1024, which limits the utility of the server.
- Much of the code needs to be run through indent; the project ought to pick a coding style and enforce it. Mixing coding styles within one source file is exhausting to read.
- Commented-out code is confusing. Consider deleting each piece of commented-out code.

Lintian errors and warnings:

E: libmicrohttpd10: postinst-must-call-ldconfig usr/lib/x86_64-linux-gnu/libmicrohttpd.so.10.34.0
W: libmicrohttpd-dev: info-document-missing-image-file usr/share/info/libmicrohttpd.info.gz performance_data.png
E: libmicrospdy0: postinst-must-call-ldconfig usr/lib/x86_64-linux-gnu/libmicrospdy.so.0.0.0

The build logs are slightly noisy with ignored error returns from read(), write(), asprintf() and dpkg-gencontrol warnings about -is and -ip parameters.

Much of the code looks careful and professional. Some of the code looks very immature and probably shouldn't have made it into a "library release", even with a version number 0.9.something. I think we should disable the SPDY libraries in our packaging: there's a lot of work left before they're production-ready, and I would not expect ABI or API stability from this library.

ACK from the security team for promoting libmicrohttpd to main with the provision that the SPDY libraries are either no longer built or remain in universe. We suggest removing them for the time being.
Please also address the lintian warnings and errors before release. Thanks

https://bugs.launchpad.net/bugs/1488341
Title: MIR: libmicrohttpd
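The three code-level findings above (unchecked asprintf() returns, a buffer leaked when realloc() fails, and a generic sockaddr treated as sockaddr_in6) share one theme: an error or type check skipped at the call site. As an added example, not code from libmicrohttpd or libmicrospdy, here is how each call looks when the check is present. The names growbuf, store_in_buffer(), build_request_line(), sockaddr_len() and the alloc_limit failure injection are constructed for this example and do not correspond to the project's own functions.

```c
/* Added example (not libmicrohttpd/libmicrospdy code). Names below are
 * constructed for illustration. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                     /* asprintf() on glibc */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Explicit prototype in case the feature macro above was seen too late. */
int asprintf(char **strp, const char *fmt, ...);

struct growbuf {
    char  *data;
    size_t len;
    size_t cap;
};

/* Constructed failure injection: requests larger than this fail with ENOMEM,
 * so the error path can be exercised without exhausting memory. 0 = no limit. */
static size_t alloc_limit = 0;

static void *limited_realloc(void *p, size_t n)
{
    if (alloc_limit != 0 && n > alloc_limit) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(p, n);
}

/* Appends n bytes to the buffer. The realloc() result goes into a temporary:
 * assigning it straight to b->data would drop the only pointer to the old
 * block when realloc() returns NULL, which is the leak described above.
 * Returns 0 on success, -1 on failure with the buffer left untouched. */
static int store_in_buffer(struct growbuf *b, const char *src, size_t n)
{
    if (n > b->cap - b->len) {
        size_t need = b->len + n;
        if (need < n) {                 /* size_t overflow guard */
            errno = EOVERFLOW;
            return -1;
        }
        char *tmp = limited_realloc(b->data, need);
        if (tmp == NULL)
            return -1;                  /* b->data still valid, caller can free it */
        b->data = tmp;
        b->cap  = need;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* asprintf() returns -1 on failure and leaves *strp undefined, so the return
 * value must be checked before the string is read or freed. */
static char *build_request_line(const char *method, const char *path)
{
    char *line = NULL;
    if (asprintf(&line, "%s %s HTTP/1.1", method, path) < 0)
        return NULL;                    /* do not read or free 'line' here */
    return line;
}

/* Check sa_family before interpreting a generic sockaddr as sockaddr_in6;
 * reading sockaddr_in6 fields from a sockaddr_in-sized object runs past its
 * end. Returns the address length for the family, or 0 if unknown. */
static socklen_t sockaddr_len(const struct sockaddr *sa)
{
    switch (sa->sa_family) {
    case AF_INET:  return sizeof(struct sockaddr_in);
    case AF_INET6: return sizeof(struct sockaddr_in6);
    default:       return 0;
    }
}

int main(void)
{
    struct growbuf b = { NULL, 0, 0 };
    struct sockaddr_in6 a6;
    memset(&a6, 0, sizeof a6);
    a6.sin6_family = AF_INET6;

    if (store_in_buffer(&b, "GET ", 4) != 0)
        return 1;
    alloc_limit = 6;                    /* force the next growth to fail */
    if (store_in_buffer(&b, "/index", 6) == 0)
        return 1;
    printf("after failed append: len=%zu cap=%zu (buffer intact)\n", b.len, b.cap);
    free(b.data);                       /* safe: neither leaked nor double-freed */

    char *line = build_request_line("GET", "/");
    if (line == NULL)
        return 1;
    puts(line);
    free(line);
    printf("sockaddr_in6 length: %u\n", (unsigned)sockaddr_len((struct sockaddr *)&a6));
    return 0;
}
```

The alloc_limit knob exists only so the realloc() failure branch can be driven deterministically; ASAN or valgrind, as the review suggests, would catch the leaky form of store_in_buffer() at runtime, but a temporary for the realloc() result removes the bug at the source.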