I reviewed marisa 0.2.6-3~exp2ubuntu2 as checked into hirsute. This shouldn't
be considered a full audit but rather a quick gauge of maintainability.

marisa is a trie-based data structure. There are both a library package and
command-line interfaces, as well as bindings for Ruby, Python, and Perl.


- CVE History:
  - None in our database
- Build-Depends?
  - chrpath, debhelper-compat, dh-python, perl, pkg-kde-tools, 
    python3-all-dev, ruby, ruby-dev, swig
- pre/post inst/rm scripts?
  - automatically-added python stuff
- init scripts?
  - None
- systemd units?
  - None
- dbus services?
  - None
- setuid binaries?
  - None
- binaries in PATH?
  -rwxr-xr-x root/root ./usr/bin/marisa-benchmark 
  -rwxr-xr-x root/root ./usr/bin/marisa-build
  -rwxr-xr-x root/root ./usr/bin/marisa-common-prefix-search
  -rwxr-xr-x root/root ./usr/bin/marisa-dump
  -rwxr-xr-x root/root ./usr/bin/marisa-lookup
  -rwxr-xr-x root/root ./usr/bin/marisa-predictive-search
  -rwxr-xr-x root/root ./usr/bin/marisa-reverse-lookup
- sudo fragments?
  - None
- polkit files?
  - None
- udev rules?
  - None
- unit tests / autopkgtests?
  - Pretty extensive; debian/tests/ runs some simple bindings tests, too
- cron jobs?
  - None
- Build logs:
  - Some deprecation warnings in Ruby bindings, not too bad

- Processes spawned?
  - None
- Memory management?
  - Manual-style C++ memory management; it looked good
- File IO?
  - File paths are provided by clients; Coverity reported a race condition
    between a stat and an mmap call, a minor issue
- Logging?
  - None
- Environment variable usage?
  - None
- Use of privileged functions?
  - None
- Use of cryptography / random number sources etc?
  - None
- Use of temp files?
  - None
- Use of networking?
  - None
- Use of WebKit?
  - None
- Use of PolicyKit?
  - None

- Any significant cppcheck results?
  - two false positives, nothing else
- Any significant Coverity results?
  - many false positives, one minor TOCTTOU bug
- Any significant shellcheck results?
  - the only results are in Debian's tests
- Any significant bandit results?
  - None
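The stat/mmap race that Coverity flagged (under "File IO?" and "Coverity results" above) is the classic TOCTTOU shape: a size is read from a path, and the mapping is taken from a descriptor opened afterwards. The following C is an added illustration of that pattern and of the fstat-on-descriptor idiom that closes the window; it is not marisa's code, and the temp-file path and sample bytes are constructed for the demo.

```c
#define _GNU_SOURCE
/* Added illustration, not marisa's code: stat()-then-mmap() TOCTTOU beside
 * the open()-then-fstat() idiom that keeps size and mapping on one inode. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

struct mapped_file {
    void *addr;
    size_t size;
};

/* Racy variant: the size comes from stat() on the PATH, but the mapping is
 * taken from a descriptor opened afterwards. If the path is replaced between
 * the two calls (rename, symlink swap, truncate), `size` describes a different
 * file than the one mapped: too large and reads past the real end raise
 * SIGBUS, too small and the data is silently truncated. */
int map_file_racy(const char *path, struct mapped_file *out) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;            /* time of check */
    int fd = open(path, O_RDONLY);                  /* time of use   */
    if (fd < 0) return -1;
    void *addr = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);                                      /* mapping survives close */
    if (addr == MAP_FAILED) return -1;
    out->addr = addr;
    out->size = (size_t)st.st_size;
    return 0;
}

/* Hardened variant: open first, then fstat() the descriptor. Size and mapping
 * now refer to the same inode, so directory-entry changes by a concurrent
 * writer cannot desynchronise them. Rejects non-regular files and handles the
 * zero-length case, which mmap() would otherwise refuse with EINVAL. */
int map_file_safe(const char *path, struct mapped_file *out) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    if (st.st_size == 0) { close(fd); out->addr = NULL; out->size = 0; return 0; }
    void *addr = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (addr == MAP_FAILED) return -1;
    out->addr = addr;
    out->size = (size_t)st.st_size;
    return 0;
}

void unmap_file(struct mapped_file *m) {
    if (m->addr) munmap(m->addr, m->size);
    m->addr = NULL;
    m->size = 0;
}

/* Demo helper: write constructed sample bytes to a temp file, map it with the
 * safe variant, verify the contents, and return the mapped length (or -1). */
long demo_map_sample(void) {
    char tmpl[] = "/tmp/marisa-toctou-XXXXXX";   /* constructed sample path */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    const char sample[] = "constructed trie bytes";   /* constructed content */
    ssize_t want = (ssize_t)(sizeof sample - 1);
    if (write(fd, sample, (size_t)want) != want) { close(fd); unlink(tmpl); return -1; }
    close(fd);
    struct mapped_file m = { NULL, 0 };
    long result = -1;
    if (map_file_safe(tmpl, &m) == 0) {
        result = (m.size == (size_t)want && memcmp(m.addr, sample, m.size) == 0)
                 ? (long)m.size : -1;
        unmap_file(&m);
    }
    unlink(tmpl);
    return result;
}

int main(void) {
    printf("mapped %ld bytes via open+fstat\n", demo_map_sample());
    return 0;
}
```

The severity assessment above ("minor") fits this class: an attacker needs write access to the directory holding the client-supplied path, and the usual consequence is a crash or truncated read rather than memory corruption, but the fstat form costs nothing and removes the window entirely.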

The actual trie portion of marisa is pretty involved. We will need to rely
on upstream for support of the computational pieces. The interoperation 
portions of marisa are fairly straightforward older-style C++. This
looked fine.

Security team ACK for promoting marisa to main.


** Changed in: marisa (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: marisa (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1914808

Title:
  [MIR] marisa

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/marisa/+bug/1914808/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs