I reviewed libimobiledevice-glue 1.3.1-1 as checked into plucky. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
libimobiledevice-glue is a library with common code used by the libraries and tools around the libimobiledevice project. The following projects are currently using this library:
- libusbmuxd
- libimobiledevice
- usbmuxd
- libirecovery
- idevicerestore

- CVE History
  - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libimobiledevice lists a few CVEs but the only one affecting code that now belongs to this package is CVE-2016-5104 (already fixed). The majority of the rest belongs to a dependency of this package: libplist.
  - libimobiledevice contains the code from this library vendored and has 2 CVEs, one being CVE-2016-5104 that was affecting code present in socket.c, distributed in this library.
- Build-Depends
  - debhelper-compat (= 13),
  - pkgconf,
  - libplist-dev (>= 2.6),
- pre/post inst/rm scripts
  - none
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - none
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - It does not have tests.
  - It has autopkg tests.
- cron jobs
  - none
- Build logs
  - none
- Processes spawned
  - none
- Memory management
  - I found two possible issues. I already contacted Upstream to get more info.
- File IO
  - normal
- Logging
  - normal
- Environment variable usage
  - only getenv("COLOR")
- Use of privileged functions
  - none
- Use of cryptography / random number sources etc
  - this library has a copy of LibTomCrypt's sha1.c, sha256.c and sha512.c.
- Use of temp files
  - none
- Use of networking
  - normal
- Use of WebKit
  - none
- Use of PolicyKit
  - none
- Any significant cppcheck results
  - none
- Any significant Coverity results
  - none
- Any significant shellcheck results
  - none
- Any significant bandit results
  - none
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none

Some of the code present in this library is also being shipped in libimobiledevice-glue-1.3.1 in plucky, oracular, and noble and in usbmuxd-1.1.1 in plucky, oracular, and noble. Upstream removed these files in this commit: https://github.com/libimobiledevice/libimobiledevice/commit/ce7609375646cfb1e7d490579e172c37c74a0589

Upstream does not have a SECURITY.md file set up in their repo. I already contacted them to ask them if they could include one.

This library has a copy of LibTomCrypt's sha1.c, sha256.c and sha512.c. These files are not present in libimobiledevice-glue-1.3.1 nor in usbmuxd-1.1.1. These files have been added recently: https://github.com/libimobiledevice/libimobiledevice-glue/commit/510ca0e0dfc88acda8b86bfbfe44f4eec2e1b7d6

As Seth pointed out in the comment, can we switch to using OpenSSL instead?

Security team ACK for promoting libimobiledevice-glue to main

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5104

-- 
https://bugs.launchpad.net/bugs/2074086
Title: MIR libimobiledevice-glue
