MIR Review for libfcgi-perl:

* builds with only main enabled with no compiler warnings or errors
* it has a small test script that is used in the build
* no Ubuntu delta
* has a watch file
* the package is up to date
* the package is lintian clean
* debian/rules is clean
* as mentioned, no bugs in LP or Debian
Security review for libfcgi-perl:

* This script provides a perl library so it doesn't ship any initscripts, upstart jobs, dbus services, daemons or cron jobs. No setuid or fscap'd programs are installed and there is no use of sudo.
* There was one CVE in a deprecated interface, but it was fixed in a timely fashion with minimal effort.
* For its C code:
  - it creates its own wrapper functions for malloc and string operations, and these wrappers check return codes and ensure strings are nul terminated. Spot-checking use of sprintf, it is quite careful to make sure strings are the proper size, etc.
  - it uses strcpy() in a few places, but doesn't always verify the length of the src. However, where this happens stack-protector should intervene. It also looks like in these places only a very poorly written program would allow attacker control of these functions without input sanitizing.
  - OS_SpawnChild() doesn't use umask(0) when spawning a child, but as this is a library, it probably makes sense for callers of OS_SpawnChild() to do this.
  - it creates its own wrapper functions for read() and write() (OS_Read and OS_Write respectively). While the wrappers themselves don't check return codes, all usage of OS_Read() and OS_Write() do.

** Changed in: libfcgi-perl (Ubuntu)
   Status: New => Fix Committed

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libfcgi-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1011597

Title:
  [MIR] libfcgi-perl, libcgi-fast-perl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libfcgi-perl/+bug/1011597/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
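As an added illustration of the wrapper pattern the review credits the C code with (a bounded string copy that always nul-terminates, and an allocation wrapper that checks its return code), this is example code, not code from libfcgi or the libfcgi-perl package. The names safe_string_copy, checked_malloc, copied_length and copy_truncated are hypothetical, and the over-long name=value input is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrapper in the style the review credits libfcgi with: copies at
 * most dst_size-1 bytes and always NUL-terminates dst. Returns strlen(src) so
 * the caller can detect truncation (return value >= dst_size). */
size_t safe_string_copy(char *dst, size_t dst_size, const char *src)
{
    size_t need = strlen(src);
    if (dst_size == 0) return need;
    size_t n = need < dst_size ? need : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return need;
}

/* Checked allocation: a failed malloc() aborts loudly instead of returning NULL
 * for some later write to turn into a crash or a silent short copy. */
void *checked_malloc(size_t size)
{
    void *p = malloc(size ? size : 1);
    if (p == NULL) {
        fprintf(stderr, "checked_malloc(%zu): %s\n", size, strerror(errno));
        abort();
    }
    return p;
}

/* Length of the string left in a dst_size buffer; always < dst_size. */
size_t copied_length(const char *src, size_t dst_size)
{
    char *dst = checked_malloc(dst_size);
    safe_string_copy(dst, dst_size, src);
    size_t len = strlen(dst); /* safe: termination is guaranteed */
    free(dst);
    return len;
}

/* 1 if src did not fit in dst_size bytes, 0 if it was copied whole.
 * Constructed sample: copy_truncated("SCRIPT_FILENAME=/x", 8) is 1. */
int copy_truncated(const char *src, size_t dst_size)
{
    char *dst = checked_malloc(dst_size);
    int truncated = safe_string_copy(dst, dst_size, src) >= dst_size;
    free(dst);
    return truncated;
}
```

Contrast this with a bare strcpy() into a fixed buffer, where an over-long src is exactly the case that leaves the stack protector as the last line of defence the review mentions.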