Comment 25 for bug 1891157

Revision history for this message
Seth Arnold (seth-arnold) wrote :

I reviewed golang-github-openprinting-goipp 1.0.0-1 as checked into
groovy. This shouldn't be considered a full audit but rather a quick
gauge of maintainability.

golang-github-openprinting-goipp is a low-level serializer/deserializer
for IPP protocol messages.

- CVE History:
  - No CVEs in our database
- Build-Depends:
  debhelper-compat (= 13),
  dh-golang,
  golang-any
- pre/post inst/rm scripts?
  none
- init scripts?
  none
- systemd units?
  none
- dbus services?
  none
- setuid binaries?
  none
- binaries in PATH?
  none
- sudo fragments?
  none
- polkit files?
  none
- udev rules?
  none
- unit tests / autopkgtests?
  pretty decent collection of smoketests
- cron jobs?
  none
- Build logs:
  No actual build, very clean

- Processes spawned?
  none
- Memory management?
  none
- File IO?
  none
- Logging?
  none
- Environment variable usage?
  none
- Use of privileged functions?
  none
- Use of cryptography / random number sources etc?
  none
- Use of temp files?
  none
- Use of networking?
  not directly, but will process data from a network. Looked clean.
- Use of WebKit?
  none
- Use of PolicyKit?
  none
- Any significant Coverity results?
  none (no build, no coverity)

decodeString() and decodeBytes() look like they could be made to hang
forever if the remote peer sends along a length of N but then doesn't send
along N actual bytes of data in the stream afterwards.

decodeString() does no well-formedness checks on inputs: no utf8
enforcement, no newlines / whitespace etc. This appears to be used with
Name inputs. Much of the code appears able to handle arbitrary bytes well
enough, but the String() method for Collection doesn't do anything to
ensure that an output Name doesn't have { or }, [ or ], or a comma, etc.
Injecting newlines and new headers is a quite popular exploit technique;
are these routines susceptible to similar problems?

There's a pretty decent array non-adversarial test cases.

 W: golang-github-openprinting-goipp source: debhelper-compat-file-is-missing
 W: golang-github-openprinting-goipp source: package-uses-deprecated-debhelper-compat-version 1
 E: golang-github-openprinting-goipp source: package-uses-debhelper-but-lacks-build-depends
 W: golang-github-openprinting-goipp source: newer-standards-version 4.5.0 (current is 4.1.4)

Security team ACK for promoting golang-github-openprinting-goipp to main.