[MIR]: libyang2

Bug #1958293 reported by Andreas Hasenack
Affects: libyang2 (Ubuntu) | Status: Fix Released | Importance: Critical | Assigned to: Unassigned

Bug Description

[Availability]
The package libyang2 is already in Ubuntu universe.
The package libyang2 builds for the architectures it is designed to work on.
It currently builds and works for architectures (all but i386): amd64 arm64 armhf ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libyang2

[Rationale]
- The package libyang2 is a new runtime dependency of package frr
  which is an ongoing MIR at #1951834

[Security]
- Search in the National Vulnerability Database using the PKG as keyword
  http://cve.mitre.org/cve/search_cve_list.html
libyang had quite a few CVEs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libyang
But all in major version 1. Version 2 (subject of this MIR) doesn't have CVEs yet.

Going over the above CVEs for 2021, for example, shows that only gentoo issued advisories. The remaining ones for 2019 had a mix of Redhat and Fedora advisories, and not even gentoo ones.

- check OSS security mailing list (feed into search engine
  'site:www.openwall.com/lists/oss-security <pkgname>')
No results (libyang2, libyang). "yang" returns results for a person with that name.

Not a single triaged CVE for libyang v1: https://ubuntu.com/security/cve?q=&package=libyang&priority=&version=&status=
v2 has no Ubuntu CVEs (makes sense: it's a new package in jammy): https://ubuntu.com/security/cve?q=&package=libyang&priority=&version=&status=

Debian security tracker: https://security-tracker.debian.org/tracker/source-package/libyang
libyang2 has no entries yet in the debian security tracker: https://security-tracker.debian.org/tracker/source-package/libyang2

Looks like Debian never issued a DSA for these.

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services
- libyang is a schema validator, and bugs can become vulnerabilities if untrusted input is parsed incorrectly.

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has not too many
  and long term critical bugs open
No launchpad bugs for either libyang or libyang2

- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libyang
  CVE bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989060
  Probably not handled because libyang2 is replacing libyang(1), and doesn't have these vulns
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libyang2
  No bugs yet against libyang2

- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
The package has a test suite, but it was originally disabled. I filed this bug and enabled it: https://bugs.launchpad.net/ubuntu/+source/libyang2/+bug/1958385

The current package in jammy runs tests at build time:

libyang2 (2.0.112-6ubuntu1) jammy; urgency=medium

  * Enable build time tests (LP: #1958385):
    - d/rules: set -DENABLE_TESTS=ON
    - d/p/fix-test-suite-wrt-FILE.patch: fix test suite failure due
      to __FILE__ being a relative path

 -- Andreas Hasenack <email address hidden> Thu, 20 Jan 2022 21:03:40 +0000

Upstream already provided a fix for the test failures.

- The package runs an autopkgtest, and is currently passing on
  all arches except i386 (it's not built for i386):
  https://autopkgtest.ubuntu.com/packages/libyang2

- The package does not have failing autopkgtests right now

[Quality assurance - packaging]
- debian/watch is present and works

- lintian run is ok-ish:
$ lintian -I --pedantic
E: libyang2 changes: bad-distribution-in-changes-file unstable
W: libyang2-tools: groff-message usr/share/man/man1/yanglint.1.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8
W: libyang2-tools: groff-message usr/share/man/man1/yangre.1.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8
I: libyang2 source: out-of-date-standards-version 4.5.0 (released 2020-01-20) (current is 4.5.1)
I: libyang2: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libyang.so.2.13.7 unkown unknown
I: libyang2: symbols-file-missing-build-depends-package-field
I: libyang2 source: unused-file-paragraph-in-dep5-copyright paragraph at line 13
I: libyang2 source: unused-file-paragraph-in-dep5-copyright paragraph at line 138
I: libyang2 source: unused-file-paragraph-in-dep5-copyright paragraph at line 17
I: libyang2 source: unused-file-paragraph-in-dep5-copyright ... use --no-tag-display-limit to see all (or pipe to a file/program)
I: libyang2 source: wildcard-matches-nothing-in-dep5-copyright */iana-*.yin (line 24)
I: libyang2 source: wildcard-matches-nothing-in-dep5-copyright linenoise/* (line 37)
I: libyang2 source: wildcard-matches-nothing-in-dep5-copyright swig/* (line 9)
I: libyang2 source: wildcard-matches-nothing-in-dep5-copyright ... use --no-tag-display-limit to see all (or pipe to a file/program)
P: libyang2 source: package-uses-old-debhelper-compat-version 10
P: libyang2 source: silent-on-rules-requiring-root

- Lintian overrides are not present

- This package does not rely on obsolete or about to be demoted packages.
Note that libyang1 relied on pcre3, but libyang2 (this package) uses pcre2 already.

- This package has no python2 or GTK2 dependencies

- The package will not be installed by default

- Packaging and build is easy: https://git.launchpad.net/ubuntu/+source/libyang2/tree/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main
$ check-mir
Checking support status of build dependencies...
 * libcmocka-dev binary and source package is in universe

Checking support status of binary dependencies...
 * libyang2 binary and source package is in universe
 * libyang2 binary and source package is in universe
 * libyang2-tools binary and source package is in universe

cmocka is used for unit tests only, at build time, when enabled

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Server Team is not yet, but will subscribe to the package before promotion

- This does not use static builds
- This does not use vendored code

[Background information]
- The Package description explains the package well
- Upstream Name is libyang
- Link to upstream project: https://github.com/CESNET/libyang/

Tags: server-todo
description: updated
tags: added: server-todo
summary: - [MIR}: libyang2
+ [MIR]: libyang2
description: updated
Changed in libyang2 (Ubuntu):
assignee: nobody → Ioanna Alifieraki (joalif)
Revision history for this message
Ioanna Alifieraki (joalif) wrote :

Review for Package: src:libyang2

[Summary]
libyang2 source package is a parser toolkit for IETF YANG data modelling.
It provides:
* the library (libyang2) which implements functions to process schemas expressed in
YANG data modelling language. The schemas primarily describe network equipment configuration.
* development files (libyang2-dev)
* executable tools (libyang2-tools, libyang-tools) which can be used for the creation
of IETF YANG schemas.

MIR team ACK

This does need a security review because it parses data formats, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: libyang2, libyang2-dev
Specific binary packages built, but NOT to be promoted to main: libyang2-tools, libyang-tools (no dependency on them)

Notes:
Recommended TODOs:
- The package provides one autopackage test. It would be nice to have more.
- In the buildlog (https://launchpadlibrarian.net/581476001/buildlog_ubuntu-jammy-amd64.libyang2_2.0.112-6ubuntu1_BUILDING.txt.gz)
  there are 2 warnings reported many times. It would be nice to report them upstream to be fixed.
  The warnings are:
  ../.././src/parser_json.c: In function ‘lydjson_data_skip’:
  ../.././src/parser_json.c:304:46: warning: ‘current’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  ../.././src/parser_json.c:283:39: note: ‘current’ was declared here

  ../.././src/schema_compile_node.c: In function ‘lys_compile_node_’:
  ../.././src/schema_compile_node.c:2438:19: warning: ‘list’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  ../.././src/schema_compile_node.c:2426:28: note: ‘list’ was declared here

[Duplication]
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - checked with check-mir
  - not listed in seeded-in-ubuntu
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
   more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
- No vendoring used, all Built-Using are in main

Problems: None

[Security]

OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- package does parse data-formats

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build.
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubunt...


Changed in libyang2 (Ubuntu):
assignee: Ioanna Alifieraki (joalif) → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Christian Ehrhardt (paelzer) wrote :

This is requested by security to be in Jammy for reasonable long term support of the routing daemon.
Setting prio critical and milestone to jammy-FF

Changed in libyang2 (Ubuntu):
milestone: none → ubuntu-22.04-feature-freeze
importance: Undecided → Critical
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Fix for #1960748 uploaded.

Revision history for this message
Steve Beattie (sbeattie) wrote :

I reviewed libyang2 2.0.112-6ubuntu2 as checked into jammy.
This shouldn't be considered a full audit but rather a quick gauge
of maintainability. The libyang2 source package is a rename of
libyang based on the upstream 2.0 version, which included a new parser;
the libyang source package has not yet been removed from the archive.

libyang2 is a library for processing IETF YANG data modeling schemas,
used primarily for expressing network configuration for networking
equipment.

- CVE History:
  - Roughly fifteen or so CVEs affecting libyang. Upstream is generally
    responsive to reports.
- Build-Depends
  - libpcre2 (ok)
- No pre/post inst/rm scripts
- No init scripts.
- No systemd units.
- No dbus services.
- No setuid binaries.
- Two binaries in PATH, used primarily for schema validation and
  development
- No sudo fragments.
- No polkit files.
- No udev rules.
- tests:
  - significant unit tests run during the build
  - very limited autopkgtests, that only exercise the cli tools
- No cron jobs.
- Build logs:
  - more build time tests on the cli tools could be run if the shunit2
    package was installed
  - build logs mostly clean, some possible uninitialized value warnings
    (from -Wmaybe-uninitialized)
  - lintian warnings are fine

- No processes spawned.
- Memory management is generally okay, some error checking macros are
  present to assist with allocation errors.
- File IO is okay.
- Logging has complex infrastructure, but okay
- Environment variable usage is okay. Alternate plugin and extension
  directories can be specified via env vars, but it's hard to see how
  this can be abused.
- Uses ioctl in the cli tools for querying window size.
- No obvious use of cryptography / random number sources.
- Lint tool uses a known temp file name when recompiled with debugging
  macros enabled (disabled by default)
- No obvious use of networking, parses ip addrs in config files
- No use of WebKit.
- No use of PolicyKit.

- cppcheck reported a large number of memory leaks plus a few double
  frees, but these look to be likely false positives.
- Coverity flagged a few issues outside of the tests that also mostly
  look to be false positives.

Overall code looks fine, if macro heavy, which seems to confuse static
analyzers. Upstream is responsive to issues.

Security team ACK for promoting libyang2 to main.

Changed in libyang2 (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Revision history for this message
Christian Ehrhardt (paelzer) wrote :

Thank you Steve!

Changed in libyang2 (Ubuntu):
status: New → In Progress
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I got confirmation[1] in #ubuntu-meeting today (but sadly after the MIR team meeting ended) that libyang2 has an ACK from MIR:

<ahasenack> hi guys, I missed the meeting, can this also be set to committed? https://bugs.launchpad.net/ubuntu/+source/libyang2/+bug/1958293
<ahasenack> I think it's done
<ubottu> Launchpad bug 1958293 in libyang2 (Ubuntu) "[MIR]: libyang2" [Critical, In Progress]
<ahasenack> and https://bugs.launchpad.net/ubuntu/+source/frr/+bug/1951834 which depended on libyang2 being acked
<ubottu> Launchpad bug 1951834 in frr (Ubuntu) "[MIR]: frr" [Critical, In Progress]
<ahasenack> sarnold: ^ security was the last step?
<ahasenack> or does it go back to MIR, who then decide if it's done or not?
* didrocks has quit (Quit: WeeChat 3.4)
<slyon> ahasenack: we have MIR team ACK and security team ACK on libyang2, so that's done. It can be "In Progress" or "Fix Committed" depending on the change that pulls it into main
<slyon> ahasenack: Both those MIRs are "In Progress" (i.e. ready to be promoted). So you could do the seed change for frr and set both bugs to "Fix Committed"

Setting the bug to "fix committed".

1. https://irclogs.ubuntu.com/2022/02/22/%23ubuntu-meeting.html#t16:11

Changed in libyang2 (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

ubuntu-server will subscribe to this package, I'm just trying to find the right knobs, maybe I don't have privileges and will have to wait for @cpaelzer tomorrow

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Subscription sorted out

Revision history for this message
Steve Langasek (vorlon) wrote :

Override component to main
libyang2 2.0.112-6ubuntu2 in jammy: universe/misc -> main
libyang-tools 2.0.112-6ubuntu2 in jammy amd64: universe/devel/optional/100% -> main
libyang-tools 2.0.112-6ubuntu2 in jammy arm64: universe/devel/optional/100% -> main
libyang-tools 2.0.112-6ubuntu2 in jammy armhf: universe/devel/optional/100% -> main
libyang-tools 2.0.112-6ubuntu2 in jammy i386: universe/devel/optional/100% -> main
libyang-tools 2.0.112-6ubuntu2 in jammy ppc64el: universe/devel/optional/100% -> main
libyang-tools 2.0.112-6ubuntu2 in jammy riscv64: universe/devel/optional/100% -> main
libyang-tools 2.0.112-6ubuntu2 in jammy s390x: universe/devel/optional/100% -> main
libyang2 2.0.112-6ubuntu2 in jammy amd64: universe/libs/optional/100% -> main
libyang2 2.0.112-6ubuntu2 in jammy arm64: universe/libs/optional/100% -> main
libyang2 2.0.112-6ubuntu2 in jammy armhf: universe/libs/optional/100% -> main
libyang2 2.0.112-6ubuntu2 in jammy ppc64el: universe/libs/optional/100% -> main
libyang2 2.0.112-6ubuntu2 in jammy riscv64: universe/libs/optional/100% -> main
libyang2 2.0.112-6ubuntu2 in jammy s390x: universe/libs/optional/100% -> main
libyang2-dev 2.0.112-6ubuntu2 in jammy amd64: universe/libdevel/optional/100% -> main
libyang2-dev 2.0.112-6ubuntu2 in jammy arm64: universe/libdevel/optional/100% -> main
libyang2-dev 2.0.112-6ubuntu2 in jammy armhf: universe/libdevel/optional/100% -> main
libyang2-dev 2.0.112-6ubuntu2 in jammy ppc64el: universe/libdevel/optional/100% -> main
libyang2-dev 2.0.112-6ubuntu2 in jammy riscv64: universe/libdevel/optional/100% -> main
libyang2-dev 2.0.112-6ubuntu2 in jammy s390x: universe/libdevel/optional/100% -> main
libyang2-tools 2.0.112-6ubuntu2 in jammy amd64: universe/devel/optional/100% -> main
libyang2-tools 2.0.112-6ubuntu2 in jammy arm64: universe/devel/optional/100% -> main
libyang2-tools 2.0.112-6ubuntu2 in jammy armhf: universe/devel/optional/100% -> main
libyang2-tools 2.0.112-6ubuntu2 in jammy ppc64el: universe/devel/optional/100% -> main
libyang2-tools 2.0.112-6ubuntu2 in jammy riscv64: universe/devel/optional/100% -> main
libyang2-tools 2.0.112-6ubuntu2 in jammy s390x: universe/devel/optional/100% -> main
26 publications overridden.

Changed in libyang2 (Ubuntu):
status: Fix Committed → Fix Released