[Bug 1242561] Re: [MIR] libestr
Seth Arnold
1242561 at bugs.launchpad.net
Sat Nov 23 03:42:42 UTC 2013
NAK on libestr 0.1.5-2.
While auditing this code I discovered a flaw in the es_unescapeStr()
function -- luckily, it's been discovered and fixed in 0.1.6:
http://libestr.adiscon.com/uncategorized/libestr-0-1-6-2/
The flaws fixed in newer versions look too important to only fix this
one issue.
The overall code quality looks decent, despite the sobering entries in
the changelog, so I'm inclined to accept a future version.
A unit test suite is sorely lacking; even simple tests of
es_unescapeStr() should have found the flaws I discovered by manual
inspection.
Thanks
** Changed in: libestr (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libestr in Ubuntu.
https://bugs.launchpad.net/bugs/1242561
Title:
[MIR] libestr
Status in “libestr” package in Ubuntu:
New
Bug description:
The new upstream version of rsyslog found in Debian unstable depends
unconditionally on libestr. As a string handling library that will be
used by a privileged process, this is a fairly security-sensitive
library.
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libestr and
http://people.canonical.com/~ubuntu-security/cve/universe.html show
zero CVEs for this package, but as a little-known library that's only
been around for 3 years, a more thorough security audit is probably
needed. The source does build cleanly with -Werror -Wall, which is a
hopeful sign.
The package has no other dependencies.
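The review above faults libestr for shipping no unit tests and notes that even simple tests of es_unescapeStr() would have caught the defects found by inspection. The following is an added example, not libestr's code and not the flaw the reviewer found (the message does not describe it): a hypothetical, length-bounded unescape routine (`unescape_str`) together with the kind of table-driven boundary tests (`run_unescape_tests`) a reviewer would want to see in a string library used by a privileged process. Names, escape set and return convention are assumptions for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a C-style unescape routine (not libestr's
 * es_unescapeStr). Decodes backslash escapes from in[0..inlen) into out,
 * never reading past inlen and never writing past outcap.
 * Returns the number of bytes written, or -1 on a malformed or
 * truncated escape sequence or when out is too small. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

long unescape_str(const char *in, size_t inlen, char *out, size_t outcap) {
    size_t i = 0, o = 0;
    while (i < inlen) {
        char c = in[i++];
        if (c != '\\') {
            if (o >= outcap) return -1;
            out[o++] = c;
            continue;
        }
        /* A backslash must be followed by at least one more byte
         * inside the input buffer; a trailing lone backslash is an error. */
        if (i >= inlen) return -1;
        char e = in[i++];
        char decoded;
        switch (e) {
        case 'n':  decoded = '\n'; break;
        case 't':  decoded = '\t'; break;
        case 'r':  decoded = '\r'; break;
        case '\\': decoded = '\\'; break;
        case '"':  decoded = '"';  break;
        case 'x': {
            /* \xHH needs exactly two hex digits, both inside the buffer. */
            if (i + 2 > inlen) return -1;
            int hi = hexval((unsigned char)in[i]);
            int lo = hexval((unsigned char)in[i + 1]);
            if (hi < 0 || lo < 0) return -1;
            decoded = (char)((hi << 4) | lo);
            i += 2;
            break;
        }
        default:
            return -1; /* unknown escape: reject rather than guess */
        }
        if (o >= outcap) return -1;
        out[o++] = decoded;
    }
    return (long)o;
}

/* Table-driven unit tests of the kind the review asks for: each case
 * pins down one ordinary or boundary input (constructed test data).
 * Returns the number of failing cases, 0 when everything passes. */
int run_unescape_tests(void) {
    struct { const char *in; long want_len; const char *want; } cases[] = {
        { "plain",       5, "plain" },
        { "a\\nb",       3, "a\nb"  },
        { "\\\\",        1, "\\"    },
        { "\\x41\\x42",  2, "AB"    },
        { "",            0, ""      },
        { "trailing\\", -1, NULL    }, /* lone backslash at end of input */
        { "\\xZ1",      -1, NULL    }, /* non-hex digits after \x */
        { "\\x4",       -1, NULL    }, /* hex escape cut off by end of input */
        { "\\q",        -1, NULL    }, /* unknown escape */
    };
    int failures = 0;
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        char buf[32];
        long n = unescape_str(cases[k].in, strlen(cases[k].in), buf, sizeof buf);
        if (n != cases[k].want_len ||
            (n >= 0 && memcmp(buf, cases[k].want, (size_t)n) != 0)) {
            fprintf(stderr, "case %zu failed: got %ld\n", k, n);
            failures++;
        }
    }
    /* Output capacity is honoured: five bytes must not fit in four. */
    char tiny[4];
    if (unescape_str("12345", 5, tiny, sizeof tiny) != -1) failures++;
    return failures;
}

int main(void) {
    int f = run_unescape_tests();
    printf("%d failing case(s)\n", f);
    return f != 0;
}
```

The point of the table is that the malformed rows (trailing backslash, truncated or non-hex `\x` sequence, undersized output buffer) are exactly the inputs a manual audit has to reason about; encoding them as tests turns that one-off reasoning into a check that runs on every build.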