[Bug 1814997] Re: [MIR] libxmlb
Alex Murray
alex.murray at canonical.com
Tue Mar 5 00:48:47 UTC 2019
libxmlb is a recently developed and released library written in C to
allow applications to perform fast XPath queries against an XML document
without having to parse the entire document into memory. This is
designed to only support a subset of XPath for the purposes of fwupd
and other utilities. Provides a command-line xb-tool application in
/usr/lib which is not intended for end-users to run.
- CVE history: no
- Build-Depends: gir1.2-glib-2.0, gobject-introspection, gtk-doc-tools, libglib2.0-dev, libgirepository1.0-dev, meson, shared-mime-info, uuid-dev
- Does not daemonize
- No use of udev
- No pre/post inst/rm scripts
- No initscripts / systemd unit files
- No DBus services
- No setuid binaries
- No binaries added to PATH
- No sudo fragments
- No udev rules
- Unit tests run during package build - these look pretty comprehensive
- No cronjobs
- Clean build logs - no warnings during build other than for missing API documentation
- No subprocesses are spawned
- Memory management looks good, no obvious issues - uses core GLib
memory management functionality and string types etc. Care is taken on
memory copies etc to ensure buffers are appropriately sized.
- xb-tool always sets GIO_USE_VFS to local and overwrites
G_MESSAGES_DEBUG for logging purposes
- No privileged operations
- No cryptography
- No network connections
- Temporary files only used during unit tests
- No WebKit
- No JavaScript
- No PolicyKit
- Clean cppcheck
  - 1 false positive error for an uninitialised variable
Overall code is of high quality - also upstream has integrated support
for fuzzing so likely should be pretty robust against malicious inputs
from untrusted XML documents etc.
Security team ACK for promoting to main.
** Changed in: libxmlb (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/1814997
Title:
[MIR] libxmlb
Status in libxmlb package in Ubuntu:
Triaged
Bug description:
Rationale:
libxmlb is both a build and runtime dependency for fwupd 1.2.x and later.
It is also a dependency for newer versions of gnome-software and may eventually be a dependency of appstream.
Quality assurance:
No configuration needed
No debconf questions
No long term outstanding bugs
No known major bugs in Debian, Ubuntu or upstream tracker.
Maintained in Debian by EFI team
Runs test suite during build
Uses debian/watch
Standards:
Should be compatible to policy 4.3.0
Maintenance:
Should be set to Ubuntu foundations
However expected to be synced regularly
Security:
No CVEs
No services
No ports open
No executables in /sbin /usr/sbin
No suid or sgid