[Bug 1990655] [NEW] MIR: libgit2, http-parser
Simon Chopin
1990655 at bugs.launchpad.net
Fri Sep 23 11:15:12 UTC 2022
Public bug reported:
[Availability]
The packages libgit2 and http-parser are already in Ubuntu universe.
They both build for the architectures they are designed to work on.
They currently build and work for architectures: amd64 arm64 armhf i386 s390x ppc64el riscv64
Link to packages:
* [[https://launchpad.net/ubuntu/+source/http-parser]]
* [[https://launchpad.net/ubuntu/+source/libgit2]]
[Rationale]
libgit2 is needed in main as a dependency of src:cargo, and http-parser is a
dependency of libgit2. cargo will be the subject of a separate MIR. Given that
there are several non-trivial dependencies for cargo, I figured splitting them
up in multiple MIRs would make it easier.
Cargo itself will be MIRed as part of the effort to support Rust as a build language for
packages in main.
It would be great and useful to community/processes to have the packages
libgit2 and http-parser in Ubuntu main, but there is no definitive deadline.
In particular, they must not be promoted unless src:cargo enters the archive.
[Security]
The http-parser package originated as part of the nodejs project. Because of that,
while there are no CVE registered for http-parser itself, these CVEs were found that
affected the http-parser code. Sadly, it's usually not obvious which commit fixed
the issue, only the release itself :slightly_frowning_face:.
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2086: Fixed in 2.6.1. As evidenced by https://github.com/nodejs/http-parser/commit/e2e467b91262246b339fb3d80c8408d498b4a43b the fix was made privately within the nodeJS project and then backported in a "bulk" commit to the separate http-parser project.
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2216: Fixed in 2.6.1. See above.
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7159: Fixed in 2.8.1 by https://github.com/nodejs/http-parser/commit/01da95feade5e5612499f5374498e7968c1a4a82, which was also discussed in private within the node project.
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12121: Only valid in the context of client code, the lib itself already provides the necessary APIs
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900: Originated in envoyproxy but also discussed publicly and fixed in http-parser in 2.9.1 by https://github.com/nodejs/http-parser/pull/469
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8287: Fixed in Ubuntu, but not upstream, despite the fix available as a PR: https://github.com/nodejs/http-parser/pull/530
libgit2 is easier to analyze from a security history PoV, with a
dedicated page to list their various security releases:
https://libgit2.org/security/
Here are the CVEs that affected libgit2:
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390: First round of fixes in 0.21.3, with a subsequent related release 0.22.1. Presumably the fixes are in the commits dated Dec 17, 2014 of https://github.com/libgit2/libgit2/commits/v0.21.3 and the last commits of https://github.com/libgit2/libgit2/commits/v0.22.1 . The vulnerability was widespread throughout the Git community, with pretty much all implementations vulnerable: https://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8568 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8569 are not listed on the upstream security page (perhaps not considered security issues because "only" DoS?) but were addressed in https://github.com/libgit2/libgit2/pull/3956 subsequently published in 0.24.3
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10128: Affecting 0.24, fixed in 0.24.6, see https://github.com/libgit2/libgit2/commit/4ac39c76c0153d1ee6889a0984c39e97731684b2
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10129 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10130 both fixed in 0.24.6 and 0.25.1, published in a bulk security fixes PR: https://github.com/libgit2/libgit2/pull/4076 presumably discussed on a private ML beforehand.
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8098 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8099 were fixed in 0.26.2 ( https://github.com/libgit2/libgit2/pull/4575 )
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10887 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10888 were both fixed in 0.27.3 in this PR: https://github.com/libgit2/libgit2/pull/4717 which presumably originated from private ML discussions beforehand.
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15501 (found by fuzzing from oss-fuzz) was fixed in releases 0.26.6 and 0.27.4, see https://github.com/libgit2/libgit2/pull/4756 and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9406
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12278 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12279 (NTFS-related vulnerabilities) were both fixed in 0.28.4 and 0.99.0, while not mentioned on the upstream security page.
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348 up to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1354 are all Git CVEs that were also addressed in 0.28.4 and 0.27.10
Please note that there are multiple items mentioned on the upstream
security page that do not have an associated CVE.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Packages do not install services, timers or recurring jobs
- Packages do not open privileged ports (ports < 1024)
- Packages do not contain extensions to security-sensitive software
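The first three checklist items above can be verified mechanically against an unpacked package. The following POSIX shell script is an added example for this report, not part of the MIR tooling or of either package: it runs the setuid/setgid, /sbin-executable and services/timers/cron-job checks over a directory tree such as one produced by `dpkg-deb -x`. The `.deb` file name in the comment is a placeholder, and the remaining two items (privileged ports, extensions to security-sensitive software) need code review rather than a filesystem scan.

```shell
#!/bin/sh
# Filesystem checks from the MIR security checklist, run against an unpacked
# package tree, for example:
#   dpkg-deb -x PACKAGE_FILE.deb tree && mir_fs_checks tree
# (PACKAGE_FILE.deb is a placeholder.) Added example; not part of the MIR
# process tooling, libgit2 or http-parser.

# mir_fs_checks TREE
# Prints one "check: /path" line per finding, with paths relative to the tree
# root. Returns 0 when the tree is clean and 1 when anything was flagged.
mir_fs_checks() {
    root=${1%/}
    [ -d "$root" ] || { echo "mir_fs_checks: not a directory: $1" >&2; return 2; }

    report=$(
        # 1. setuid or setgid regular files anywhere in the tree
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
            | sed "s|^$root|suid-sgid: |"

        # 2. executable files shipped under /sbin or /usr/sbin
        set --
        for d in "$root/sbin" "$root/usr/sbin"; do
            if [ -d "$d" ]; then set -- "$@" "$d"; fi
        done
        [ $# -eq 0 ] || find "$@" -type f -perm -0100 \
            | sed "s|^$root|sbin-executable: |"

        # 3. systemd units, SysV init scripts and cron jobs: any regular file
        #    in these directories is a service, timer or recurring job
        set --
        for d in lib/systemd/system usr/lib/systemd/system etc/systemd/system \
                 etc/init.d etc/cron.d etc/cron.hourly etc/cron.daily \
                 etc/cron.weekly etc/cron.monthly; do
            if [ -d "$root/$d" ]; then set -- "$@" "$root/$d"; fi
        done
        [ $# -eq 0 ] || find "$@" -type f \
            | sed "s|^$root|service-or-job: |"
    )

    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}
```

A library-only package such as libgit2 or http-parser should produce no output and exit 0; each flagged path names the checklist item it violates so the finding can be quoted directly in the MIR review.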
[Quality assurance - function/usage]
As libraries, the packages work well after installation (both the -dev and actual binaries)
[Quality assurance - maintenance]
libgit2 is reasonably well-maintained in Debian, and has a proficient upstream community backed by multiple companies.
Bug lists:
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libgit2/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libgit2
There's only one relevant important bug in Debian for it:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990136
http-parser is much more problematic. The package is supported in Debian, see
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/http-parser/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=http-parser
with the only outstanding important bug being
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914941
which is in fact not an issue for http-parser as a library, as the application level
has all the necessary APIs to modify the debated value. The CVE was only valid for
the particular case of nodejs.
However, the package has recently been explicitly declared unmaintained upstream.
The Foundations team is aware of this fact, and we have concluded internally that,
assuming Security team assent, we would take charge of the maintenance of the library
as long as it's needed by libgit2.
None of those packages deal with exotic hardware we cannot support.
[Quality assurance - testing]
Both packages have non-trivial test suites run at build-time such that their failure
entails build failure.
https://launchpadlibrarian.net/618827392/buildlog_ubuntu-kinetic-amd64.http-parser_2.9.4-5_BUILDING.txt.gz
https://launchpadlibrarian.net/610604824/buildlog_ubuntu-kinetic-amd64.libgit2_1.3.0+dfsg.1-3ubuntu1_BUILDING.txt.gz
RULE: - The package should, but is not required to, also contain
RULE: non-trivial autopkgtest(s).
libgit2 has only one autopkgtest which is relatively trivial (build against libgit2 and call one trivial function)
http-parser has only one autopkgtest that runs the package testsuite against the installed library.
Both packages only have failing tests on i386, which are being investigated
(failing due to i386 only being a partial architecture).
[Quality assurance - packaging]
Both packages have watchfiles, but the libgit2 one doesn't seem to work anymore (ongoing investigation)
- debian/control defines a correct Maintainer field
You'll find recent build logs there:
https://launchpadlibrarian.net/618827392/buildlog_ubuntu-kinetic-amd64.http-parser_2.9.4-5_BUILDING.txt.gz
https://launchpadlibrarian.net/610604824/buildlog_ubuntu-kinetic-amd64.libgit2_1.3.0+dfsg.1-3ubuntu1_BUILDING.txt.gz
Lintian overrides are present in http-parser regarding the lack of upstream
changelog, but are now erroneous.
libgit2 defines one override, debian-watch-does-not-check-gpg-signature
None of these packages depend on obsolete packages.
The packages will not be installed by default
Packaging and build are easy:
https://sources.debian.org/src/libgit2/1.3.0%2Bdfsg.1-3/debian/rules/
https://sources.debian.org/src/http-parser/2.9.4-5/debian/rules/
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because they are libraries.
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- These packages correctly follow FHS and Debian Policy
[Maintenance/Owner]
- Foundations team is already subscribed to the packages
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The packages successfully built during the most recent test rebuild
[Background information]
The package descriptions explain the packages well
Upstream Name is libgit2, see https://libgit2.org/
http-parser used to be a nodejs project, now declared unmaintained,
see https://github.com/nodejs/http-parser
** Affects: http-parser (Ubuntu)
Importance: High
Status: New
** Affects: libgit2 (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1990655