[Bug 1748572] Re: [MIR] pysmi, pycryptodome

Seth Arnold 1748572 at bugs.launchpad.net
Fri Apr 6 00:56:25 UTC 2018


I reviewed pysmi version 0.2.2-1 as checked into bionic. This should not 
be considered a full security audit but rather a quick gauge of 
maintainability.

- No CVEs in our database
- pysmi can parse ASN.1 MIB files and emit JSON or Python code to work with
  data in the described format; there's infrastructure in place to work 
  around bugs in poorly-written MIB files, hosted on
  http://mibs.snmplabs.com/

- Build-Depends: debhelper, dh-python, python-all, python3-all, 
  python-ply, python3-ply, python-setuptools, python3-setuptools,
  python-pysnmp4, python3-pysnmp4, python3-sphinx,

- No cryptography
- Can do http / ftp / sftp
- Does not daemonize
- Auto-generated pre/post inst/rm scripts
- No initscripts / systemd files
- No DBus services
- No setuid files
- /usr/bin/mibdump in PATH
- No sudo fragments
- No udev rules
- Many tests run during the build
- No cronjobs
- Clean build logs

- No subprocesses spawned
- File handling is slightly complicated:
  - well-known locations can hold files
  - applications can request loading from other locations, including zips,
    remote resources, etc.
  - some of these inputs influence code generation but conversations with
    the author gave me confidence that this is still something we can 
    support
- minimal logging, looks safe
- No environment variable use
- No privileged operations
- No cryptography
- Can retrieve files over the network via multiple protocols
- No privileged portions of code
- mkstemp is used when temporary files are created
- No WebKit
- No JavaScript
- No PolicyKit

Code generation is a higher-risk activity but the author answered my 
questions quickly and confidently and has a clear threat model in mind 
that I believe accurately reflects our needs.

Security team ACK for promoting pysmi to main.

Thanks


** Changed in: pysmi (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to pysmi in Ubuntu.
https://bugs.launchpad.net/bugs/1748572

Title:
  [MIR] pysmi, pycryptodome

Status in pycryptodome package in Ubuntu:
  Fix Released
Status in pysmi package in Ubuntu:
  New

Bug description:
  [Rationale]

  The new version of python-pysnmp4 adds dependencies on python-
  pycryptodome and python-pysmi, so these need to be MIRed.

  >> pysmi <<

  [Availability]
  In universe

  [Security]
  No history: http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pysmi

  [Quality assurance]
  Package executes unit tests during package build.

  [Dependencies]
  All in main.

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  >> pycryptodome <<

  [Availability]
  In universe

  [Security]
  No history: http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pycryptodome

  [Quality assurance]
  Package executes unit tests during package build.

  [Dependencies]
  All in main.

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  [Background]
  PyCryptodome is a fork of PyCrypto
