[Bug 2001699] Re: [MIR] python-autocommand, python-inflect, pydantic

Nick Galanis 2001699 at bugs.launchpad.net
Wed Jan 3 08:56:59 UTC 2024


I reviewed pydantic 1.10.13-0ubuntu1 as checked into noble.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

pydantic is a fast and extensible data validation and settings management
library in python. It can be combined with popular IDEs and linters, and it's
powered by type hints, making its use easy.

- CVE History
 - CVE-2021-29510 (7.5 CVSS, high)
   - fixed with backports in multiple versions (1.8.2, 1.7.4, 1.6.2)
   - fixed and immediately reviewed by upstream
   - tests provided as PoC for vulnerability
 - CVE-2020-10735 (7.5 CVSS, high)
   - python vulnerability that was affecting the package
   - patched immediately by upstream when made public by python
   - tests provided as PoC for vulnerability
- Build-Depends
 - default and widely-used python libraries, all in main
- pre/post inst/rm scripts
 - prerm script: backported from dh_python, secure
 - postinst script: backported from dh_python, secure
- init scripts
 - none
- systemd units
 - none
- dbus services
 - none
- setuid binaries
 - none
   - no binaries in general: python package
- binaries in PATH
 - none
- sudo fragments
 - none
- polkit files
 - none
- udev rules
 - none
- unit tests / autopkgtests
 - no autopkgtests available. Unit testing with standard python, good and clear
testing process during build. Good coverage of code and functions. New tests
are added for new functionality by upstream, and were added as PoC for
CVE-2021-29510 during its fix, suggesting the same will happen with future CVEs.
- cron jobs
 - none
- Build logs
 - (warning) SetuptoolsDeprecationWarning: setup.py install is deprecated.
 - no other errors/warnings, build runs successfully
- Processes spawned
 - none
   - only in docs, does not involve user input, thus not vulnerable to shell
injection
- Memory management
 - safe
   - python package, not using low level memory management
- File IO
 - mostly in tests/docs
 - when in default functionality of a program, done mostly through python and
does not involve user input
- Logging
 - mostly in tests and docs.
 - when in main functionality, done with caution, while using python
(high-level memory management).
- Environment variable usage
 - only in tests and setup; not exploitable during runtime, or exploiting
them would already require high privileges for the attacker
- Use of privileged functions
 - none
- Use of cryptography / random number sources etc
 - does not involve network communications or encryption
 - sensitive data is handled by masking, ensuring that it is not exposed in
logs / error messages. There is no encryption provided for those passwords, but
they are not stored permanently
 - no SSL/TLS operations
- Use of temp files
 - none
- Use of networking
 - mostly used to assist in testing
 - the ones in main functionality take input from trusted sources, no unsafe
input found
- Use of WebKit
 - only in docs, safe
- Use of PolicyKit
 - none


- Any significant cppcheck results
 - none (not supported)
- Any significant Coverity results
 - none
   - possible DOM-based XSS found in docs, communicated with upstream
   (waiting on response by them). Issue was fixed in a later version,
   as the code was deleted
- Any significant shellcheck results
 - none (not supported)
- Any significant bandit results
 - none.
   - most results in docs/tests, do not involve user input
- Any significant govulncheck results
 - none (not supported)
- Any significant Semgrep results
 - none


No significant security findings while scanning the code; the Github repo has a
security policy and easy ways to communicate vulnerabilities with upstream.
Code is being continuously maintained and issues are fixed quickly, including
the one vulnerability with an assigned CVE that was found in 2021. Overall,
good quality and clarity of code and good testing, elements that will make
the patching and backport of possible future vulnerabilities feasible.

Security team ACK for promoting pydantic to main.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10735

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-29510

** Changed in: pydantic (Ubuntu)
       Status: New => In Progress

** Changed in: pydantic (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/2001699

Title:
  [MIR] python-autocommand, python-inflect, pydantic

Status in jaraco.text package in Ubuntu:
  In Progress
Status in pydantic package in Ubuntu:
  In Progress
Status in python-autocommand package in Ubuntu:
  Fix Committed
Status in python-inflect package in Ubuntu:
  In Progress

Bug description:
  >> python-autocommand <<

  [Availability]
  The package python-autocommand is already in Ubuntu universe.
  The package python-autocommand builds for the architectures (arch:all) it is designed to work on.

  [Rationale]
  New runtime dependency for jaraco.text which is already in Ubuntu main.

  [Security]
  No security history

  - no `suid` or `sgid` binaries
  - no binaries generally (python module)
  - no services
  - no ports opened
  - no extensions to security sensitive software

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  No open bugs in Ubuntu or Debian
  Limited upstream release activity until 2.2.2 in 2022.

  [Quality assurance - testing]
  Package includes unit tests which are executed as part of the package build and fail the package build as needed
  Autopkgtests for all architectures; failing on i386 due to install-ability issues (not a new issue)

  [Quality assurance - packaging]
  - d/watch present and works
  - d/control defines a correct maintainer field
  - lintian --pedantic has one warning and two informational messages
  - no lintian overrides
  - no debconf questions
  - packaging is simple and easy to build (pybuild)

  [UI standards]
  N/A - not a UI application.

  [Dependencies]
  All in main

  [Standards compliance]
  No policy violations

  [Maintenance/Owner]
  Maintainer in Debian
  ubuntu-openstack to maintain in Ubuntu.

  >> python-inflect <<

  [Availability]
  The package python-inflect is already in Ubuntu universe.
  The package python-inflect builds for the architectures (arch:all) it is designed to work on.

  [Rationale]
  New runtime dependency for jaraco.text which is already in Ubuntu main.

  [Security]
  No security history

  - no `suid` or `sgid` binaries
  - no binaries generally (python module)
  - no services
  - no ports opened
  - no extensions to security sensitive software

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  No open bugs of importance in Ubuntu or Debian
  Healthy release activity upstream

  [Quality assurance - testing]
  Package includes unit tests which are executed as part of the package build and fail the package build as needed
  No autopkgtests executed for this package.

  [Quality assurance - packaging]
  - d/watch present and works
  - d/control defines a correct maintainer field
  - lintian --pedantic has one warning and two informational messages
  - no lintian overrides
  - no debconf questions
  - packaging is simple and easy to build (pybuild)

  [UI standards]
  N/A - not a UI application.

  [Dependencies]
  All in main

  [Standards compliance]
  No policy violations

  [Maintenance/Owner]
  Maintainer in Debian
  ubuntu-openstack to maintain in Ubuntu.
