[Bug 1011597] Re: [MIR] libfcgi-perl, libcgi-fast-perl

Jamie Strandboge jamie at ubuntu.com
Tue Jun 19 15:43:03 UTC 2012


MIR Review for libfcgi-perl:
* builds with only main enabled with no compiler warnings or errors
* it has a small test script that is used in the build
* no Ubuntu delta
* has a watch file
* the package is up to date
* the package is lintian clean
* debian/rules is clean
* as mentioned, no bugs in LP or Debian

Security review for libfcgi-perl:
* This script provides a perl library, so it doesn't ship any initscripts, upstart jobs, dbus services, daemons or cron jobs. No setuid or fscap'd programs are installed and there is no use of sudo.
* There was one CVE in a deprecated interface, but it was fixed in a timely fashion with minimal effort.
* For its C code
 - it creates its own wrapper functions for malloc and string operations, and these wrappers check return codes and ensure strings are NUL-terminated. Spot-checking use of sprintf, it is quite careful to make sure strings are the proper size, etc.
 - it uses strcpy() in a few places, but doesn't always verify the length of the src. However, where this happens, stack-protector should intervene. It also looks like in these places only a very poorly written program would allow attacker control of these functions without input sanitizing.
 - OS_SpawnChild() doesn't use umask(0) when spawning a child, but as this is a library, it probably makes sense for callers of OS_SpawnChild() to do this.
 - it creates its own wrapper functions for read() and write() (OS_Read and OS_Write, respectively). While the wrappers themselves don't check return codes, all usage of OS_Read() and OS_Write() does.

** Changed in: libfcgi-perl (Ubuntu)
       Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1011597

Title:
  [MIR] libfcgi-perl, libcgi-fast-perl

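The two C hygiene points raised in the review (string wrappers that always NUL-terminate and report when the source did not fit, and read()/write() wrappers whose callers must check the return code) are illustrated below. This is an added example and is not code from libfcgi-perl or the FastCGI devkit; the names bounded_copy, write_all, read_all and pipe_roundtrip, and the scratch buffers, are hypothetical.

```c
/* Added example (not libfcgi-perl / FastCGI devkit code). Names are hypothetical. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen(3) */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Scratch buffers used by main() and by the checks below. */
char g_small[8];
char g_echoed[64];

/* The pattern the review flags: destination size and source length are
 * both unknown here, so a long src overflows dst. Shown only as a contrast;
 * nothing below calls it with an oversized src. */
static void unchecked_copy(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened form: copy src into dst[dstsz]. dst is always NUL-terminated
 * when dstsz > 0. Returns 0 on success, -1 if src did not fit (dst then
 * holds the truncated prefix). strnlen() never reads beyond dstsz bytes. */
int bounded_copy(char *dst, size_t dstsz, const char *src) {
    size_t n;
    if (dstsz == 0) return -1;
    n = strnlen(src, dstsz);
    if (n == dstsz) {                 /* no NUL within dstsz: too long */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);          /* n + 1 includes the terminating NUL */
    return 0;
}

/* write(2) wrapper that absorbs short writes and EINTR. Returns 0 on
 * success, -1 on a real error; callers must check it. */
int write_all(int fd, const void *buf, size_t len) {
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* read(2) wrapper: reads exactly len bytes or fails. Premature EOF
 * (n == 0) is reported as -1 rather than silently returning a short buffer. */
int read_all(int fd, void *buf, size_t len) {
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (n == 0) return -1;
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Push msg through a pipe with the checked wrappers; out receives a
 * NUL-terminated copy. Returns 0 on success, -1 on any failure. */
int pipe_roundtrip(const char *msg, char *out, size_t outsz) {
    int fds[2];
    size_t len = strlen(msg);
    int rc = -1;
    if (outsz <= len || pipe(fds) != 0) return -1;
    if (write_all(fds[1], msg, len) == 0 && read_all(fds[0], out, len) == 0) {
        out[len] = '\0';
        rc = 0;
    }
    close(fds[0]);
    close(fds[1]);
    return rc;
}

int main(void) {
    unchecked_copy(g_small, "ok");    /* fits, so safe here; the API is still unsafe */
    printf("fits:      %d '%s'\n", bounded_copy(g_small, sizeof g_small, "hello"), g_small);
    printf("truncated: %d '%s'\n", bounded_copy(g_small, sizeof g_small, "this is too long"), g_small);
    printf("pipe:      %d '%s'\n", pipe_roundtrip("FCGI record", g_echoed, sizeof g_echoed), g_echoed);
    return 0;
}
```

The truncation case is the one worth internalising: the copy still yields a valid NUL-terminated string, but the -1 return tells the caller the data was cut, which is the check a raw strcpy() can never provide.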