
pkg-perl-maintainers team mailing list archive

[Bug 1899213] Re: [MIR] new dependencies of lintian


I reviewed discount 2.2.6-1ubuntu1 as checked into hirsute.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

discount is an implementation of John Gruber's Markdown markup language.


- CVE History:
  - All CVEs below are open
    CVE-2018-11468 - medium (affects only xenial and bionic)
    CVE-2018-11503 - medium (affects only xenial and bionic)
    CVE-2018-11504 - medium (affects only xenial and bionic)
    CVE-2018-12495 - low (affects only xenial and bionic)

- Build-Depends?
  - libmarkdown2, libmarkdown2-dev
- pre/post inst/rm scripts?
  - there are two .install scripts:
    - libmarkdown2-dev.install does:
      - echo mkdio.h         usr/include/$DEB_HOST_MULTIARCH
      - echo libmarkdown.so  usr/lib/$DEB_HOST_MULTIARCH
      - echo libmarkdown.pc  usr/lib/$DEB_HOST_MULTIARCH/pkgconfig/
    - libmarkdown2.install does:
      - echo libmarkdown.so.*           usr/lib/$DEB_HOST_MULTIARCH
- init scripts?
  None
- systemd units?
  None
- dbus services?
  None
- setuid binaries?
  None
- binaries in PATH?
  -rwxr-xr-x root/root     20000 2020-10-10 16:43 ./usr/bin/makepage
  -rwxr-xr-x root/root     24672 2020-10-10 16:43 ./usr/bin/markdown
  -rwxr-xr-x root/root     24160 2020-10-10 16:43 ./usr/bin/mkd2html
  -rwxr-xr-x root/root     32624 2020-10-10 16:43 ./usr/bin/theme
- sudo fragments?
  None
- polkit files?
  None
- udev rules?
  None
- unit tests / autopkgtests?
  - there are tests, but I'm not 100% sure they run at build time.
- cron jobs?
  - none
- Build logs:
  None

- Processes spawned?
  one, but it runs only if the HAS_GIT flag is set. The exec'd files are build utilities only.

- Memory management?
  - At first glance, it is ok.
  - it uses some strcpy with argv/argc, but the memory
    buffers are sized using argv/argc. In any case, it probably needs further looks.
- File IO?
  - Sounds ok
- Logging?
  - Some logs using perror
- Environment variable usage?
  - it uses the MARKDOWN_FLAGS and AMALLOC_STATISTICS env variables. But it does not seem weird.
- Use of privileged functions?
  - None
- Use of cryptography / random number sources etc?
  - None
- Use of temp files?
  - None
- Use of networking?
  - None
- Use of WebKit?
  - None
- Use of PolicyKit?
  - None
- Any significant cppcheck results?
  - lots of Expression errors as in:
    sio.c:14:5: error: Expression '((*iot).size++)[((*iot).size<(*iot).alloc)?((*iot).text):((*iot).text=(*iot).text?realloc((*iot).text,sizeof(*iot).text[0]*((*iot).alloc+=100)):malloc(sizeof(*iot).text[0]*((*iot).alloc+=100)))]' depends on order of evaluation of side effects [unknownEvaluationOrder]
        EXPAND(*iot) = c;
- Any significant Coverity results?
  - Some possible NULL dereferences in markdown.c line 958, as p is passed without being checked.
  - same at line 996 of markdown.c
- Any significant shellcheck results?
  - not that relevant.
- Any significant bandit results?
  - None

There are a few things that I believe should be addressed first to ACK it, such as re-checking the possible NULL dereferences where they were pointed out.
But in general, from me it's an ACK.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11468

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11503

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11504

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12495

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libtext-markdown-discount-perl in
Ubuntu.
https://bugs.launchpad.net/bugs/1899213

Title:
  [MIR] new dependencies of lintian

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/discount/+bug/1899213/+subscriptions
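The cppcheck finding quoted in the review is about the order in which the side effects inside the EXPAND() expression happen: the subscript post-increments size while the other operand of the same [] reads size (size < alloc) to decide whether to grow, and the two operands of a subscript are unsequenced in C. The following is an added example, not code from discount or from the reviewer: a constructed Cstring buffer whose UNSAFE_EXPAND macro has the same shape as the flagged expression, next to a function that sequences the growth, the store and the size increment explicitly. The names UNSAFE_EXPAND, cstring_push, cstring_fill, push_n_and_check and the GROW step of 100 are assumptions modelled on the expression in the cppcheck output.

```c
/*
 * Added example, not discount's code: a constructed growable string buffer
 * with (a) a macro shaped like the EXPAND() expression cppcheck flagged in
 * sio.c and (b) a function that does the same job in a well-defined order.
 */
#include <stdio.h>
#include <stdlib.h>

#define GROW 100  /* assumed growth step, modelled on the "+=100" in the cppcheck output */

typedef struct {
    char *text;   /* heap buffer, NULL before the first append */
    int   size;   /* characters in use */
    int   alloc;  /* characters allocated */
} Cstring;

/*
 * Shape of the flagged expression (constructed, not the project's macro).
 * The left operand of [] post-increments size; the right operand reads size
 * in "size < alloc" and may realloc text.  Operands of [] are unsequenced,
 * so a side effect on size and a read of size in one expression is undefined
 * behaviour (C11 6.5p2), which is what [unknownEvaluationOrder] reports.
 * A failed realloc also overwrites text with NULL and is then indexed.
 * Kept only to show the pattern; nothing below expands it.
 */
#define UNSAFE_EXPAND(x) \
    (((x).size++)[((x).size < (x).alloc) ? (x).text : \
        ((x).text = (x).text \
            ? realloc((x).text, sizeof (x).text[0] * ((x).alloc += GROW)) \
            : malloc(sizeof (x).text[0] * ((x).alloc += GROW)))])

/* Well-defined replacement: grow first, check the result, store, then bump size. */
static int cstring_push(Cstring *s, char c)
{
    if (s->size >= s->alloc) {
        int   nalloc = s->alloc + GROW;
        /* realloc(NULL, n) behaves as malloc(n), so no separate first-time branch */
        char *ntext  = realloc(s->text, sizeof *ntext * (size_t)nalloc);
        if (ntext == NULL)
            return -1;        /* old buffer and size stay intact for the caller */
        s->text  = ntext;
        s->alloc = nalloc;
    }
    s->text[s->size] = c;     /* size is read here ... */
    s->size++;                /* ... and modified only after the store */
    return 0;
}

/* Append n copies of c; returns how many were actually stored. */
static int cstring_fill(Cstring *s, char c, int n)
{
    int i;
    for (i = 0; i < n; i++)
        if (cstring_push(s, c) != 0)
            break;
    return i;
}

static void cstring_free(Cstring *s)
{
    free(s->text);
    s->text = NULL;
    s->size = s->alloc = 0;
}

/* Push n chars into a fresh buffer, verify every byte, return final alloc or -1. */
static int push_n_and_check(int n, char c)
{
    Cstring s = { NULL, 0, 0 };
    int result = -1;
    if (cstring_fill(&s, c, n) == n && s.size == n) {
        int i, good = 1;
        for (i = 0; i < n; i++)
            if (s.text[i] != c)
                good = 0;
        if (good)
            result = s.alloc;
    }
    cstring_free(&s);
    return result;
}

int main(void)
{
    /* 250 pushes cross two growth steps: alloc goes 0 -> 100 -> 200 -> 300 */
    int alloc = push_n_and_check(250, 'x');
    printf("250 chars stored, final alloc = %d\n", alloc);
    return alloc == 300 ? 0 : 1;
}
```

The function form also covers the failure mode the macro cannot: when realloc fails, cstring_push returns -1 and leaves the old buffer, size and alloc untouched, whereas the macro-shaped expression assigns the NULL result to text, leaks the old buffer and then indexes NULL.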
