
pkg-perl-maintainers team mailing list archive

[Bug 1980662] Re: [MIR] lib*-perl for lintian 2.115

 

I reviewed libmldbm-perl 2.05-3 as checked into kinetic.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

>  MLDBM store multi-level Perl hash structure in single level tied hash

- CVE History:
  - ancient leak circa 1999
    - https://github.com/perl/perl5/issues/80
- Build-Depends?
  - Data::Dumper perl module 2.08
    - 2.08 is a very old version
    - some Data::Dumper updates are security related
    - https://metacpan.org/dist/Data-Dumper/changes
    - nb: package also provides MLDBM::Serializer::Data::Dumper
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - has build tests and autopkgtests
- cron jobs?
  - none
- Build logs:
  - looks clean

- Processes spawned?
  - concerning eval in ./lib/MLDBM/Serializer/Data/Dumper.pm
    - values missing a magic key string are returned before eval +1
- Memory management?
  - none
- File IO?
  - none, besides build
- Logging?
  - yes, via carp
- Environment variable usage?
  - none
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none / not applicable
- Any significant Coverity results?
  - none / not applicable
- Any significant shellcheck results?
  - none / not applicable
- Any significant bandit results?
  - none / not applicable
- Any significant perlcritic?
  - none

Code is possibly unmaintained. Code was written 10 years ago. A travis file was
added 8 years ago. There has never been an issue or pull request on GitHub.
https://github.com/chorny/MLDBM

See Warnings section of mldbm(3)
https://manpages.ubuntu.com/manpages/kinetic/en/man3/MLDBM.3pm.html#warnings

Security team ACK for promoting libmldbm-perl to main.

** Bug watch added: github.com/perl/perl5/issues #80
   https://github.com/perl/perl5/issues/80

** Changed in: libmldbm-perl (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: libmldbm-perl (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libhttp-server-simple-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1980662

Title:
  [MIR] lib*-perl for lintian 2.115

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libfreezethaw-perl/+bug/1980662/+subscriptions