
pkg-perl-maintainers team mailing list archive

[Bug 1980662] Re: [MIR] lib*-perl for lintian 2.115


I reviewed libwww-mechanize-perl 2.14-2 as checked into kinetic. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability. Test and example code was not included in this audit.

> `WWW::Mechanize`, or Mech for short, is a Perl module for stateful
> programmatic web browsing, used for automating interaction with
> websites.

- CVE History:
  - past CVEs for Net::HTTPS which libwww-mechanize-perl had used
- Bug History:
  - Many open issues
    - https://github.com/libwww-perl/WWW-Mechanize/issues
    - appears many could be closed
    - 72 open issues ported from Google Code Archive
    - multiple open hang issues appear to be addressed
- Build-Depends?
  - see META.yaml for Perl dependencies
  - HTTP::Request and several HTML:: modules are primarily used
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- udev rules?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - /usr/bin/mech-dump
- sudo fragments?
  - none
- polkit files?
  - none
- unit tests / autopkgtests?
  - robust build tests
  - has autopkgtests
- cron jobs?
  - none
- Build logs:
  - looks clean
- Processes spawned?
  - eval used to check libraries
- Memory management?
  - none, beyond test files
- File IO?
  - use of open appears safe
  - library contains save_content function that writes files
  - functions read URIs which can be file paths
- Logging?
  - library includes stderr warn messages
- Environment variable usage?
  - none, beyond test files
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none, beyond HTTPS
- Use of temp files?
  - none
- Use of networking?
  - HTTP::Request does the heavy lifting
  - this package, along with a handful of HTML:: modules, parses data
  - data being parsed is likely from unsafe sources
  - users of library are responsible for input sanitization!
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none, not-applicable
- Any significant Coverity results?
  - none, not-applicable
- Any significant shellcheck results?
  - none, not-applicable
- Any significant bandit results?
  - none, not-applicable
- Any significant perlcritic results?
  - results look okay

The README.md demonstrates how to use WWW::Mechanize with cleartext passwords
and HTTP.

This program looks quite useful, but is not suitable for secure environments.
In light of the intended lintian use case, adding this to main is reasonable.

Security team ACK for promoting libwww-mechanize-perl to main.

** Changed in: libwww-mechanize-perl (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: libwww-mechanize-perl (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libhttp-server-simple-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1980662

Title:
  [MIR] lib*-perl for lintian 2.115

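An added example, not part of the review above nor of the WWW::Mechanize project, showing how a consumer of the library can address the File IO and networking points raised in it (URIs that may be file paths, cleartext HTTP in the README, save_content writing files). The output directory, the size limit and the URL handling are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not the reviewer's code, not WWW::Mechanize's own code).
# Assumes WWW::Mechanize 2.x on top of LWP::UserAgent 6.x.
use strict;
use warnings;
use WWW::Mechanize;
use File::Spec;
use File::Basename qw(basename);

# Weak setting: the README-style constructor accepts every scheme LWP knows,
# so a caller-supplied "file:///some/local/path" is fetched like a web page
# and cleartext http:// is allowed.
#   my $mech = WWW::Mechanize->new();

# Hardened: HTTPS only (also applies to redirects, since the same UA follows
# them), TLS hostname verification on, bounded response size, and failures
# handled explicitly instead of via autocheck's die().
my $mech = WWW::Mechanize->new(
    protocols_allowed => ['https'],              # LWP::UserAgent option
    ssl_opts          => { verify_hostname => 1 },
    max_size          => 5 * 1024 * 1024,        # LWP::UserAgent option
    autocheck         => 0,
);

# Assumed directory where save_content() is allowed to write.
my $outdir = '/var/tmp/mech-output';

# Accept only a plain basename of safe characters, so a hostile name
# cannot steer save_content() outside $outdir.
sub safe_output_path {
    my ($name) = @_;
    my $base = basename($name);
    die "unsafe filename\n"
        unless $base =~ /\A[A-Za-z0-9._-]+\z/ && $base !~ /\A\.\.?\z/;
    return File::Spec->catfile( $outdir, $base );
}

my $url = shift @ARGV or die "usage: $0 https://example.invalid/page\n";

# file:// and http:// URLs are refused here by protocols_allowed rather
# than fetched; the caller still owns any further input sanitization.
my $res = $mech->get($url);
die "fetch refused or failed: " . $res->status_line . "\n"
    unless $res->is_success;

# Credentials are never placed in $url and the body lands only under $outdir.
$mech->save_content( safe_output_path('page.html') );
```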
