pkg-perl-maintainers team mailing list archive

[Bug 2029379] Re: [MIR] promote libdbd-sqlite3-perl (libmail-dmarc-perl dependency)

I reviewed `libdbd-sqlite3-perl` `1.72-1` as checked into mantic. This 
shouldn't be considered a full audit but rather a quick gauge of 
maintainability. As the module is highly stateful, it was not tested with 
fuzzing.

`libdbd-sqlite3-perl` is a DBI driver for an SQLite instance. The upstream code 
is available on GitHub at https://github.com/DBD-SQLite/DBD-SQLite.

The main interface of the package is the DBI driver (dbi.perl.org). A user 
should use the DBI API to connect to the database and perform CRUD operations. 
Besides the DBI API, the package provides methods that can be leveraged to 
implement custom functions registered in the SQL syntax. Please see the 
MetaCPAN (metacpan.org/release/ISHIGAKI/DBD-SQLite-1.74) page for a full list 
of the modules and their methods.

- CVE History
  - There is no CVE assigned to this package.
  - Despite this fact, the upstream (and its CPAN package) is prone to 
transitive dependencies from SQLite. This doesn't affect the packages provided 
by Debian and Ubuntu because the control file of the package requires 
`libsqlite3-dev` and a Quilt patch is applied to enable the use of it instead 
of the SQLite amalgamation (www.sqlite.org/amalgamation.html).
    - Files of the SQLite amalgamation are vendored in the Perl module:
      - `sqlite3.h`;
      - `sqlite3.c`;
      - `sqlite3ext.h`;
      - `fts3_tokenizer.h`; and
      - `dbdimp_tokenizer.inc` (SQLite's `fts3_tokenizer1.c`).
    - The SQLite vulnerabilities are fixed by only upgrading the vendored 
SQLite file, without any backporting to previous versions. The updates are 
either created ad-hoc by the maintainer or as a response to GitHub issues 
opened by the users. Below is a list of relevant issues and their corresponding 
creation years:
      - https://github.com/DBD-SQLite/DBD-SQLite/issues/12 (2015);
      - https://github.com/DBD-SQLite/DBD-SQLite/issues/108 (2023); and
      - https://github.com/DBD-SQLite/DBD-SQLite/issues/103 (2022).
  - The same happens for the ppport header (`ppport.h`), which "attempts to 
bring some of the newer Perl API features to older versions of Perl" (from 
https://docstore.mik.ua/orelly/perl4/perlnut/ch08_54.htm).
    - The header itself should be generated at build time by the package or, at 
least, updated regularly. Based on the Git history, the latter was a practice 
for the DBD-SQLite maintainers around 2009-2010.
  - Other vulnerabilities in the code of the module, which received no CVE, are:
    - Buffer overflow: https://rt-cpan.github.io/Public/Bug/Display/73787 
(2012); and
    - Integer overflow: https://rt-cpan.github.io/Public/Bug/Display/28785 
(2007).
  - The maintainer is using his blog to announce updates in the module: 
https://blogs.perl.org/mt/mt-cp.cgi?__mode=view&id=464.
- Build-Depends
  - Nothing raises security concerns.
- pre/post inst/rm scripts
  - N/A
- init scripts
  - N/A
- systemd units
  - N/A
- dbus services
  - N/A
- setuid binaries
  - N/A
- binaries in PATH
  - N/A
- sudo fragments
  - N/A
- polkit files
  - N/A
- udev rules
  - N/A
- unit tests / autopkgtests
  - The package defines 117 tests in its `t/` and `xt/` folders, which 
extensively test the codebase.
  - The tests leverage a helper module for handling warnings in 
`inc/Test/FailWarnings.pm`.
- cron jobs
  - N/A
- Build logs
  - N/A

- Processes spawned
  - N/A
- Memory management
  - Operations with the memory are happening only through the SQLite API, via 
methods such as `sqlite3_malloc` and `sqlite3_free`. The module clears its 
memory before exiting a function.
- File IO
  - Operations with the file-based database are happening only through the 
SQLite API.
  - When the database is backed by the filesystem, files are securely opened in 
`lib/DBD/SQLite/VirtualTable/FileContent.pm` with the three-argument variant of 
`open`.
- Logging
  - The module uses the following functions for logging:
    - `sqlite_error`;
    - `sqlite3_result_error`; and
    - `warn`.
- Environment variable usage
  - N/A
- Use of privileged functions
  - N/A
- Use of cryptography / random number sources etc
  - Cryptographic functions (hashing and RC4 as a PRNG) are used in SQLite, but 
they were not reviewed because the vendored code is not enabled in Ubuntu.
- Use of temp files
  - The use of temporary files happens only in the SQLite database, but the 
behaviour is properly documented (www.sqlite.org/tempfiles.html) and its code 
is not enabled in Ubuntu.
- Use of networking
  - N/A as the SQLite database is only stored locally
- Use of WebKit
  - N/A
- Use of PolicyKit
  - N/A

- Any significant cppcheck results
  - Only false positives
- Any significant Coverity results
  - Coverity doesn't have support for Perl (as per Coverity's SAT-27514 ticket).
  - There are some NULL-terminated string warnings for the vendored SQLite, but 
these are out of scope because the vendored code is not enabled in Ubuntu.
  - For the C part of the codebase, only code quality warnings are generated.
- Any significant shellcheck results
  - N/A
- Any significant bandit results
  - N/A
- Any significant govulncheck results
  - N/A
- Any significant Semgrep results
  - Only false positives
- Any significant perlcritic results
  - An instance of a code injection was discovered in an API method exposed by 
one Perl module.
    - This method is also used by the SQL parser, but it was validated that it 
cannot be triggered from SQL queries.
    - The security impact is minimal and doesn't influence the MIR decision.
    - No further details will be provided here as the issue will be reported to 
the upstream.

After reviewing the codebase, it was concluded that the codebase is 
maintainable and doesn't have immediate security issues that may block the 
reviewing process.

The single security concern that arose during the review was the reporting of 
the security issues by the upstream. The project had no CVE, despite previous 
versions of the module (included in our active Ubuntu releases) being affected 
by vulnerabilities in its codebase. This lack of visibility affects all 
downstream developers, including Debian, and makes the users vulnerable.

The Security team proposes a conditional ACK for promoting 
`libdbd-sqlite3-perl` into main. The owning team (namely, the Ubuntu Server 
Team) needs to commit to the development and testing of security patches in all
Ubuntu releases if we lack upstream support. In addition, the same team should
ask for demoting the package if a more suitable package can be used as an
alternative for `libdbd-sqlite3-perl`.

Thanks!

** Bug watch added: github.com/DBD-SQLite/DBD-SQLite/issues #12
   https://github.com/DBD-SQLite/DBD-SQLite/issues/12

** Bug watch added: github.com/DBD-SQLite/DBD-SQLite/issues #103
   https://github.com/DBD-SQLite/DBD-SQLite/issues/103
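The review above points at two things a practitioner will want to exercise themselves: the DBI API as the intended interface (CRUD with bound parameters, plus the driver-private method for registering a custom SQL function), and the question of which SQLite library the Ubuntu build is actually linked against, since the vendored amalgamation is supposed to be replaced by the system `libsqlite3`. The following script is an added example written for this page; it is not code from the bug report, from Ubuntu, or from the DBD-SQLite project. The table name, the `domain_tld` function and the sample rows are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not part of the MIR review or of DBD::SQLite itself).
# Exercises DBD::SQLite through the DBI API with bound parameters, registers
# a custom SQL function via the driver-private API, and reports which SQLite
# library the driver is linked against.
use strict;
use warnings;
use DBI;
use DBD::SQLite;

# In-memory database: nothing touches the filesystem, so the script can run
# anywhere. Use "dbname=/path/to/file.db" for a file-backed database.
my $dbh = DBI->connect(
    "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1, sqlite_unicode => 1 },
) or die $DBI::errstr;

# Which SQLite is really in use? On Ubuntu/Debian this version should match
# the installed libsqlite3 package, not the amalgamation shipped in the CPAN
# tarball, because the Debian build links against the system library.
printf "DBD::SQLite %s is linked against SQLite %s\n",
    $DBD::SQLite::VERSION, $dbh->{sqlite_version};

$dbh->do(<<'SQL');
CREATE TABLE report (
    id     INTEGER PRIMARY KEY,
    domain TEXT NOT NULL,
    body   TEXT NOT NULL
)
SQL

# Custom SQL function registered through a driver-private method
# (sqlite_create_function is documented DBD::SQLite API; the function name
# and behaviour here are made up for the example). The callback runs inside
# query evaluation, so keep it pure and treat its argument as untrusted.
$dbh->sqlite_create_function('domain_tld', 1, sub {
    my ($domain) = @_;
    return undef unless defined $domain;
    my @labels = split /\./, lc $domain;
    return $labels[-1];
});

# Constructed sample rows. The last one is a classic injection payload; with
# bound parameters it is stored as an opaque string and never parsed as SQL.
my @rows = (
    [ 'example.com',      'report one'   ],
    [ 'mail.example.org', 'report two'   ],
    [ q{evil.com'); DROP TABLE report; --}, 'report three' ],
);

# CRUD via the DBI API with placeholders: never interpolate caller-supplied
# data into the SQL text, let the driver bind it.
my $ins = $dbh->prepare('INSERT INTO report (domain, body) VALUES (?, ?)');
$ins->execute(@$_) for @rows;

my $sel = $dbh->prepare(
    'SELECT domain, domain_tld(domain) AS tld FROM report WHERE domain LIKE ? ORDER BY id'
);
$sel->execute('%.com');
while (my ($domain, $tld) = $sel->fetchrow_array) {
    print "$domain -> $tld\n";
}

# The table still exists and holds all three rows, which shows the injected
# text was treated as data rather than executed.
my ($count) = $dbh->selectrow_array('SELECT COUNT(*) FROM report');
print "rows stored: $count\n";

$dbh->disconnect;
```

For the linkage question the Perl-side version string is only a hint; the direct check is `ldd` on the driver's shared object (`auto/DBD/SQLite/SQLite.so` under the Perl arch library directory), which lists `libsqlite3.so.0` only when the module was built against the system library rather than the vendored `sqlite3.c`.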

https://bugs.launchpad.net/bugs/2029379

Title:
  [MIR] promote libdbd-sqlite3-perl (libmail-dmarc-perl dependency)
