[Bug 1861268] security audit
Eduardo Barretto
1861268 at bugs.launchpad.net
Wed Jul 1 13:34:01 UTC 2020
I reviewed jeepney 0.4.3-1 as checked into groovy. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
jeepney is a pure Python D-Bus interface. D-Bus is an inter-process
communication system.
In its README file, the jeepney maintainer mentions:
"This project is experimental, and there are a
number of more mature Python DBus bindings."
The mature options that the maintainer mentions don't seem to be as
maintained as jeepney.
- No CVE History
- Build-Depends:
  - python3-all
  - python3-pytest
  - python3-sphinx
  - python3-sphinx-rtd-theme
  - python3-testpath
- prerm and postinst scripts automatically created
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - the source code comes with some tests that can be run with pytest.
  - autopkgtests are also available for this package
- No cron jobs
- Build logs:
  - No relevant errors or warnings
- Processes spawned
  - Only in test code
- No memory management
- File IO
  - Open and write a .py output file when using bindgen to auto-generate
    DBus bindings. The path argument to bindgen is actually a DBus path and
    not a filesystem path.
  - There's not much handling on the output file; you can specify a path.
  - Bindgen is a tool and not used anywhere else in the code.
- No logging
- No environment variable usage
- No use of privileged functions
- No use of cryptography / random number sources
- Use of temp files only in test code
- Use of networking
  - Use sockets to connect to DBus when using tornado, asyncio or blocking I/O.
  - Looks safe
- No use of WebKit
- No use of PolicyKit
- Coverity only found issues in javascript code from the generated documentation
- Bandit found the following issues:
  - B405: import_xml_etree - LOW
  - B314: xml.etree.ElementTree.fromstring - MEDIUM
  - B101: assert_used - LOW
  - B105: hardcoded_password_string - LOW -> false positive
  - There are plenty of other LOW issues on test code that we are not analysing
  - Those issues are low enough to allow this MIR to continue
Although the maintainer still considers it experimental, it is a good test
to have it on a non-LTS Ubuntu as dbus-python is obsolete.
Keep in mind that jeepney has some limitations:
https://jeepney.readthedocs.io/en/latest/limitations.html
Security team ACK for promoting jeepney to main.
** Tags added: security-review-done
** Changed in: jeepney (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
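The Bandit B314 finding in the review above concerns xml.etree.ElementTree.fromstring in bindgen, which parses the XML a D-Bus service returns from Introspect(). The following is an added example, not jeepney's own code, of the check a reviewer would want there: it refuses entity declarations and internal DTD subsets (which legitimate introspection data never contains) before the text reaches ElementTree, then extracts the interface and member names a binding generator would use. The sample introspection document is constructed for this example.

```python
"""Defensive parsing of D-Bus introspection XML (added example, not jeepney's code).

Rejects entity declarations and internal DTD subsets, which real Introspect()
replies never carry, before xml.etree.ElementTree sees the text; this closes
the entity-expansion and external-entity class behind Bandit's B314 warning.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a real Introspect() reply: the standard
# freedesktop DOCTYPE references an external DTD and has no internal subset.
SAMPLE_INTROSPECTION = """<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
<node>
  <interface name="org.freedesktop.DBus.Introspectable">
    <method name="Introspect"><arg name="data" direction="out" type="s"/></method>
  </interface>
  <interface name="org.example.Counter">
    <method name="Increment"><arg name="by" direction="in" type="i"/></method>
    <signal name="Changed"><arg name="value" type="i"/></signal>
  </interface>
</node>"""

# An internal subset ("<!DOCTYPE node [ ... ]>") or any ENTITY declaration is
# the vehicle for entity-expansion and external-entity payloads; refuse both.
_INTERNAL_SUBSET = re.compile(r"<!DOCTYPE[^>\[]*\[", re.IGNORECASE)
_ENTITY_DECL = re.compile(r"<!ENTITY", re.IGNORECASE)


def parse_introspection(xml_text: str) -> dict:
    """Return {interface: {"methods": [...], "signals": [...]}} or raise ValueError."""
    if _INTERNAL_SUBSET.search(xml_text) or _ENTITY_DECL.search(xml_text):
        raise ValueError("introspection XML must not declare entities")
    root = ET.fromstring(xml_text)
    if root.tag != "node":
        raise ValueError("unexpected root element %r" % root.tag)
    interfaces = {}
    for iface in root.findall("interface"):
        interfaces[iface.get("name")] = {
            "methods": [m.get("name") for m in iface.findall("method")],
            "signals": [s.get("name") for s in iface.findall("signal")],
        }
    return interfaces


if __name__ == "__main__":
    for name, members in parse_introspection(SAMPLE_INTROSPECTION).items():
        print(name, members)
```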
https://bugs.launchpad.net/bugs/1861268
Title:
[MIR] jeepney
Status in jeepney package in Ubuntu:
New
Status in python-secretstorage package in Ubuntu:
New
Bug description:
[Availability]
Available in Ubuntu Focal.
[Rationale]
python-secretstorage, which is in main because it's a dependency of python-keyring, has been using dbus-python for a long time. However, as dbus-python's README says, it “might not be the best D-Bus binding for you to use”:
https://gitlab.freedesktop.org/dbus/dbus-python/blob/dbus-python-1.2.16/README#L13
Also, the Freedesktop wiki lists dbus-python among “Obsolete libraries”:
https://www.freedesktop.org/wiki/Software/DBusBindings/#obsoletelibraries
So the new release of secretstorage is now using jeepney, a
lightweight pure Python D-Bus implementation instead of dbus-python
(which was written in C).
[Security]
No security history.
[Quality assurance]
Upstream has a test suite, and it is being run during package build:
https://launchpadlibrarian.net/459048962/buildlog_ubuntu-focal-amd64.jeepney_0.4.2-1_BUILDING.txt.gz
There is also an autopkgtest:
http://autopkgtest.ubuntu.com/packages/jeepney
[Dependencies]
Depends: python3:any
Build-Depends: debhelper-compat (= 12), dh-python, python3-all, python3-pytest, python3-sphinx, python3-sphinx-rtd-theme, python3-testpath
[Standards compliance]
Standards-Version: 4.4.1
[Maintenance]
Maintained upstream in https://gitlab.com/takluyver/jeepney.
Maintained in Debian by me under the umbrella of Debian Python modules
team. Maintenance is very simple, debian/rules is just 18 lines.