[Bug 1899213] Re: [MIR] new dependencies of lintian
Leonidas S. Barbosa
1899213 at bugs.launchpad.net
Tue Jan 19 16:48:32 UTC 2021
I reviewed discount 2.2.6-1ubuntu1 as checked into hirsute. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
discount is an implementation of John Gruber's Markdown markup language.
- CVE History:
- All CVEs below are open
CVE-2018-11468 - medium (affects only xenial and bionic)
CVE-2018-11503 - medium (affects only xenial and bionic)
CVE-2018-11504 - medium (affects only xenial and bionic)
CVE-2018-12495 - low (affects only xenial and bionic)
- Build-Depends?
- libmarkdown2, libmarkdown2-dev
- pre/post inst/rm scripts?
- there are two .install scripts:
- libmarkdown2-dev.install does:
- echo mkdio.h usr/include/$DEB_HOST_MULTIARCH
- echo libmarkdown.so usr/lib/$DEB_HOST_MULTIARCH
- echo libmarkdown.pc usr/lib/$DEB_HOST_MULTIARCH/pkgconfig/
- libmarkdown2.install does:
- echo libmarkdown.so.* usr/lib/$DEB_HOST_MULTIARCH
- init scripts?
None
- systemd units?
None
- dbus services?
None
- setuid binaries?
None
- binaries in PATH?
-rwxr-xr-x root/root 20000 2020-10-10 16:43 ./usr/bin/makepage
-rwxr-xr-x root/root 24672 2020-10-10 16:43 ./usr/bin/markdown
-rwxr-xr-x root/root 24160 2020-10-10 16:43 ./usr/bin/mkd2html
-rwxr-xr-x root/root 32624 2020-10-10 16:43 ./usr/bin/theme
- sudo fragments?
None
- polkit files?
None
- udev rules?
None
- unit tests / autopkgtests?
- there are tests, but I'm not 100% sure they run at build time.
- cron jobs?
- none
- Build logs:
None
- Processes spawned?
one, but it runs only if the HAS_GIT flag is set. These are build-utility exec calls only.
- Memory management?
- In a first glance, it is ok.
- it uses some strcpy with argv/argc, but the memory buffer sizes are set using argv/argc. In any case, this probably needs a further look.
- File IO?
- Sounds ok
- Logging?
- Some logs using perror
- Environment variable usage?
- it uses the MARKDOWN_FLAGS and AMALLOC_STATISTICS environment variables, but nothing seems weird.
- Use of privileged functions?
- None
- Use of cryptography / random number sources etc?
- None
- Use of temp files?
- None
- Use of networking?
- None
- Use of WebKit?
- None
- Use of PolicyKit?
- None
- Any significant cppcheck results?
- lots of Expression errors as in:
sio.c:14:5: error: Expression '((*iot).size++)[((*iot).size<(*iot).alloc)?((*iot).text):((*iot).text=(*iot).text?realloc((*iot).text,sizeof(*iot).text[0]*((*iot).alloc+=100)):malloc(sizeof(*iot).text[0]*((*iot).alloc+=100)))]' depends on order of evaluation of side effects [unknownEvaluationOrder]
EXPAND(*iot) = c;
- Any significant Coverity results?
- A possible NULL dereference in markdown.c at line 958, as p is passed without being checked.
- the same at line 996 of markdown.c
- Any significant shellcheck results?
- not that relevant.
- Any significant bandit results?
- None
There are a few things that I believe should be addressed before ACKing it, such as re-checking the possible NULL dereferences where they were pointed out.
But in general, from me it's ACK.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11468
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11503
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11504
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12495
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to lintian in Ubuntu.
https://bugs.launchpad.net/bugs/1899213
Title:
[MIR] new dependencies of lintian
Status in discount package in Ubuntu:
New
Status in libhtml-html5-entities-perl package in Ubuntu:
Fix Released
Status in libproc-processtable-perl package in Ubuntu:
Fix Released
Status in libtext-markdown-discount-perl package in Ubuntu:
In Progress
Status in lintian package in Ubuntu:
Incomplete
Bug description:
libproc-processtable-perl, libhtml-html5-entities-perl, libtext-markdown-discount-perl:
Well maintained, simple Perl packages without any problem.
Maintainer of all in Debian is the Debian Perl Group.
The Foundations Team is subscribed to the bug reports
libhtml-html5-entities-perl: The last upload took place quite some time ago, but the next upload is prepared in git already.
Also there is no autopkgtest set for the package.
---
discount:
Availability
============
Built for all supported architectures. In sync with Debian.
Rationale
=========
libmarkdown2 is a dependency of libtext-markdown-discount-perl.
Security
========
There were a few security issues which are resolved now:
https://security-tracker.debian.org/tracker/source-package/discount
Quality assurance
=================
- the Foundations Team is subscribed to the bug reports
- dh_auto_test runs the tests
- The package does not have an autopkgtest
https://bugs.launchpad.net/ubuntu/+source/discount
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=discont
https://github.com/Orc/discount/issues
Dependencies
============
No universe binary dependencies
Standards compliance
====================
4.4.0, debhelper compat 12, dh simple rules
Maintenance
===========
Actively maintained:
https://github.com/Orc/discount
Not team maintained in Debian.
https://tracker.debian.org/pkg/discount
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/discount/+bug/1899213/+subscriptions
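The cppcheck unknownEvaluationOrder result quoted in the review above is worth seeing in isolation. The following is an added C example, not discount's code: the field names text/size/alloc are taken from the cppcheck message on this page, while the Cstring type, the EXPAND_UNSEQUENCED macro name, cs_push and demo_fill are hypothetical names chosen here. It shows the shape of the flagged expression next to a sequenced rewrite that grows the buffer before storing into it and checks the allocation result instead of indexing a possibly NULL pointer.

```c
#include <stdlib.h>

/* Hypothetical growable text buffer modelled on the fields named in the
 * cppcheck message (text, size, alloc). Not discount's own type. */
typedef struct {
    char *text;
    int size;
    int alloc;
} Cstring;

/* Shape of the expression cppcheck flagged. The two operands of [] are
 * unsequenced in C, so the write in (x).size++ and the read of (x).size in
 * the conditional are unsequenced: undefined behaviour. Defined only to
 * show the pattern; deliberately never used below. */
#define EXPAND_UNSEQUENCED(x) \
    ((x).size++)[((x).size < (x).alloc) ? (x).text \
        : ((x).text = (x).text \
             ? realloc((x).text, sizeof((x).text[0]) * ((x).alloc += 100)) \
             : malloc(sizeof((x).text[0]) * ((x).alloc += 100))))]

/* Sequenced rewrite: the growth step completes before the store, and a
 * failed (NULL) allocation is reported instead of being dereferenced.
 * Returns 0 on success, -1 if memory could not be obtained. */
static int cs_push(Cstring *x, char c) {
    if (x->size >= x->alloc) {
        int nalloc = x->alloc + 100;
        /* realloc(NULL, n) behaves as malloc(n), so one call covers both
         * the first allocation and later growth. */
        char *p = realloc(x->text, sizeof(x->text[0]) * (size_t)nalloc);
        if (p == NULL)
            return -1;           /* original buffer is still valid here */
        x->text = p;
        x->alloc = nalloc;
    }
    x->text[x->size++] = c;      /* index and store are now sequenced */
    return 0;
}

/* Constructed workload: appends n bytes of a known pattern, crossing
 * several 100-byte growth boundaries, then verifies every byte.
 * Returns the final size, -1 on allocation failure, -2 on corruption. */
int demo_fill(int n) {
    Cstring x = { NULL, 0, 0 };
    int i;
    for (i = 0; i < n; i++) {
        if (cs_push(&x, (char)('a' + i % 26)) != 0) {
            free(x.text);
            return -1;
        }
    }
    for (i = 0; i < n; i++) {
        if (x.text[i] != (char)('a' + i % 26)) {
            free(x.text);
            return -2;
        }
    }
    i = x.size;
    free(x.text);
    return i;
}

int main(void) {
    return demo_fill(1000) == 1000 ? 0 : 1;
}
```

In the expression on the page, the index value is the pre-increment size, so the order the compiler happens to pick mostly changes whether the buffer is grown one byte early; the point is that the behaviour is undefined at all, and that a compiler is free to reorder it. The rewrite also closes the separate hole where a failed realloc assigns NULL to text and the very next operation indexes it.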