[Bug 1956617] Re: [MIR] protobuf-c

Mark Esler 1956617 at bugs.launchpad.net
Mon Jul 11 15:53:47 UTC 2022


I reviewed protobuf-c 1.3.3-1 as checked into focal, protobuf-c
1.3.3-1ubuntu2 as checked into jammy, and protobuf-c 1.4.0 from
upstream's git repo.

"This is protobuf-c, a C implementation of the Google Protocol Buffers
data serialization format. It includes libprotobuf-c, a pure C library
that implements protobuf encoding and decoding, and protoc-c, a code
generator that converts Protocol Buffer .proto files to C descriptor
code, based on [Google's] original protoc."

- CVE History:
  - two recent vulnerabilities
  - one was assigned CVE-2022-33070
  - patched in v1.4.1
- Build-Depends?
  - protobuf
  - ldd /usr/bin/protoc-gen-c
    - linux-vdso.so.1
    - libprotobuf.so.23 => /lib/x86_64-linux-gnu/libprotobuf.so.23
    - libprotoc.so.23 => /lib/x86_64-linux-gnu/libprotoc.so.23
    - libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6
    - libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1
    - libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6
    - libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1
    - /lib64/ld-linux-x86-64.so.2
    - libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6
  - ldd /usr/lib/x86_64-linux-gnu/libprotobuf-c.so.1.0.0
    - no additional dependencies
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - /usr/bin/protoc-gen-c
  - protoc-c -> protoc-gen-c
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - requested in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004962
- cron jobs?
  - none
- Build logs:
  - OK
  - No errors. All warnings are trivial.
- Processes spawned?
  - only for documentation generation
- Memory management?
  - See vulnerabilities above
  - Use of memcpy, malloc, free, and memset LGTM
  - An OOB memory access exists in test file
  - Defensive programming reasoning commented throughout code
- File IO?
  - none
- Logging?
  - none
- Environment variable usage?
  - none (outside of debian build scripts)
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - none
- Any significant Coverity results?
  - none
  - OOB in a test
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none

Packages in Main already use protobuf-c as part of their build (such as
sudo). The two recent vulnerabilities in protobuf-c's history were
patched promptly. One of the patches is by sudo's maintainer. protobuf-c
is also tracked by Google's OSS-Fuzz. The authors of protobuf-c took a
lot of care to handle input and protect memory. It is well written and a
good candidate for Main.

Security team ACK for promoting protobuf-c to Main.

** Changed in: protobuf-c (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
https://bugs.launchpad.net/bugs/1956617

Title:
  [MIR] protobuf-c

Status in protobuf-c package in Ubuntu:
  New

Bug description:
  [Availability]
  The package protobuf-c is already in Ubuntu universe, and was in main some years ago.
  The package protobuf-c builds for the architectures it is designed to work on.
  It currently builds and works for architectures:  amd64 arm64 armhf i386 ppc64el riscv64 s390x
  Link to package https://launchpad.net/ubuntu/+source/protobuf-c

  [Rationale]
  - The package protobuf-c is required in Ubuntu main for fwupd 1.7.x to handle firmware updates for Logitech devices that use logitech_bulkcontroller such as their 4k webcams.
  - The feature is only going to be useful to users owning such hardware but it is important for those users.

  [Security]
  - No CVEs/security issues in this software in the past

  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Package does not open privileged ports (ports < 1024)
  - Package does not contain extensions to security-sensitive software

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu and has no bugs open in Debian or Ubuntu
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/protobuf-c/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=protobuf-c
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package runs a test suite at build time; if it fails,
    it makes the build fail, link to build log https://launchpadlibrarian.net/464904971/buildlog_ubuntu-focal-amd64.protobuf-c_1.3.3-1_BUILDING.txt.gz

  - The package does not run an autopkgtest but there is no reason they
  shouldn't be added.

  [Quality assurance - packaging]
  - debian/watch is not present; there is no reason it shouldn't have one, though

  - This package has some minor lintian warnings

  # lintian --pedantic
  running with root privileges is not recommended!
  W: protobuf-c-compiler: no-manual-page usr/bin/protoc-c
  W: protobuf-c-compiler: no-manual-page usr/bin/protoc-gen-c
  P: protobuf-c source: package-uses-old-debhelper-compat-version 12
  P: protobuf-c source: silent-on-rules-requiring-root
  P: protobuf-c source: update-debian-copyright 2019 vs 2020 [debian/copyright:65]

  and some warnings about long lines in upstream sources

  - Lintian overrides are not present

  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies

  - The package will be installed by default, but does not ask debconf
  questions

  - Packaging and build is easy, link to d/rules
  https://salsa.debian.org/edmonds/protobuf-c/-/blob/master/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - Owning Team should be foundations since they own fwupd
  - Team is not yet, but will subscribe to the package before promotion

  - This does not use static builds
  - This does not use vendored code

  [Background information]
  The Package description explains the package well
  Upstream Name is protobuf-c
  Link to upstream project https://github.com/protobuf-c/protobuf-c

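An added helper, written for this page and not part of the MIR review, of Ubuntu's MIR tooling or of protobuf-c, that automates the mechanical file-list items of the checklist in the review above (binaries in PATH, init scripts, systemd units, dbus services, sudo fragments, polkit files, udev rules, cron jobs, setuid/setgid binaries). It reads one installed path per line, the format `dpkg -L <package>` prints, and optionally a root prefix so a constructed directory tree can stand in for / when run offline. The protobuf-c path list is taken from the review; the second list, the "badhelper" package and all function names are constructed for the demonstration. The ldd, maintainer-script and source-audit items still need the real package and are not covered here.

```shell
#!/bin/sh
# Added example (not part of the MIR review or of protobuf-c): automate the
# mechanical parts of the security checklist against a package's file list.
# Input: one installed path per line, as printed by `dpkg -L <pkg>`.
# ROOT (optional) is prepended before stat-ing files, so a constructed tree
# can stand in for / when demonstrating offline.
set -eu

# classify_paths LISTFILE [ROOT]
# Prints "check<TAB>path" for every path that triggers a checklist item.
classify_paths() {
    list=$1
    root=${2:-}
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        case "$p" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/local/bin/*|/usr/local/sbin/*)
                printf 'binary-in-PATH\t%s\n' "$p" ;;
            /etc/init.d/*)
                printf 'init-script\t%s\n' "$p" ;;
            /lib/systemd/system/*|/usr/lib/systemd/system/*|/usr/lib/systemd/user/*)
                printf 'systemd-unit\t%s\n' "$p" ;;
            /usr/share/dbus-1/*|/etc/dbus-1/*)
                printf 'dbus-service\t%s\n' "$p" ;;
            /etc/sudoers.d/*)
                printf 'sudo-fragment\t%s\n' "$p" ;;
            /usr/share/polkit-1/*|/etc/polkit-1/*)
                printf 'polkit-file\t%s\n' "$p" ;;
            /lib/udev/rules.d/*|/usr/lib/udev/rules.d/*|/etc/udev/rules.d/*)
                printf 'udev-rule\t%s\n' "$p" ;;
            /etc/cron.d/*|/etc/cron.hourly/*|/etc/cron.daily/*|/etc/cron.weekly/*|/etc/cron.monthly/*)
                printf 'cron-job\t%s\n' "$p" ;;
        esac
        # setuid/setgid is a mode bit, not a path pattern: stat the real file.
        f="$root$p"
        if [ -f "$f" ] && { [ -u "$f" ] || [ -g "$f" ]; }; then
            printf 'setuid-or-setgid\t%s\n' "$p"
        fi
    done < "$list"
}

# count_findings LISTFILE [ROOT]: number of checklist hits (0 means clean).
count_findings() {
    classify_paths "$@" | grep -c . || true
}

# demo: the protobuf-c paths named in the review, then a constructed package
# ("badhelper", hypothetical) that trips several checks at once.
demo_protobuf_c() {
    tmp=$(mktemp -d)
    cat > "$tmp/protobuf-c.list" <<'EOF'
/usr/bin/protoc-gen-c
/usr/bin/protoc-c
/usr/lib/x86_64-linux-gnu/libprotobuf-c.so.1.0.0
EOF
    mkdir -p "$tmp/root/usr/bin"
    printf '#!/bin/sh\n' > "$tmp/root/usr/bin/badhelper"
    chmod u+s "$tmp/root/usr/bin/badhelper"
    cat > "$tmp/bad.list" <<'EOF'
/usr/bin/badhelper
/usr/lib/systemd/system/bad.service
/etc/sudoers.d/bad
/etc/cron.daily/bad
EOF
    echo "protobuf-c findings: $(count_findings "$tmp/protobuf-c.list")"
    classify_paths "$tmp/protobuf-c.list"
    echo "badhelper findings: $(count_findings "$tmp/bad.list" "$tmp/root")"
    classify_paths "$tmp/bad.list" "$tmp/root"
    rm -rf "$tmp"
}

demo_protobuf_c
```

For protobuf-c the only hits are the two binaries in PATH, which matches the review; the constructed package reports five hits because the setuid helper is counted both as a PATH binary and as setuid. Against a real install, pipe `dpkg -L libprotobuf-c1 protobuf-c-compiler` into a file and omit ROOT.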