[MIR] required new dependency of appstream

Bug #1833745 reported by Rik Mills
Affects: lmdb (Ubuntu)    Status: Fix Released    Importance: High    Assigned to: Unassigned

Bug Description

Availability
============
Built for all supported architectures. One upstream release ahead of Debian.

Rationale
=========
Now a required build and runtime dependency of appstream in -proposed in Eoan.

https://github.com/ximion/appstream/commit/358e9394631b87797f56dcb7e09e459b4044e631#commitcomment-33995178

Quote "Compiling AppStream without LMDB is not really possible."

Security
========
No known CVEs.
https://security-tracker.debian.org/tracker/source-package/lmdb

Quality assurance
=================
- Desktop Packages team is subscribed.
- dh_auto_test run at build time for supported architectures.
- No functional outstanding bugs in Ubuntu or Debian. Upstream 'issue' tracker is active.
https://bugs.launchpad.net/ubuntu/+source/lmdb
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=lmdb
https://www.openldap.org/its/index.cgi/Software%20Bugs?page=1;expression=lmdb;page=1

Dependencies
============
No universe binary dependencies

Standards compliance
====================
4.1.5.0, debhelper compat 9

Maintenance
===========
Actively maintained:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=history;f=libraries/liblmdb;hb=HEAD

Not team maintained in Debian.
https://tracker.debian.org/pkg/lmdb

Rik Mills (rikmills)
description: updated
description: updated
Rik Mills (rikmills)
description: updated
description: updated
Changed in lmdb (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Rik Mills (rikmills)
description: updated
Christian Ehrhardt  (paelzer) wrote :

[Reasoning]
So far lmdb was disabled e.g. in bind9 [2], but as outlined in the referred patch [1] this can't really be disabled in AppStream.
So let's take a look; fortunately it seems rather small.

[Duplication]
LMDB is a very thin in-memory database. You'd think of either big databases, which these days almost all grew in-memory features, or mid-sized projects like memcached.
But none of these really fits in the same size/use-as-lib/key-value-only tradeoff that LMDB tries to address.
Leveldb comes to mind [3] but that isn't in main either.

So while it feels like "oh no, another in-mem DB" I can't find something that would be a proper replacement.
Also, that bind9, postfix and appstream switched to it makes it less of a special one-off snowflake.

[Embedded sources and static linking]
- no other embedded libraries
- no static build
- no golang

[Security]
- no CVEs yet
- does not run as a daemon itself (lib)
- doesn't use webkit1,2
- doesn't use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)

The one usual check that applies is that to some extent it "parses data formats" when it persists them to and reads them from disk.
Also the content at least - in the use case triggering this being appstream - can be partially remote.

Further the mmapped files represent a new "attack vector" against tools using this in replacement for internal variables.
Following the "if in doubt let security check it" rule this will need a security review as well.

[Common blockers]
- no FTBFS currently
- runtime builds and runs test suite
- lib only without a lot of user-visible messages (no translation need)
- not a python package

The package lacks a team subscriber, some team has to step up - since driven by appstream (bug 1538293) probably the Desktop Team?

[Packaging red flags]
- no Ubuntu delta atm
- symbols file exists and is tracked
- d/watch is present
- regular updates in Debian and by Upstream (no big moves, just minor versions)
- the current release is packaged
- currently just a sync, so no issue for MOTUs
- only very minor lintian warnings
- d/rules fits a page and debian/* in general is rather clean
- no use of Built-Using
- no golang

[Upstream red flags]
- developed under the umbrella of the openldap project [5] by symas [4]
- some warnings on
  Wimplicit-fallthrough
  obsolete tags
  undocumented macros
  Nothing severe
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no open important bugs in Debian or Ubuntu or Upstream
- no use of webkit, qtwebkit, seed or libgoa-*
- not in scope for the Unity Dash (or other recent UI)

[Summary]
Approved by MIR team under the two following constraints
- needs package subscriber (I subscribed didrocks to consider it)
- needs security review

[1]: https://github.com/ximion/appstream/commit/358e9394631b87797f56dcb7e09e459b4044e631#commitcomment-33995178
[2]: https://github.com/ximion/appstream/commit/358e9394631b87797f56dcb7e09e459b4044e631#commitcomment-33995446
[3]: https://mo...


Changed in lmdb (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → Ubuntu Security Team (ubuntu-security)
Sebastien Bacher (seb128) wrote :

@Christian, thanks for the review! desktop-packages is subscribed to the report/Desktop Team is going to own that one (the description has been updated earlier to reflect that).
@Didrocks, unping :)

Eduardo Barretto (ebarretto) wrote :

I reviewed lmdb 0.9.23-0ubuntu1 as checked into eoan. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

lmdb is a software library that provides a high-performance embedded
transactional database in the form of a key-value store.

- No CVE History
- Build-Depends
  - debhelper
  - doxygen
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/mdb_copy
  - /usr/bin/mdb_dump
  - /usr/bin/mdb_load
  - /usr/bin/mdb_stat
- No sudo fragments
- No udev rules
- A couple of tests available in the source code:
  - mtest.c: tests for main DB. It's the only test executed during build (./mtest && ./mdb_stat testdb)
  - mtest2.c: tests for subDB
  - mtest3.c: tests for sorted duplicated DBs
  - mtest4.c: tests for sorted duplicated DBs with fixed-size keys
  - mtest5.c: tests for sorted duplicated DBs using cursor_put
  - mtest6.c: tests for DB splits and merges
- No cron jobs
- Build logs:
  - Lots of warnings during build, mostly related to doxygen macro definitions
  - The warnings are attached.
- No Processes spawned
- Memory management
  - Lots of dynamic memory allocation and memory copying. In general they look
    safe: they check for NULL, strings are also NUL terminated and they
    free memory after use.
- Lots of File IO
  - some paths come from argv, but the buffer is allocated dynamically based on
    the user's input.
- Logging
  - Binaries in path are logging only to stderr
- No Environment variable usage
- No Use of privileged functions
- No Use of cryptography / random number sources
  - srand used in test code
- No Use of temp files
- No Use of networking
- No Use of WebKit
- No Use of PolicyKit
- No significant cppcheck results
- Coverity results
  - Some NULL pointer dereference
  - Some pthread lock not being unlocked
  - Use after free
  - Resource leak
  - Out-of-bounds access
  - I will be forwarding this to upstream to get more feedback if any of them
    is a high priority issue.
  - Talked to upstream and they confirmed all are false positives.

The code is well maintained and upstream is responsive.

Security team ACK for promoting lmdb to main.

Changed in lmdb (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Changed in lmdb (Ubuntu):
status: New → Fix Committed
importance: Undecided → High
Steve Langasek (vorlon) wrote :

Override component to main
lmdb 0.9.23-0ubuntu1 in eoan: universe/misc -> main
liblmdb-dev 0.9.23-0ubuntu1 in eoan amd64: universe/libdevel/optional/100% -> main
liblmdb-dev 0.9.23-0ubuntu1 in eoan arm64: universe/libdevel/optional/100% -> main
liblmdb-dev 0.9.23-0ubuntu1 in eoan armhf: universe/libdevel/optional/100% -> main
liblmdb-dev 0.9.23-0ubuntu1 in eoan i386: universe/libdevel/optional/100% -> main
liblmdb-dev 0.9.23-0ubuntu1 in eoan ppc64el: universe/libdevel/optional/100% -> main
liblmdb-dev 0.9.23-0ubuntu1 in eoan s390x: universe/libdevel/optional/100% -> main
liblmdb0 0.9.23-0ubuntu1 in eoan amd64: universe/libs/optional/100% -> main
liblmdb0 0.9.23-0ubuntu1 in eoan arm64: universe/libs/optional/100% -> main
liblmdb0 0.9.23-0ubuntu1 in eoan armhf: universe/libs/optional/100% -> main
liblmdb0 0.9.23-0ubuntu1 in eoan i386: universe/libs/optional/100% -> main
liblmdb0 0.9.23-0ubuntu1 in eoan ppc64el: universe/libs/optional/100% -> main
liblmdb0 0.9.23-0ubuntu1 in eoan s390x: universe/libs/optional/100% -> main
lmdb-doc 0.9.23-0ubuntu1 in eoan amd64: universe/doc/optional/100% -> main
lmdb-doc 0.9.23-0ubuntu1 in eoan arm64: universe/doc/optional/100% -> main
lmdb-doc 0.9.23-0ubuntu1 in eoan armhf: universe/doc/optional/100% -> main
lmdb-doc 0.9.23-0ubuntu1 in eoan i386: universe/doc/optional/100% -> main
lmdb-doc 0.9.23-0ubuntu1 in eoan ppc64el: universe/doc/optional/100% -> main
lmdb-doc 0.9.23-0ubuntu1 in eoan s390x: universe/doc/optional/100% -> main
lmdb-utils 0.9.23-0ubuntu1 in eoan amd64: universe/database/optional/100% -> main
lmdb-utils 0.9.23-0ubuntu1 in eoan arm64: universe/database/optional/100% -> main
lmdb-utils 0.9.23-0ubuntu1 in eoan armhf: universe/database/optional/100% -> main
lmdb-utils 0.9.23-0ubuntu1 in eoan i386: universe/database/optional/100% -> main
lmdb-utils 0.9.23-0ubuntu1 in eoan ppc64el: universe/database/optional/100% -> main
lmdb-utils 0.9.23-0ubuntu1 in eoan s390x: universe/database/optional/100% -> main
25 publications overridden.

Changed in lmdb (Ubuntu):
status: Fix Committed → Fix Released