Bug 1654670
Summary: | Review Request: perl-Crypt-U2F-Server - Low level wrapper around the U2F C library (server side) | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Xavier Bachelot <xavier> |
Component: | Package Review | Assignee: | Petr Pisar <ppisar> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | myka.rein, package-review, ppisar |
Target Milestone: | --- | Flags: | ppisar:
fedora-review+
|
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2023-10-27 14:33:00 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1654667 | ||
Bug Blocks: |
Description
Xavier Bachelot
2018-11-29 11:40:38 UTC
This is an automatic check from review-stats script. This review request ticket hasn't been updated for some time. We're sorry it is taking so long. If you're still interested in packaging this software into Fedora repositories, please respond to this comment clearing the NEEDINFO flag. You may want to update the specfile and the src.rpm to the latest version available and to propose a review swap on Fedora devel mailing list to increase chances to have your package reviewed. If this is your first package and you need a sponsor, you may want to post some informal reviews. Read more at https://fedoraproject.org/wiki/How_to_get_sponsored_into_the_packager_group. Without any reply, this request will shortly be considered abandoned and will be closed. Thank you for your patience. This is ultimately blocked by libtomcrypt which did not had a release with ECC support yet although the support has been added to their develop branch. perl-CryptX upstream ships with a bundled copy of libtomcrypt, which is unbundled from Fedora's perl-CryptX in favor of the system libtomcrypt, hence the need for a libtomcrypt release. See https://bugzilla.redhat.com/show_bug.cgi?id=1654710 This is an automatic check from review-stats script. This review request ticket hasn't been updated for some time. We're sorry it is taking so long. If you're still interested in packaging this software into Fedora repositories, please respond to this comment clearing the NEEDINFO flag. You may want to update the specfile and the src.rpm to the latest version available and to propose a review swap on Fedora devel mailing list to increase chances to have your package reviewed. If this is your first package and you need a sponsor, you may want to post some informal reviews. Read more at https://fedoraproject.org/wiki/How_to_get_sponsored_into_the_packager_group. Without any reply, this request will shortly be considered abandoned and will be closed. Thank you for your patience. Above comment still applies, waiting on a libtomcrypt release. Spec URL: https://www.bachelot.org/fedora/SPECS/perl-Crypt-U2F-Server.spec SRPM URL: https://www.bachelot.org/fedora/SRPMS/perl-Crypt-U2F-Server-0.45-1.fc37.src.rpm This comment was flagged a spam, view the edit history to see the original text if required. This comment was flagged a spam, view the edit history to see the original text if required. This comment was flagged a spam, view the edit history to see the original text if required. URL and Source0 addresses are usable. Ok. TODO: Remove a trailing space from URL value. Source0 archive (SHA-512: d27f23bb44ab69ffbab1e1a6d3adea54af83a19d9c45d304dcdfa119e98fb2350e125594aaebe7c9184703c0d10f3f66c384d8df85bab6d5077fe635c8c063e7) is original. Ok. Summary verified from lib/Crypt/U2F/Server.pm. Ok. TODO: The description is quite crude. Could you rephrase it like this: This is a very low level wrapper around libu2f-server C library. You might rather use a high-level Crypt::U2F::Server::Simple instead. FIX: The license tag does not cover all licenses. It also must be in an SPDX format. Licenses found: lib/Crypt/U2F/Server.pm: BSD-2-Clause lib/Crypt/U2F/Server/Simple.pm: BSD-2-Clause u2f.c: BSD-2-Clause u2f.h: BSD-2-Clause ppport.h: GPL-1.0-or-later OR Artistic-1.0-Perl README: GPL-1.0-or-later OR Artistic-1.0-Perl I believe the correct license tag is: BSD-2-Clause AND (GPL-1.0-or-later OR Artistic-1.0-Perl) TODO: Build-require 'perl(:VERSION) >= 5.18.1' (Makefile.PL:1). FIX: Build-require perl(ExtUtils::Constant) (Makefile.PL:30). The branch with File::Copy cannot work because there is no "fallback" directory in the sources. FIX: Do not build- and run-require 'perl(DynaLoader)'. It's used nowhere. FIX: Build-require 'perl(constant)' (t/12-full-test.t:8). FIX: Build-require 'perl(Data::Dumper)' (t/01-lowlevel-basic.t:17). FIX: Do not run-require 'perl(:MODULE_COMPAT_...)'. It's handled by perl-generators now. TODO: Add NO_PACKLIST=1 NO_PERLLOCAL=1 arguments to Makefile.PL and use %{make_install} as recommended in <https://fedoraproject.org/wiki/Perl/Tips#ExtUtils::MakeMaker>. You will then be able to remove all the find commands except of "find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -exec rm -f {} \;" which could be simplified to "find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -delete" and you have to build-require "findutils" for that. FIX: Build-require 'coreutils' (perl-Crypt-U2F-Server.spec:45). FIX: Build-require 'make' (perl-Crypt-U2F-Server.spec:48). TODO: Do not package META.json. It does not contain any unique data which cannot be found elsewhere. FIX: Do not use top-level globs in %files section, especially at the manual pages <https://docs.fedoraproject.org/en-US/packaging-guidelines/#_explicit_lists>. FIX: The package does not build because 'perl(Authen::U2F::Tester)' build-dependency is not packaged in Fedora. Either package it first, or remove the dependency. It's an optional test. Spec URL: https://www.bachelot.org/fedora/SPECS/perl-Crypt-U2F-Server.spec SRPM URL: https://www.bachelot.org/fedora/SRPMS/perl-Crypt-U2F-Server-0.45-2.fc40.src.rpm GCC warns: u2f.c: In function ‘u2fclib_verifyRegistration’: u2f.c:186:5: warning: ‘strncpy’ specified bound 1000 equals destination size [-Wstringop-truncation] 186 | strncpy(kh, u2fs_get_registration_keyHandle(reg_result), 1000); | ^ u2fs_get_registration_keyHandle() returns a point to a buffer which is according to current libu2f-server sources allocated to 2000 B. It contains a base64-encoded key. If the encoding form exceeds 1000 B, the strncpy() will miss a trailing null byte and a u2fclib_verifyRegistration() of this package will in turn read over the buffer end with strlen(). The longest ECC keys used today have 512 bits. Nevertheless I recommend fixing this future-possible buffer overflow. All tests pass. Ok. $ rpmlint perl-Crypt-U2F-Server.spec ../SRPMS/perl-Crypt-U2F-Server-0.45-2.fc40.src.rpm ../RPMS/x86_64/perl-Crypt-U2F-Server-* ======================================== rpmlint session starts ======================================= rpmlint: 2.4.0 configuration: /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-legacy-licenses.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml checks: 31, packages: 5 ========= 4 packages and 1 specfiles checked; 0 errors, 0 warnings, 0 badness; has taken 0.4 s ======== rpmlint is Ok. $ rpm -q -lv -p ../RPMS/x86_64/perl-Crypt-U2F-Server-0.45-2.fc40.x86_64.rpm drwxr-xr-x 2 root root 0 Oct 4 02:00 /usr/lib/.build-id drwxr-xr-x 2 root root 0 Oct 4 02:00 /usr/lib/.build-id/b6 lrwxrwxrwx 1 root root 71 Oct 4 02:00 /usr/lib/.build-id/b6/fe4716d766da3ca4542cfd7aef6dbfa386456f -> ../../../../usr/lib64/perl5/vendor_perl/auto/Crypt/U2F/Server/Server.so drwxr-xr-x 2 root root 0 Oct 4 02:00 /usr/lib64/perl5/vendor_perl/Crypt drwxr-xr-x 2 root root 0 Oct 4 02:00 /usr/lib64/perl5/vendor_perl/Crypt/U2F drwxr-xr-x 2 root root 0 Oct 4 02:00 /usr/lib64/perl5/vendor_perl/Crypt/U2F/Server -rw-r--r-- 1 root root 6352 May 4 2019 /usr/lib64/perl5/vendor_perl/Crypt/U2F/Server.pm -rw-r--r-- 1 root root 15347 May 4 2019 /usr/lib64/perl5/vendor_perl/Crypt/U2F/Server/Simple.pm drwxr-xr-x 2 root root 0 Oct 4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt drwxr-xr-x 2 root root 0 Oct 4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt/U2F drwxr-xr-x 2 root root 0 Oct 4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt/U2F/Server -rwxr-xr-x 1 root root 27864 Oct 4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt/U2F/Server/Server.so -rw-r--r-- 1 root root 95 Oct 4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt/U2F/Server/autosplit.ix drwxr-xr-x 2 root root 0 Oct 4 02:00 /usr/share/doc/perl-Crypt-U2F-Server -rw-r--r-- 1 root root 1077 May 4 2019 /usr/share/doc/perl-Crypt-U2F-Server/Changes -rw-r--r-- 1 root root 746 Mar 12 2019 /usr/share/doc/perl-Crypt-U2F-Server/README -rw-r--r-- 1 root root 2932 Oct 4 02:00 /usr/share/man/man3/Crypt::U2F::Server.3pm.gz -rw-r--r-- 1 root root 4640 Oct 4 02:00 /usr/share/man/man3/Crypt::U2F::Server::Simple.3pm.gz File layout and permissions are Ok. $ rpm -q --requires -p ../RPMS/x86_64/perl-Crypt-U2F-Server-0.45-2.fc40.x86_64.rpm | sort -f | uniq -c 1 libc.so.6()(64bit) 1 libc.so.6(GLIBC_2.2.5)(64bit) 1 libc.so.6(GLIBC_2.3.4)(64bit) 1 libc.so.6(GLIBC_2.4)(64bit) 1 libperl.so.5.38()(64bit) 1 libu2f-server.so.0()(64bit) 1 libu2f-server.so.0(U2F_SERVER_0.0.0)(64bit) 1 perl(:MODULE_COMPAT_5.38.0) 1 perl(:VERSION) >= 5.18.1 1 perl(AutoLoader) 1 perl(Carp) 1 perl(Crypt::U2F::Server) 1 perl(Exporter) 1 perl(strict) 1 perl(warnings) 1 perl(XSLoader) 1 perl-libs 1 rpmlib(CompressedFileNames) <= 3.0.4-1 1 rpmlib(FileDigests) <= 4.6.0-1 1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 1 rpmlib(PayloadIsZstd) <= 5.4.18-1 1 rtld(GNU_HASH) Binary requires are Ok. $ rpm -q --provides -p ../RPMS/x86_64/perl-Crypt-U2F-Server-0.45-2.fc40.x86_64.rpm | sort -f | uniq -c 1 perl(Crypt::U2F::Server) = 0.45 1 perl(Crypt::U2F::Server::Simple) = 0.45 1 perl-Crypt-U2F-Server = 0.45-2.fc40 1 perl-Crypt-U2F-Server(x86-64) = 0.45-2.fc40 Binary provides are Ok. $ resolvedeps rawhide ../RPMS/x86_64/perl-Crypt-U2F-Server-0.45-2.fc40.x86_64.rpm Binary dependencies are resolvable. Ok. The package builds in Fedora 40 (https://koji.fedoraproject.org/koji/taskinfo?taskID=108130579). Ok. The package is in line with Fedora and Perl packaging guidelines. Please report the potential buffer overflow to the upstream. This package is APPROVED. The Pagure repository was created at https://src.fedoraproject.org/rpms/perl-Crypt-U2F-Server Thanks for the review Petr. I will report the potential buffer overflow to upstream. |