Bug 1654670

This is an automatic check from review-stats script.

This review request ticket hasn't been updated for some time. We're sorry
it is taking so long. If you're still interested in packaging this software
into Fedora repositories, please respond to this comment clearing the
NEEDINFO flag.

You may want to update the specfile and the src.rpm to the latest version
available and to propose a review swap on Fedora devel mailing list to increase
chances to have your package reviewed. If this is your first package and you
need a sponsor, you may want to post some informal reviews. Read more at
https://fedoraproject.org/wiki/How_to_get_sponsored_into_the_packager_group.

Without any reply, this request will shortly be considered abandoned
and will be closed.
Thank you for your patience.

This is ultimately blocked by libtomcrypt which did not had a release with ECC support yet although the support has been added to their develop branch.
perl-CryptX upstream ships with a bundled copy of libtomcrypt, which is unbundled from Fedora's perl-CryptX in favor of the system libtomcrypt, hence the need for a libtomcrypt release.
See https://bugzilla.redhat.com/show_bug.cgi?id=1654710

This is an automatic check from review-stats script.

This review request ticket hasn't been updated for some time. We're sorry
it is taking so long. If you're still interested in packaging this software
into Fedora repositories, please respond to this comment clearing the
NEEDINFO flag.

You may want to update the specfile and the src.rpm to the latest version
available and to propose a review swap on Fedora devel mailing list to increase
chances to have your package reviewed. If this is your first package and you
need a sponsor, you may want to post some informal reviews. Read more at
https://fedoraproject.org/wiki/How_to_get_sponsored_into_the_packager_group.

Without any reply, this request will shortly be considered abandoned
and will be closed.
Thank you for your patience.

Above comment still applies, waiting on a libtomcrypt release.

Spec URL: https://www.bachelot.org/fedora/SPECS/perl-Crypt-U2F-Server.spec
SRPM URL: https://www.bachelot.org/fedora/SRPMS/perl-Crypt-U2F-Server-0.45-1.fc37.src.rpm

URL and Source0 addresses are usable. Ok.
TODO: Remove a trailing space from URL value.

Source0 archive (SHA-512: d27f23bb44ab69ffbab1e1a6d3adea54af83a19d9c45d304dcdfa119e98fb2350e125594aaebe7c9184703c0d10f3f66c384d8df85bab6d5077fe635c8c063e7) is original. Ok.
Summary verified from lib/Crypt/U2F/Server.pm. Ok.

TODO: The description is quite crude. Could you rephrase it like this:

  This is a very low level wrapper around libu2f-server C library. You
  might rather use a high-level Crypt::U2F::Server::Simple instead.

FIX: The license tag does not cover all licenses. It also must be in an SPDX format.
Licenses found:
lib/Crypt/U2F/Server.pm: BSD-2-Clause
lib/Crypt/U2F/Server/Simple.pm: BSD-2-Clause
u2f.c: BSD-2-Clause
u2f.h: BSD-2-Clause
ppport.h: GPL-1.0-or-later OR Artistic-1.0-Perl
README: GPL-1.0-or-later OR Artistic-1.0-Perl
I believe the correct license tag is: BSD-2-Clause AND (GPL-1.0-or-later OR Artistic-1.0-Perl)

TODO: Build-require 'perl(:VERSION) >= 5.18.1' (Makefile.PL:1).
FIX: Build-require perl(ExtUtils::Constant) (Makefile.PL:30). The branch with File::Copy cannot work because there is no "fallback" directory in the sources.
FIX: Do not build- and run-require 'perl(DynaLoader)'. It's used nowhere.
FIX: Build-require 'perl(constant)' (t/12-full-test.t:8).
FIX: Build-require 'perl(Data::Dumper)' (t/01-lowlevel-basic.t:17).
FIX: Do not run-require 'perl(:MODULE_COMPAT_...)'. It's handled by perl-generators now.

TODO: Add NO_PACKLIST=1 NO_PERLLOCAL=1 arguments to Makefile.PL and use %{make_install} as recommended in <https://fedoraproject.org/wiki/Perl/Tips#ExtUtils::MakeMaker>. You will then be able to remove all the find commands except of "find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -exec rm -f {} \;" which could be simplified to "find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -delete" and you have to build-require "findutils" for that.

FIX: Build-require 'coreutils' (perl-Crypt-U2F-Server.spec:45).
FIX: Build-require 'make' (perl-Crypt-U2F-Server.spec:48).

TODO: Do not package META.json. It does not contain any unique data which cannot be found elsewhere.
FIX: Do not use top-level globs in %files section, especially at the manual pages <https://docs.fedoraproject.org/en-US/packaging-guidelines/#_explicit_lists>.

FIX: The package does not build because 'perl(Authen::U2F::Tester)' build-dependency is not packaged in Fedora. Either package it first, or remove the dependency. It's an optional test.

Spec URL: https://www.bachelot.org/fedora/SPECS/perl-Crypt-U2F-Server.spec
SRPM URL: https://www.bachelot.org/fedora/SRPMS/perl-Crypt-U2F-Server-0.45-2.fc40.src.rpm

GCC warns:

u2f.c: In function ‘u2fclib_verifyRegistration’:
u2f.c:186:5: warning: ‘strncpy’ specified bound 1000 equals destination size [-Wstringop-truncation]
  186 |     strncpy(kh, u2fs_get_registration_keyHandle(reg_result), 1000);
      |     ^

u2fs_get_registration_keyHandle() returns a point to a buffer which is according to current libu2f-server sources allocated to 2000 B. It contains a base64-encoded key. If the encoding form exceeds 1000 B, the strncpy() will miss a trailing null byte and a u2fclib_verifyRegistration() of this package will in turn read over the buffer end with strlen(). The longest ECC keys used today have 512 bits. Nevertheless I recommend fixing this future-possible buffer overflow.

All tests pass. Ok.

$ rpmlint perl-Crypt-U2F-Server.spec ../SRPMS/perl-Crypt-U2F-Server-0.45-2.fc40.src.rpm ../RPMS/x86_64/perl-Crypt-U2F-Server-*
======================================== rpmlint session starts =======================================
rpmlint: 2.4.0
configuration:
    /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 5

========= 4 packages and 1 specfiles checked; 0 errors, 0 warnings, 0 badness; has taken 0.4 s ========
rpmlint is Ok.

$ rpm -q -lv -p ../RPMS/x86_64/perl-Crypt-U2F-Server-0.45-2.fc40.x86_64.rpm 
drwxr-xr-x    2 root     root                        0 Oct  4 02:00 /usr/lib/.build-id
drwxr-xr-x    2 root     root                        0 Oct  4 02:00 /usr/lib/.build-id/b6
lrwxrwxrwx    1 root     root                       71 Oct  4 02:00 /usr/lib/.build-id/b6/fe4716d766da3ca4542cfd7aef6dbfa386456f -> ../../../../usr/lib64/perl5/vendor_perl/auto/Crypt/U2F/Server/Server.so
drwxr-xr-x    2 root     root                        0 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/Crypt
drwxr-xr-x    2 root     root                        0 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/Crypt/U2F
drwxr-xr-x    2 root     root                        0 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/Crypt/U2F/Server
-rw-r--r--    1 root     root                     6352 May  4  2019 /usr/lib64/perl5/vendor_perl/Crypt/U2F/Server.pm
-rw-r--r--    1 root     root                    15347 May  4  2019 /usr/lib64/perl5/vendor_perl/Crypt/U2F/Server/Simple.pm
drwxr-xr-x    2 root     root                        0 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt
drwxr-xr-x    2 root     root                        0 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt/U2F
drwxr-xr-x    2 root     root                        0 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt/U2F/Server
-rwxr-xr-x    1 root     root                    27864 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt/U2F/Server/Server.so
-rw-r--r--    1 root     root                       95 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt/U2F/Server/autosplit.ix
drwxr-xr-x    2 root     root                        0 Oct  4 02:00 /usr/share/doc/perl-Crypt-U2F-Server
-rw-r--r--    1 root     root                     1077 May  4  2019 /usr/share/doc/perl-Crypt-U2F-Server/Changes
-rw-r--r--    1 root     root                      746 Mar 12  2019 /usr/share/doc/perl-Crypt-U2F-Server/README
-rw-r--r--    1 root     root                     2932 Oct  4 02:00 /usr/share/man/man3/Crypt::U2F::Server.3pm.gz
-rw-r--r--    1 root     root                     4640 Oct  4 02:00 /usr/share/man/man3/Crypt::U2F::Server::Simple.3pm.gz
File layout and permissions are Ok.

$ rpm -q --requires -p ../RPMS/x86_64/perl-Crypt-U2F-Server-0.45-2.fc40.x86_64.rpm | sort -f | uniq -c
      1 libc.so.6()(64bit)
      1 libc.so.6(GLIBC_2.2.5)(64bit)
      1 libc.so.6(GLIBC_2.3.4)(64bit)
      1 libc.so.6(GLIBC_2.4)(64bit)
      1 libperl.so.5.38()(64bit)
      1 libu2f-server.so.0()(64bit)
      1 libu2f-server.so.0(U2F_SERVER_0.0.0)(64bit)
      1 perl(:MODULE_COMPAT_5.38.0)
      1 perl(:VERSION) >= 5.18.1
      1 perl(AutoLoader)
      1 perl(Carp)
      1 perl(Crypt::U2F::Server)
      1 perl(Exporter)
      1 perl(strict)
      1 perl(warnings)
      1 perl(XSLoader)
      1 perl-libs
      1 rpmlib(CompressedFileNames) <= 3.0.4-1
      1 rpmlib(FileDigests) <= 4.6.0-1
      1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
      1 rpmlib(PayloadIsZstd) <= 5.4.18-1
      1 rtld(GNU_HASH)
Binary requires are Ok.

$ rpm -q --provides -p ../RPMS/x86_64/perl-Crypt-U2F-Server-0.45-2.fc40.x86_64.rpm | sort -f | uniq -c
      1 perl(Crypt::U2F::Server) = 0.45
      1 perl(Crypt::U2F::Server::Simple) = 0.45
      1 perl-Crypt-U2F-Server = 0.45-2.fc40
      1 perl-Crypt-U2F-Server(x86-64) = 0.45-2.fc40
Binary provides are Ok.

$ resolvedeps rawhide ../RPMS/x86_64/perl-Crypt-U2F-Server-0.45-2.fc40.x86_64.rpm 
Binary dependencies are resolvable. Ok.

The package builds in Fedora 40 (https://koji.fedoraproject.org/koji/taskinfo?taskID=108130579). Ok.

The package is in line with Fedora and Perl packaging guidelines.
Please report the potential buffer overflow to the upstream.
This package is APPROVED.

The Pagure repository was created at https://src.fedoraproject.org/rpms/perl-Crypt-U2F-Server

Thanks for the review Petr.
I will report the potential buffer overflow to upstream.

FTR, https://rt.cpan.org/Ticket/Display.html?id=150508