Main Inclusion Report for obexftp
Requirements
Availability: http://archive.ubuntu.com/ubuntu/pool/universe/o/obexftp/, available for all supported architectures
Rationale:
- kdebluetooth-1.0~beta4 build depends on libobexftp-dev
Security:
- No CVE entries.
- No Secunia history.
- No binaries running as root or suid/sgid.
- Does not open any port.
- Security review: MartinPitt reviewed for common traps (like sprintf and integer overflows during memory allocations), nothing alarming was found.
Quality assurance:
- Package works out of the box without configuration.
- Package does not ask any debconf questions higher than priority 'medium'.
- No showstopper Debian bugs.
- Good maintenance in Debian.
- Active upstream.
- Does not deal with exotic hardware which we cannot support.
Standards compliance:
- Meets the FHS, Debian Policy.
- Standard debhelper packaging.
Dependencies:
- All in main.
Reviewers
Ian Jackson:
- This package build-depends on an XML tool called "sablotron" which is not mentioned in this MIR and which is in universe.
- OpenOBEX (libopenobex1 in main) has had vulnerabilities in the past. Looking at the code, obexftp is likely to have them too, but they should generally be exploitable only when obexftp is actually used. Under what circumstances and with what level of user approval will kdebluetooth use libobexftp on a Bluetooth device?
Anthony Mercatante:
- Sablotron build-dep is now obsolete. I reuploaded the package with a fixed debian/control. I'll get the change synced with Debian.
- kbluetooth uses libobexftp for file transfer within the obex2:/ ioslave, while copy/pasting or dragging and dropping between the device and the PC. No confirm action is asked on that point, as the ioslave mimics a file system.
MartinPitt: Thanks for the clarifications. So this does introduce a particular attack vector, but it won't happen automatically, and the actual vulns are usually in the libopenobex1 library. libobexftp-dev is quite easy compared to that. Approved.
MainInclusionReportObexftp (last edited 2008-08-06 16:37:22 by localhost)