MainInclusionReportSysstat
Main Inclusion Report for sysstat
Requirements
Availability: http://archive.ubuntu.com/ubuntu/pool/universe/s/sysstat; available for all supported architectures.
Rationale:
Security:
CVE entries: 4 entries. None of them seem to affect the version in Hardy.
Secunia history: same story as CVE db.
- Any binaries running as root or suid/sgid ? Any daemons ?
- Yes, one daemon running as root to collect data.
- Network activity: does it open any port ? Does it handle incoming network data ?
- No open ports; the daemon runs locally.
High level source code review performed by JamieStrandboge
- sa1
- /bin/sh script
- called via /etc/cron.d/sysstat and /etc/init.d/sysstat
- wrapper for sadc and does file manipulation in /var/log/sysstat properly
- sa2
- /bin/sh
- called via /etc/cron.daily/sysstat
- wrapper for sar.sysstat and does file manipulation properly (oddly, it does a cd to /usr/bin and then runs 'rm' and 'find ... -exec', but the paths passed to 'rm' and 'find' are absolute paths in /var/log/sysstat)
- sadc
- ELF binary
- called via sa1 and sar.sysstat (and therefore sa2)
- vulnerable to TOCTOU via access() in open_ofile(). High-level review shows this should not be an issue in practice, as the files checked when run from cron and the initscript are all in /var/log/sysstat, which is owned by root. It should only be a problem if sadc is run by root with an output file in a location writable by normal users (e.g. /tmp)
- spot-checked memory and string functions and it performs them properly
- reads the following files (which can't be manipulated by users):
- /proc/stat
- /proc/loadavg
- /proc/meminfo
- /proc/vmstat
- /proc/tty/driver/serial (requires root)
- /proc/interrupts
- /proc/sys/fs/dentry-state
- /proc/sys/fs/file-nr
- /proc/sys/fs/inode-state
- /proc/net/dev
- /proc/net/sockstat
- /proc/net/rpc/nfs
- /proc/net/rpc/nfsd
- /proc/diskstats
- /proc/partitions
- /proc/uptime
- it would be nice if sadc could be run as non-root, as it needs root for only one file (/proc/tty/driver/serial)
- sar.sysstat
- ELF binary
- called via sa2
- spot-checked memory and string functions and it performs them properly
- found a slight problem with the call to execvp(); will report upstream and upload
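The access()-then-open() TOCTOU noted for sadc above is a general pattern, so here is an added example (not sysstat's code) showing the racy shape next to a hardened form. The function names open_ofile_racy, open_ofile_safe and demo_toctou are assumptions chosen for this illustration; the hardened version drops the separate path check, opens with O_NOFOLLOW so a symlink at the output path is refused, and verifies type and ownership on the descriptor it actually obtained. demo_toctou() sets up a constructed scenario in a private temporary directory and returns a bitmask describing what each variant did.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy shape (constructed for illustration, not sysstat's own code):
 * access() checks the path, open() then uses it. Between the two syscalls
 * the path can be replaced, e.g. by a symlink, and open() follows it. */
int open_ofile_racy(const char *path)
{
    if (access(path, W_OK) != 0 && errno != ENOENT)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Hardened form: no separate check on the path. O_NOFOLLOW makes open()
 * fail with ELOOP if the final component is a symlink, and the type and
 * ownership checks are made on the descriptor actually obtained. */
int open_ofile_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-contained check in a private temporary directory. Returns a bitmask:
 *   bit 0: open_ofile_safe() opens an ordinary output file
 *   bit 1: open_ofile_safe() refuses a symlink sitting at the output path
 *   bit 2: open_ofile_racy() follows that same symlink (the flaw)
 * so 7 means the hardened version behaves as intended; -1 means setup failed. */
int demo_toctou(void)
{
    const char *tmp = getenv("TMPDIR");
    char dir[256], plain[300], target[300], link[300];
    int result = 0, fd;

    snprintf(dir, sizeof dir, "%s/toctou-demo-XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(plain, sizeof plain, "%s/sa.log", dir);
    snprintf(target, sizeof target, "%s/other.txt", dir);
    snprintf(link, sizeof link, "%s/sa-link.log", dir);

    /* Constructed setup: an unrelated file, and a symlink at a second
     * output path pointing at it (the situation the review warns about
     * for a world-writable output directory). */
    fd = open(target, O_WRONLY | O_CREAT, 0644);
    if (fd >= 0)
        close(fd);
    if (symlink(target, link) != 0)
        goto cleanup;

    fd = open_ofile_safe(plain);          /* ordinary file: must succeed */
    if (fd >= 0) { result |= 1; close(fd); }

    fd = open_ofile_safe(link);           /* symlink: must fail with ELOOP */
    if (fd < 0 && errno == ELOOP) result |= 2; else if (fd >= 0) close(fd);

    fd = open_ofile_racy(link);           /* racy variant follows the link */
    if (fd >= 0) { result |= 4; close(fd); }

cleanup:
    unlink(plain);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_toctou();
    printf("demo_toctou() = %d (7 means the hardened open behaves as intended)\n", r);
    return r == 7 ? 0 : 1;
}
```

The fstat() ownership check is what matters when the caller is root: a file that already exists at the output path but is owned by someone else is refused rather than appended to, which is exactly the /tmp case the review describes.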
Quality assurance:
- In what situations does the package not work out of the box without configuration ?
- none
- Does the package ask any debconf questions higher than priority 'medium' ?
- Yes, only when upgrading from < 8.0.0
Debian bugs: nothing scary.
Maintenance in Debian is vigorous.
Upstream maintenance (http://pagesperso-orange.fr/sebastien.godard/) is vigorous.
- Hardware: Does this package deal with hardware and if so how exotic is it ?
- no
Standards compliance:
- FHS, Debian Policy
- Yes.
Debian library packaging guide standards compliance ?
- no libs
- Packaging system (debhelper/cdbs/dbs) ? Patch system ? Any packaging oddities ?
- none.
Dependencies:
- B-D are all in main.
- Depends for the isag binary are not all in main, but isag could easily stay in universe. The dependencies for the core are all in main.
Reviewers
MIR bug: https://bugs.launchpad.net/bugs/183469
The author of this report should put their name here; reviewers will add comments etc. too
MainInclusionReportSysstat (last edited 2008-08-06 16:39:43 by localhost)