[Bug 1459692] Re: [MIR] anope
** No longer affects: inspircd (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1459692 Title: [MIR] anope To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/anope/+bug/1459692/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1459692] Re: [MIR] anope
** Also affects: inspircd (Ubuntu) Importance: Undecided Status: New
[Bug 1459692] Re: [MIR] anope
Override component to main
anope 2.0.6-1 in disco: universe/misc -> main
anope 2.0.6-1 in disco amd64: universe/net/optional/100% -> main
anope 2.0.6-1 in disco arm64: universe/net/optional/100% -> main
anope 2.0.6-1 in disco armhf: universe/net/optional/100% -> main
anope 2.0.6-1 in disco i386: universe/net/optional/100% -> main
anope 2.0.6-1 in disco ppc64el: universe/net/optional/100% -> main
anope 2.0.6-1 in disco s390x: universe/net/optional/100% -> main
7 publications overridden.

** Changed in: anope (Ubuntu) Status: Confirmed => Fix Released
[Bug 1459692] Re: [MIR] anope
Seed change committed.
[Bug 1459692] Re: [MIR] anope
** Merge proposal linked: https://code.launchpad.net/~racb/ubuntu-seeds/+git/platform/+merge/361874
[Bug 1459692] Re: [MIR] anope
Anope developers finally replied that Anope is still being maintained, despite the lack of replies on the ticket that I've opened. I believe they will take a closer look at the reported issues in the near future. And if anyone is interested, PRs can be sent to them to fix any of those issues.

Security team ACK for promoting anope to main.

** Changed in: anope (Ubuntu) Status: New => Confirmed
** Changed in: anope (Ubuntu) Assignee: Eduardo dos Santos Barretto (ebarretto) => (unassigned)
[Bug 1459692] Re: [MIR] anope
I reviewed anope version 2.0.6-1 as checked into cosmic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

Anope is a set of services for IRC networks. It allows users/admins to manage their nicks/channels/networks and more. Quick list of services:
- NickServ
- ChanServ
- MemoServ
- BotServ
- OperServ
- HostServ

- No CVEs registered against anope.
- Build-depends:
  - debhelper (>= 10),
  - cmake,
  - default-libmysqlclient-dev,
  - libldap2-dev,
  - libpcre3-dev,
  - libgnutls28-dev,
  - libsqlite3-dev
- postinst and post/pre rm automatically added
- init script: /etc/init.d/anope
  - Has a: chown irc /var/run/anope (not recursive)
- No systemd services
- No dbus services
- No setuid bit
- Binaries in PATH: /usr/sbin/anope
- No sudo fragments
- No udev rules
- No tests
- No cron jobs
- Some lintian warning/error. The permission warning I would ignore, 0700 permission looks better than 0755 for db backups.
    E: anope changes: bad-distribution-in-changes-file unstable
    W: anope: non-standard-dir-perm var/lib/anope/db/backups/ 0700 != 0755
    W: anope: binary-without-manpage usr/sbin/anope
    N: 12 tags overridden (12 warnings)
- Lack of input sanitization:
    ./modules/extra/m_regex_pcre.cpp:36: return pcre_exec(this->regex, NULL, str.c_str(), str.length(), 0, 0, NULL, 0) > -1;
    ./modules/extra/m_regex_tre.cpp:38: return regexec(&this->regbuf, str.c_str(), 0, NULL, 0) == 0;
    ./modules/extra/m_regex_posix.cpp:37: return regexec(&this->regbuf, str.c_str(), 0, NULL, 0) == 0;
  None of those regex engines do input sanitization, and there is no sanitization on anope's code. We reported it to upstream, see more information at the bottom of this comment.
- Processes spawned:
    ./src/main.cpp:212: execve(Anope::ServicesBin.c_str(), av, envp);
    ./src/config.cpp:681: this->fp = (this->executable ? popen(this->name.c_str(), "r") : fopen((Anope::ConfigDir + "/" + this->name).c_str(), "r"));
    ./src/mail.cpp:30: FILE *pipe = popen(sendmail_path.c_str(), "w");
  Although they look dangerous, we understood that the input comes from Anope's configuration file, which is under administrator control, so probably fine.
- There are many file IO operations and memory management operations in the project. After spending some time I couldn't find any trivial way to trigger an overflow/underflow, but more time would be required in order to be truly sure.
- Logging looks ok
- Makes use of the following environment languages: LANGUAGE and LANG. Looks safe.
    ./src/language.cpp:104: setenv("LANG", lang, 1);
    ./src/language.cpp:105: setenv("LANGUAGE", lang, 1);
    ./src/language.cpp:115: unsetenv("LANGUAGE");
    ./src/language.cpp:116: unsetenv("LANG");
- Anope makes use of the following privileged functions. All of them are used in the same function setuidgid(), which is executed during Anope's initialization. The setgid and setuid will only be triggered if the user specifies a specific user and group on anope's config file. The chown will be executed on every initialization to set the owner of the log files to either the specified user (if defined in the config file) or to the current user that is running Anope.
    ./src/init.cpp:272: if (setgid(gid) == -1)
    ./src/init.cpp:279: if (setuid(uid) == -1)
    ./src/init.cpp:266: chown(lf->filename.c_str(), uid, gid);
  We certainly didn't love that chown, but since Ubuntu has YAMA loaded it is probably safe. We wonder if this could be a problem in kernels without YAMA.
- Anope implements MD5, SHA1, SHA256 and BLOWFISH in modules/encryption/, those modules are used when dealing with passwords so it stores the password in the databases securely. Another way to authenticate users can be done by using sasl and ldap modules found on modules/extras/m_sasl or modules/extras/m_ldap. Anope also has two modules for SSL/TLS: modules/extras/m_ssl_openssl and modules/extras/m_ssl_gnutls. Both of them provide SSL services to Anope using either openssl or gnutls.
- Extensive networking. Didn't check all of them, just a couple and they looked safe.
- No WebKit
- No PolicyKit
- The build log has some warnings:
    /<>/src/init.cpp:109:9: warning: ignoring return value of ‘FILE* freopen(const char*, const char*, FILE*)’, declared with attribute warn_unused_result [-Wunused-result]
    /<>/src/init.cpp:110:9: warning: ignoring return value of ‘FILE* freopen(const char*, const char*, FILE*)’, declared with attribute warn_unused_result [-Wunused-result]
    /<>/src/init.cpp:111:9: warning: ignoring return value of ‘FILE* freopen(const char*, const char*, FILE*)’, declared with attribute warn_unused_result [-Wunused-result]
  > Those seem ok, nothing catastrophic but would be nice to see those warnings solved.
    /<>/src/init.cpp:266:9: warning: ignoring return value of ‘int chown(const char*, __uid_t, __gid_t)’, declared with attribute warn_unused_result [-Wunused-result]
    /<>/src/main.cpp:209:8: warning: ignoring return value of ‘int chdir(
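
Added example, not part of the review above and not Anope's code: one defensive shape for the start-up sequence the review describes (chown of a log file, then setgid/setuid), using fchown() on a descriptor opened with O_NOFOLLOW and checking every return value, including the chown result the build log reports as ignored. The function names chown_log_nofollow and drop_privileges are hypothetical.

```c
/* Added example, not Anope's code; function names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* chown a log file by descriptor; O_NOFOLLOW makes open() fail with ELOOP
 * when `path` is a symlink. Returns 0, or -1 with errno set. */
int chown_log_nofollow(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd == -1)
        return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    if (rc == 0 && (!S_ISREG(st.st_mode) || st.st_nlink != 1)) {
        errno = EPERM;          /* device, FIFO or hard-linked file */
        rc = -1;
    }
    if (rc == 0)
        rc = fchown(fd, uid, gid);  /* acts on the inode that was checked */
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Drop privileges: supplementary groups, then gid, then uid, each checked. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (uid != 0 && setuid(0) == 0) {   /* root must not be regainable */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: prog LOGFILE; exit status is 0 only if both steps succeed. */
    return (argc == 2 && chown_log_nofollow(argv[1], getuid(), getgid()) == 0
            && drop_privileges(getuid(), getgid()) == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}
```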
[Bug 1459692] Re: [MIR] anope
** Changed in: anope (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => Eduardo dos Santos Barretto (ebarretto)
[Bug 1459692] Re: [MIR] anope
** Changed in: anope (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
[Bug 1459692] Re: [MIR] anope
Subscribed ubuntu-server to the bugs due to the usage of this project by Canonical IS. Marking this bug as new and removing myself.

** Changed in: anope (Ubuntu) Status: Incomplete => New
** Changed in: anope (Ubuntu) Assignee: Joshua Powers (powersj) => (unassigned)
[Bug 1459692] Re: [MIR] anope
Passed on to Josh.

** Changed in: anope (Ubuntu) Assignee: Robie Basak (racb) => Joshua Powers (powersj)
[Bug 1459692] Re: [MIR] anope
Per https://wiki.ubuntu.com/UbuntuMainInclusionRequirements, "All packages must have a designated "owning" team, regardless of complexity, which is set as a package bug contact." It isn't clear (to me anyway) who the owner of this package will be. The requester no longer works for Canonical. Is this something the server team is committed to?

I'm going to assign Robie to answer this question, but please reassign/unassign as desired. If an owning team is assigned, please feel free to assign back to ubuntu-security. Thanks!

** Changed in: anope (Ubuntu) Status: Confirmed => Incomplete
** Changed in: anope (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => Robie Basak (racb)
[Bug 1459692] Re: [MIR] anope
** Changed in: anope (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
[Bug 1459692] Re: [MIR] anope
The AppArmor profile bug remains open in Debian. It looks like it's feasible to drive that to resolution in Debian. Failing that the security team will probably ask for it to be included in a delta in Ubuntu.

In general the packaging looks to be good quality. I can look more thoroughly later, but I think it's likely that I won't have any objection to main inclusion in Ubuntu once the few minor things have been addressed.

I think it makes sense to request a security review next, as that's the biggest question mark for this package as it's particularly security sensitive.
[Bug 1459692] Re: [MIR] anope
It looks like bug 1473231 hasn't been addressed. It needs forwarding upstream and/or adding/maintaining as a delta to Ubuntu.
[Bug 1459692] Re: [MIR] anope
> Check for security relevant binaries. If any are present, this requires a more in-depth security review

I think the nature of this package means that it certainly needs an ack from the security team.
[Bug 1459692] Re: [MIR] anope
This is the services daemon Canonical IS uses for irc.canonical.com, so we would certainly be glad to see it included in main.
[Bug 1459692] Re: [MIR] anope
is this still relevant?
[Bug 1459692] Re: [MIR] anope
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: anope (Ubuntu) Status: New => Confirmed