[Bug 2093322] Re: [MIR] azure-vm-utils
I reviewed azure-vm-utils 0.4.0-2 as checked into plucky. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

azure-vm-utils is a collection of tools and udev rules for Linux on Azure.

- CVE History
  - None
  - The project is relatively new.
- Build-Depends
  - Standard build depends.
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - None
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - Generates 80-azure-disk.rules
  - The project advertises itself as a collection of udev rules, so it is fine for it to have udev rules.
  - The rules interact with Azure and Microsoft devices, mostly reading and creating symlinks.
- unit tests / autopkgtests
  - No unit tests or autopkgtests. This was mentioned before, and it was deemed hard to test without a VM. One basic autopkgtest was added, and the upstream repository seems to contain more tests.
- cron jobs
  - None
- Build logs
  - Normal build logs.

- Processes spawned
  - None
- Memory management
  - The memory is freed normally.
- File IO
  - None
- Logging
  - Provides debug prints. No issues.
- Environment variable usage
  - None
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - None
- Use of temp files
  - None
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None

- Any significant cppcheck results
  - None
- Any significant Coverity results
  - Several Coverity issues were identified.
  - src/main.c:303: Buffer not null terminated (BUFFER_SIZE)
    - The string copy that happens may cause the string to overflow into another variable if not null terminated. This could cause issues and security vulnerabilities, such as denial of service. While there are no checks for this, the input string ultimately is always null terminated from scandir(). Therefore, this is not an issue with the current inputs.
  - src/main.c:193: Argument cannot be negative (NEGATIVE_RETURNS)
    - In this line of code, sysconf(_SC_PAGESIZE) may return a negative value where a negative value is not allowed. This could cause the function to allocate too much memory, or crash.
  - Other issues were deemed low severity/false positives.
- Any significant shellcheck results
  - None
- Any significant Semgrep results
  - None

The package is designed to be run in a privileged environment. The issues
identified by Coverity involve a local attacker inserting maliciously named
devices physically, which is challenging in this scenario. Therefore, these
issues should not be a problem. The upstream code has removed the usage of the
problematic function for the first Coverity issue in a later version, and a PR
was filed upstream for the second issue, which should not prevent the package
from being promoted regardless of the outcome of said PR due to it being a
trivial issue in this scenario.

The code itself is maintainable, with clear and concise comments as well as
normal variable naming and memory management. Upstream also utilizes
vulnerability scanning as part of their CI workflow.

Security team ACK for promoting azure-vm-utils to main.

** Changed in: azure-vm-utils (Ubuntu)
       Status: New => In Progress

** Changed in: azure-vm-utils (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2093322

Title:
  [MIR] azure-vm-utils

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/azure-vm-utils/+bug/2093322/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
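
The two Coverity finding classes named in the review above, sketched as an added example that is not code from azure-vm-utils or from the reviewer: a fixed-size name copy that either terminates or refuses, and a sysconf(_SC_PAGESIZE) result validated before it is used as an allocation size. All function names, buffer sizes and the use of calloc() are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Illustrative helpers only; names and sizes are assumptions, not taken
 * from azure-vm-utils. */

/* Shows what a "buffer not null terminated" checker warns about:
 * strncpy() writes no terminator when src fills the whole buffer.
 * Returns 1 if dst ended up terminated, 0 if not. */
int strncpy_terminates(const char *src, size_t dst_size)
{
    char dst[64];

    if (dst_size == 0 || dst_size > sizeof dst)
        return 0;
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

/* Hardened copy: succeeds only if src and its terminator fit in dst.
 * On failure dst is left as an empty string. Returns 0 or -1. */
int copy_name(char *dst, size_t dst_size, const char *src)
{
    const char *nul;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    nul = memchr(src, '\0', dst_size);  /* look no further than dst can hold */
    if (nul == NULL) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);  /* includes the terminator */
    return 0;
}

/* sysconf() returns -1 on error; converted to size_t that becomes a huge
 * value. Accept only strictly positive results. Returns 0 or -1. */
int checked_page_size(long raw, size_t *out)
{
    if (out == NULL || raw <= 0)
        return -1;
    *out = (size_t)raw;
    return 0;
}

/* Allocate one zeroed page, or return NULL if the page size is unusable. */
void *alloc_page_buffer(size_t *size_out)
{
    size_t page;

    if (size_out == NULL ||
        checked_page_size(sysconf(_SC_PAGESIZE), &page) != 0)
        return NULL;
    *size_out = page;
    return calloc(1, page);
}
```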
[Bug 2093322] Re: [MIR] azure-vm-utils
** Tags added: sec-5937
[Bug 2093322] Re: [MIR] azure-vm-utils
Review for Source Package: azure-vm-utils

[Summary]
The package is in good shape. The only problem is the lack of tests.
There is sufficient explanation in the bug description why testing is
challenging at build or autopkgtest due to the infrastructure required.
CPC team commits to test it and a plan is in place.
Therefore the lack of tests is not a blocker for promotion.

The package provides a utility to identify nvme disks in azure, issuing
NVME_IOCTL_ADMIN_CMD commands. Therefore I would suggest a security check.
The code base is tiny (less than 500 lines of C code).

MIR team ACK

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: azure-vm-utils
Specific binary packages built, but NOT to be promoted to main: None

Notes:
- The package should get a team bug subscriber before being promoted

[Rationale, Duplication and Ownership]
There is no other package in main providing the same functionality.
CPC team is committed to own long term maintenance of this package.
The rationale given in the report seems valid and useful for Ubuntu

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
- this makes appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...)

Problems: None

[Common blockers]
OK:
- does not FTBFS currently
- This does seem to need special HW for build or test so it can't be automatic at build or autopkgtest time. But as outlined by the requester in [Quality assurance - testing] there:
  - is hardware and a test plan or code
- no new python2 dependency

Problems:
- does not have a test suite that runs at build time

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems: None

** Changed in: azure-vm-utils (Ubuntu)
     Assignee: Ioanna Alifieraki (joalif) => (unassigned)

** Changed in: azure-vm-utils (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
[Bug 2093322] Re: [MIR] azure-vm-utils
** Description changed:

[Availability]
The package azure-vm-utils is already in Ubuntu universe.
The package azure-vm-utils builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64,arm64,armhf,ppc64el,riscv64,s390x
Link to package https://launchpad.net/ubuntu/+source/azure-vm-utils
PPA for the proposed package: https://launchpad.net/~mirespace/+archive/ubuntu/azure/+packages
https://launchpad.net/~mirespace/+archive/ubuntu/azure/+sourcepub/16868631/+listing-archive-extra

[Rationale]
The package azure-vm-utils is required in Ubuntu main for enhancing the experience of the users of our Azure images using NVMe devices nowadays: this package provides a home for core utilities, udev rules and other configuration to support Linux VMs on Azure.

The package azure-vm-utils will not generally be useful for a large part of our user base, but is important/helpful still because the users of our Azure images will have in this package any essential udev rules & relevant utilities.

Package azure-vm-utils covers the same use case as walinuxagent for SCSI devices, but there is a plan in the near future to decouple that from walinuxagent [1]. Therefore, we want to be ready for when that transition occurs to prevent the impact in our users.

Additionally new use-cases enabled by this are the automatic support of NVMe devices in Azure images.

Additional reasons are that users who only need the dev rules don't need the heavy load of the agent and can get that through this light azure-vm-utils package.

There is no other/better way to solve this that is already in main or should go universe->main instead of this.

The binary package azure-vm-utils needs to be in main to be available in our official Azure cloud images by default.

The package azure-vm-utils is required in Ubuntu main no later than this cycle (target is release of 25.04) due to the transition of the udev rules from walinuxagent to vm-azure-utils.

[Security]
No CVEs/security issues in this software in the past

No `suid` or `sgid` binaries

Binary azure-nvme in /usr/sbin is no problem because it is not suid/sgid; it is a query tool over the NVME namespace to enumerate Microsoft Azure NVMe controllers that could be executed in command line and from the udev rules file that the package installs.

Package does not install services, timers or recurring jobs

Security has been kept in mind and common isolation/risk-mitigation patterns are in place by the security of Windows Azure Cloud (IaaS) itself, being tangential to it.

Package does not open privileged ports (ports < 1024).

Package does not expose any external endpoints, although it elaborates LUN calculation for user's data disks by namespace identifier through the MSFT NVMe Accelerator v1.0 controllers when the NVMe device is remote. This is done in the udev rules file installed by the package.

Package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
The package works well right after install

[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs (also because it was accepted in Debian recently -Oct 12, 2024- and first released version in upstream happened in Feb 12, 2024):
- Ubuntu (0) https://bugs.launchpad.net/ubuntu/+source/azure-vm-utils/+bug
- Debian (0) https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=azure-vm-utils
- Upstream's bug tracker (1) https://github.com/Azure/azure-vm-utils/issues
  + Upstream's repo last activity:
    - last commit: in main, Nov 26, 2024
    - Issues without answer: 1
    - Updated issue/PR: Dec 10, 2024
    - last fixed/closed/merged issue: Nov 26, 2024
    - last merged PR: Mar 30, 2015

The package has no important/old open bugs on upstream.

The package does deal with exotic hardware, such hardware is available to the team for debugging, test, verification and development via Azure cloud providers

[Quality assurance - testing]
- The package does not run a test at build time
- The package does not run an autopkgtest, but the proposed package includes a trivial one based on upstream's GitHub CI for the deb package [2]. It passes:

    autopkgtest [13:00:04]: test installation: [---
    Checking files provided by the package are present
    Checking binary is present and its usefulness
    azure-nvme-id 0.4.0-2
    autopkgtest [13:00:05]: test installation: ---]
    autopkgtest [13:00:06]: test installation: - - - - - - - - - - results - - - - - - - - - -
    installation PASS (superficial)
    autopkgtest [13:00:06]: summary
    installation PASS (superficial)
[Bug 2093322] Re: [MIR] azure-vm-utils
** Changed in: azure-vm-utils (Ubuntu)
     Assignee: (unassigned) => Ioanna Alifieraki (joalif)
[Bug 2093322] Re: [MIR] azure-vm-utils
** Description changed: [Availability] - TODO: The package TBDSRC is already in Ubuntu universe. - TODO: The package TBDSRC build for the architectures it is designed to work on. - TODO: It currently builds and works for architectures: TBD - TODO: Link to package https://launchpad.net/ubuntu/+source/TBDSRC + The package azure-vm-utils is already in Ubuntu universe. + The package azure-vm-utils build for the architectures it is designed to work on. + It currently builds and works for architectures: amd64,arm64,armhf,ppc64el,riscv64,s390x + Link to package https://launchpad.net/ubuntu/+source/azure-vm-utils + PPA for the proposed package: https://launchpad.net/~mirespace/+archive/ubuntu/azure/+packages + https://launchpad.net/~mirespace/+archive/ubuntu/azure/+sourcepub/16868631/+listing-archive-extra [Rationale] - RULE: There must be a certain level of demand for the package - TODO: - The package TBDSRC is required in Ubuntu main for TBD - TODO-A: - The package TBDSRC will generally be useful for a large part of - TODO-A: our user base - TODO-B: - The package TBDSRC will not generally be useful for a large part of - TODO-B: our user base, but is important/helpful still because TBD - TODO: - Additional reasons TBD - TODO: - Additionally new use-cases enabled by this are TBD - TODO: - Package TBDSRC covers the same use case as TBD, but is better - TODO: because TBD, thereby we want to replace it. - TODO: - The package TBDSRC is a new runtime dependency of package TBD that - TODO: we already support - RULE: Sometimes there are other/better ways, often are achieved by using a - RULE: library with similar functionality that is more commonly used and - RULE: thereby already in main or a better candidate to promote. 
- RULE: Reducing the set of supported software in Ubuntu helps to focus on the - RULE: right things, otherwise Ubuntu developers will be consumed by updating - RULE: many variations of the same - wasting valuable time that could be better - RULE: spent elsewhere. - RULE: If there are other packages in the archive that are close, but unable to - RULE: address the problem you might spend some time explaining what exists and - RULE: why it isn't a sufficient alternative. - TODO: - There is no other/better way to solve this that is already in main or - TODO: should go universe->main instead of this. - RULE: You truly need to understand the difference between main and universe - RULE: in general and in the context of changed rules (build-depends) and - RULE: constraints (Ubuntu Pro made it less of a difference in many cases). - RULE: We have seen requests that were mostly based on old "I said supported (a - RULE: weakly defined term to begin with) in a contract, so it has to be in main" - RULE: feelings, but with sometimes no true reason - neither technically nor - RULE: helping the user base of Ubuntu. Hence we need to ask for that clearly. - TODO: - The binary package TBD needs to be in main to achieve TBD + The package azure-vm-utils is required in Ubuntu main for enhacing the experience of the users of our Azure images using NVMe devices nowadays: this package provides a home for core utilities, udev rules and other configuration to support Linux VMs on Azure. + The package azure-vm-utils will not generally be useful for a large part of our user base, but is important/helpful still because the users of our Azure images will have in this package any essential udev rules & relevant utilities. + Package azure-vm-utils covers the same use case as walinuxagent for SCSI devices, but there is a plan in the near future to decouple that from walinuxagent [1]. Therefore, + we want to be ready for when that transition occurs to prevent the impact in our users. 
+ Additionally new use-cases enabled by this are the automatic support of NVMe devices in Azure images. + Aditional reasons are that users who only need the dev rules don't need the heavy load of the agent and can get that throught this light azure-vm-utils package. + There is no other/better way to solve this that is already in main or should go universe->main instead of this. + The binary package azure-vm-utils needs to be in main to be available in our official Azure cloud images by default. - RULE: Reviews will take some time. Also the potential extra work out of review - RULE: feedback from either MIR-team and/or security-team will take time. - RULE: For better prioritization it is quite helpful to clearly state the - RULE: target release and set a milestone to the bug task. - RULE: When doing so do not describe what you "wish" or "would like to have". - RULE: Only milestones that are sufficiently well-founded and related to - RULE: major releases will be considered - TODO-A: - The package TBDSRC is required in Ubuntu main no later than TBD - TODO-A: due to TBD - TODO-B: - It would be great and useful to community/processes to have the - TODO-B: package TBD in Ubuntu main, but th