I reviewed ippusbxd version 1.21.2-1 as checked into wily; this shouldn't be considered a full security audit but rather a quick gauge of maintainability.
- ippusbxd implements the usb-ipp standardized printer bridge; udev rules
  start the daemon when a supported printer is plugged in, exposing the
  printer to loopback interfaces.
- Build-Depends: debhelper, libusb-1.0-0-dev, cmake, pkg-config, dh-apparmor
- Provides a daemon
  - start_daemon() does not properly daemonize:
    - doesn't set umask()
    - doesn't setsid()
    - doesn't chdir(/)
    - doesn't set signals to expected dispositions
- pre,post inst,rm scripts all automatically generated
- No initscripts
- No dbus services
- No setuid executables
- One executable, /usr/sbin/ippusbxd
- No sudo fragments
- No udev rules -- they must be packaged elsewhere?
- No tests
- No cronjobs
- One warning in build log looks harmless
- No subprocesses spawned
- Memory management looked careful
- No files are written to
- Logging looked safe
- No environment variables
- No privileged operations
- No cryptography
- No privileged portions of code
- No temporary file use
- No WebKit
- No javascript
- No policykit
- Clean cppcheck

The code quality is good, with a few caveats: the software doesn't properly daemonize at startup; and the AppArmor profile doesn't look like it's been used lately.

Till was very responsive to the in6addr_any issue and associated requests.

Here are the remaining issues that I found; they may or may not be important enough to fix, though the AppArmor profile probably needs to be updated to allow the daemon to function:

- AppArmor profile needs to be updated
- usb_conn_acquire(), typo in text that may be user-visible, "aloc"
- there appears to be no way to stop the usb_pump_events() thread
- Really should setsid(), chdir(/), and set signal dispositions for reliable
  operation (umask is less important since the daemon creates no files)

Security team ACK to promote ippusbxd to main.

Thanks
https://bugs.launchpad.net/bugs/1455644
Title: [MIR] ippusbxd
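
The four steps the review lists as missing from start_daemon() (umask, setsid, chdir, signal dispositions), as an added C example that is not ippusbxd's code and not part of the original message. The function names, the signal list and the 022 mask are assumptions; the self-check forks a child that starts with SIGHUP ignored, so the test shows inherited state actually being cleared.

```c
/* Added example, not ippusbxd code; names, signal list and mask are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run in the forked child: setsid() fails for a process-group leader. */
int daemon_child_setup(void)
{
    static const int sigs[] = { SIGHUP, SIGINT, SIGTERM, SIGPIPE, SIGCHLD };
    struct sigaction sa;
    sigset_t none;

    if (setsid() < 0) return -1;    /* own session, no controlling terminal */
    if (chdir("/") < 0) return -1;  /* do not keep the start directory busy */
    umask(022);                     /* assumed mask; the daemon creates no files */

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_DFL;        /* discard dispositions inherited from the parent */
    sigemptyset(&sa.sa_mask);
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sigaction(sigs[i], &sa, NULL) < 0)
            return -1;
    sigemptyset(&none);             /* and any inherited blocked-signal mask */
    return sigprocmask(SIG_SETMASK, &none, NULL);
}

/* Fork, run the setup in the child, verify it: 0 or the first failed check. */
int daemon_selfcheck(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) {
        char cwd[8];
        struct sigaction cur;
        signal(SIGHUP, SIG_IGN);    /* simulate a start with SIGHUP ignored */
        if (daemon_child_setup() < 0) _exit(1);
        if (getsid(0) != getpid()) _exit(2);
        if (!getcwd(cwd, sizeof cwd) || strcmp(cwd, "/") != 0) _exit(3);
        if (sigaction(SIGHUP, NULL, &cur) < 0 || cur.sa_handler != SIG_DFL) _exit(4);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```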