I reviewed heat-dashboard version 1.4.0-0ubuntu1 as checked into cosmic.
This shouldn't be considered a full audit but rather a quick gauge of
maintainability.

heat-dashboard is a web interface to the heat openstack orchestration
tool, which can help spin up repeatable instances of guests and networks.

- No CVEs in our database
- Huge list of build-depends, long enough I'll skip pasting it here
- pre/post inst/rm scripts mostly automatically added, but there is a
  section to "compress the JS and CSS"[1] that also uses a recursive
  chown. This is dangerous on many kernels.
- No init scripts
- No systemd units
- No dbus services
- No setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- There are some tests but I didn't see their results in the logs
- No cron jobs
- lintian failure in the build logs[2]

- No processes spawned
- No file IO
- Minimal logging, looked fine
- No environment use
- No privileged functions
- Random numbers are generated in Javascript for some reason; using safe
  sources before falling back to unsafe sources
- OpenStack settings OPENSTACK_SSL_NO_VERIFY and OPENSTACK_SSL_CACERT can
  configure TLS verification and trust root
- No temp files
- Extensive networking via django; a handful of inspected methods looked
  properly defensive
- No WebKit
- No PolicyKit

I also found and reported a potential problem with incorrectly escaped
URLs: https://storyboard.openstack.org/#!/story/2004454
I can't tell if this would break anything important or not.

Security team ACK for promoting heat-dashboard to main. I'd like to see
the chown -R removed but don't know what to suggest in its place.

Thanks


[1]: Note especially the 'chown -R' command; on kernels that follow
hardlinks from one uid to another, this can allow horizon to gain
ownership of any other files on the filesystem.

if [ "$1" = "configure" ] ; then
        # Compress the JS and CSS with python-compressor and python-lesscpy
        python /usr/share/openstack-dashboard/manage.py collectstatic --clear --noinput
        python /usr/share/openstack-dashboard/manage.py compress --force
        if [ -f '/var/lib/openstack-dashboard/secret-key/.secret_key_store' ]; then
                rm -f /var/lib/openstack-dashboard/secret-key/.secret_key_store
        fi
        if [ -d /var/lib/openstack-dashboard ]; then
                chown -R horizon:horizon /var/lib/openstack-dashboard
        fi
fi

[2]:
E: heat-dashboard source: source-is-missing xstatic/pkg/js_yaml/data/js-yaml.js line length is 846 characters (>512)
E: heat-dashboard source: source-is-missing heat_dashboard/static/dashboard/project/heat_dashboard/template_generator/js/libs/angular-material.js line length is 1539 characters (>512)
W: python-heat-dashboard: priority-extra-is-replaced-by-priority-optional
W: python-heat-dashboard: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:13
W: python3-heat-dashboard: priority-extra-is-replaced-by-priority-optional
W: python3-heat-dashboard: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:13
W: heat-dashboard-common: priority-extra-is-replaced-by-priority-optional
E: heat-dashboard-common: python-package-missing-depends-on-python
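A hardlink-aware alternative to the `chown -R` step quoted in [1], added here as an illustration; it is not code from the heat-dashboard package or from this review. It refuses to change ownership of any file with more than one link, never follows symlinks or crosses mount points, and exposes a check of the fs.protected_hardlinks sysctl. The demo builds a constructed temporary tree and passes uid/gid -1 (no ownership change) so it runs unprivileged.

```python
import os
import stat
import tempfile


def protected_hardlinks_enabled():
    """True/False for fs.protected_hardlinks, or None where the sysctl is absent."""
    try:
        with open("/proc/sys/fs/protected_hardlinks") as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def safe_chown_tree(root, uid, gid):
    """Chown root and its contents, skipping symlinks, other filesystems and any
    file with st_nlink > 1 (a possible hardlink to a file outside the tree).
    Returns (changed, skipped). Note: lstat-then-lchown is still racy; a
    fully race-free version would use dir_fd-relative operations."""
    changed, skipped = [], []
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        keep = []
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode) or st.st_dev != root_dev:
                skipped.append(path)        # symlink or mount point: do not descend
                continue
            os.lchown(path, uid, gid)
            changed.append(path)
            keep.append(name)
        dirnames[:] = keep                  # prune what os.walk descends into
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode) or st.st_dev != root_dev or st.st_nlink > 1:
                skipped.append(path)        # hardlinked: chown would leak outside tree
                continue
            os.lchown(path, uid, gid)
            changed.append(path)
    os.lchown(root, uid, gid)
    changed.append(root)
    return changed, skipped


def demo():
    """Constructed tree: one plain file, one file hardlinked from outside the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        tree, outside = os.path.join(tmp, "tree", "data"), os.path.join(tmp, "victim")
        os.makedirs(tree)
        open(outside, "w").close()
        open(os.path.join(tree, "plain.txt"), "w").close()
        os.link(outside, os.path.join(tree, "linked"))   # st_nlink becomes 2
        return safe_chown_tree(os.path.join(tmp, "tree"), -1, -1)
```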


** Changed in: heat-dashboard (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1750576

Title:
  [MIR] heat-dashboard
