I reviewed sshfs-fuse version 2.10+repack-2 as checked into disco. This should not be considered a full security audit, but rather a quick gauge of maintainability.
- sshfs is a fuse file system that allows you to mount a remote filesystem using SFTP.
- There are no prior CVEs against sshfs.
- sshfs daemonizes by calling fuse_daemonize()
- Build Depends: debhelper, libglib2.0-dev, libfuse-dev, pkg-config, meson, python3, python3-pytest
- no initscripts
- no dbus services
- no setuid files
- no sudo fragments
- no udev rules
- There is a test suite; it is not run during the build. I recommend some autopkg tests be written that run the test suite. While the test suite omits a few important file system functions, it is reasonably complete.
- no cronjobs
- Logging functions are careful when using fprintf
- The code was generally defensive and took proactive steps to avoid security vulnerabilities.
- Memory management is careful; allocated memory is quickly freed when it is no longer needed. Bounds are checked before allocating or copying memory.
- Leverages SSH for cryptographic needs
- The project seems well maintained. Point releases or minor versions are released every few months. There are many years between major version upgrades, indicating that backporting fixes may be feasible over the life of an Ubuntu LTS release.
- Hardening flags were enabled at compile time
- 2.10 is the latest on the 2.x branch (Aug 2017), however 3.5.1 is the latest release. I recommend we update to the latest version.
- A few warnings were issued during build. An issue has been submitted to the upstream developers on github.com regarding the warning in sshfs.c.

    meson.build:42: WARNING: The variable(s) 'UNMOUNT_COMMAND' in the input file 'sshfs.1.in' are not present in the given configuration data.
    WARNING: Project targetting '>= 0.38' but tried to use feature introduced in '0.40.0': build_by_default arg in custom_target
    WARNING: Project specifies a minimum meson_version '>= 0.38' but uses features which were added in newer versions:
    ../sshfs.c:1385:44: warning: cast between incompatible function types from ‘int (*)(void *, struct request *)’ to ‘gboolean (*)(void *, void *, void *)’ {aka ‘int (*)(void *, void *, void *)’} [-Wcast-function-type]

- The sshfs.randseed variable is initialized using time(0). An attacker could potentially guess the random seed based on the time that the sshfs process was started and therefore create files in /tmp/ that would lead to a DoS. The risk and impact of this is very low.
- does not use WebKit
- does not use PolicyKit
- does not use Javascript

Security team ACK for promoting sshfs-fuse to main.

** Changed in: sshfs-fuse (Ubuntu)
   Assignee: Mike Salvatore (mikesalvatore) => (unassigned)

https://bugs.launchpad.net/bugs/1783317

Title: [MIR] sshfs-fuse
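
The time(0) seeding point in the review, as an added example (not sshfs code and not part of the original message): a name suffix derived only from a start-time seed is the same for anyone who uses the same second, while a suffix from the kernel CSPRNG, or a file created with mkstemp(), is not. The function names, the alphabet, the sample seed and the /tmp template are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/random.h>

#define SUFFIX_LEN 8
/* 32 symbols, so "% 32" on a random byte introduces no modulo bias. */
static const char ALPHABET[] = "abcdefghijklmnopqrstuvwxyz234567";

/* Weak pattern: the whole suffix is a function of the seed alone. */
static void suffix_from_seed(unsigned int seed, char out[SUFFIX_LEN + 1])
{
    for (int i = 0; i < SUFFIX_LEN; i++)
        out[i] = ALPHABET[rand_r(&seed) % 32];
    out[SUFFIX_LEN] = '\0';
}

/* Hardened: suffix bytes come from the kernel CSPRNG. Returns 0 on success. */
static int suffix_from_kernel(char out[SUFFIX_LEN + 1])
{
    unsigned char raw[SUFFIX_LEN];
    if (getrandom(raw, sizeof raw, 0) != (ssize_t)sizeof raw)
        return -1;
    for (int i = 0; i < SUFFIX_LEN; i++)
        out[i] = ALPHABET[raw[i] % 32];
    out[SUFFIX_LEN] = '\0';
    return 0;
}

int main(void)
{
    char a[SUFFIX_LEN + 1], b[SUFFIX_LEN + 1], c[SUFFIX_LEN + 1];
    unsigned int start = (unsigned int)time(NULL); /* stands in for process start */
    suffix_from_seed(start, a);
    suffix_from_seed(start, b); /* a second computation from the same second */
    printf("time-seeded: %s %s (identical: %s)\n", a, b, strcmp(a, b) ? "no" : "yes");
    if (suffix_from_kernel(c) == 0)
        printf("kernel CSPRNG: %s\n", c);
    /* For local temp files, mkstemp() picks the name and opens it with O_EXCL. */
    char tmpl[] = "/tmp/example-XXXXXX"; /* constructed path for this example */
    int fd = mkstemp(tmpl);
    if (fd >= 0) {
        printf("mkstemp: %s\n", tmpl);
        close(fd); unlink(tmpl);
    }
    return 0;
}
```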