I reviewed gnome-remote-desktop 0.1.7-1 as checked into eoan. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

gnome-remote-desktop is a remote desktop daemon for GNOME using VNC with
pipewire. It is supposed to work with both X and Wayland.

- No CVEs.
Also examined the git histories at both
        * https://gitlab.gnome.org/jadahl/gnome-remote-desktop
        * https://salsa.debian.org/gnome-team/gnome-remote-desktop
- Build-Depends: debhelper (>= 11), gnome-pkg-tools, libglib2.0-dev,
  libnotify-dev, libpipewire-0.2-dev, libsecret-1-dev, libvncserver-dev,
  meson (>= 0.36.0)
**Note: Uses meson build system
- No Debian pre/post inst/rm scripts. However, there is a meson_post_install.py 
script that appears to compile gsettings schemas.
- No init scripts.
- There is a systemd service unit file installed in /usr/lib/systemd/user 
directory. It is used to start the daemon.
- Appears to use glib bindings for dbus. Uses introspection data format and is
  used for both screen casting and remote desktop. The remote desktop uses dbus
  to create, start, and stop remote desktop sessions. Notifications for pointer
  button motions and whether pressed. Notification if a key identified by a
  keysym was pressed.
- Remote desktop driven screen casts are started and stopped by the remote 
desktop session using
dbus. Also uses dbus to record a monitor during the screen cast.
- No setuid/setgid binaries nor in the code.
- Nothing added to PATH.
- No sudo fragments.
- No udev rules.
- No testcases. However, when I looked upstream, a few have been added.
  https://gitlab.gnome.org/jadahl/gnome-remote-desktop/tree/master/tests
- No cron jobs.
- Build logs showed a successful build, but there were the following warnings:
   Binary packages built successfully but there was the  following warning(s):
   dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:NextVersion} unused, but is defined
   dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:Version} unused, but is defined
   dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:NextVersion} unused, but is defined
   dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:Version} unused, but is defined

  -Error during source build:
dh clean --with gnome --buildsystem=meson
dh: Sorry, but 10 is the highest compatibility level supported by this debhelper.
debian/rules:7: recipe for target 'clean' failed
make: *** [clean] Error 25
dpkg-buildpackage: error: fakeroot debian/rules clean gave error exit status 2
debuild: fatal error at line 1376:
dpkg-buildpackage -rfakeroot -d -us -uc -S failed
FAIL

- No spawned processes.
- Memory management uses quite a bit of glib memory mgmt calls. They all seem
  to be used ok.
- No File IO issues.
- Logging uses glib logging and looks ok.
- Environment variable usage looks ok and only one is used to enable debugging.
- No privileged functions.
- This app uses libsecret for password storage and lookup.
  Calls into libsecret to get and store encrypted passwords.
  Uses libvncserver to encrypt keys for storage. Uses 3DES encryption algo.
  Encrypts user password and then compares it with the stored one to validate.
- No temp files.
- For networking, uses libpipewire for data transfer when doing screen casting.
  Using glib calls, vnc server listens on a socket|port for all interfaces.
  It seems to handle only one session on the listening socket. Could not get
  it to work to test that out. The socket handling seems ok.
- Does not use WebKit
- Does not seem to use PolicyKit
- Clean cppcheck

MISC NOTES
Authentication seems to be permitted in 1 of 2 ways:
1. password authentication
2. prompting - that is, the user is alerted that someone wants to connect and
   whether they will give permission or not.

The hardening-check tool reported,
Fortify Source functions: no, only unprotected functions found!

The old Free Software Foundation address is used in many of the source
files.

A lintian warning about debian/control
W: gnome-remote-desktop source: newer-standards-version 4.3.0 (current is 3.9.7)
(but googling reported latest version is 4.3.0.3)

The debian/control has the following sentence in it,
"This feature will not work on Ubuntu until mutter is recompiled
 with the remote desktop option enabled."

Security team ACK only on condition that it works, and help preparing updates 
and testing.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1802614

Title:
  [MIR] gnome-remote-desktop

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-remote-desktop/+bug/1802614/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
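
Added example, not part of the original review and not code from gnome-remote-desktop: the review notes that the VNC server listens on all interfaces, and this sketch checks for that condition by parsing the Linux /proc/net/tcp table. The port 5900 (conventional VNC port) is an assumption not stated in the review, and the sample rows are constructed.

```python
"""Flag TCP listeners bound to the wildcard address (Linux /proc/net/tcp format)."""
import os

LISTEN = "0A"    # TCP_LISTEN state code used in /proc/net/tcp
VNC_PORT = 5900  # assumption: conventional VNC port, not stated in the review

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:170C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:170C 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 41005 1 0000000000000000 20 4 30 10 -1
"""

def parse_listeners(text):
    """Return (addr_hex, port, uid, inode) for each socket in LISTEN state."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:   # skips header and non-listening rows
            continue
        addr_hex, port_hex = f[1].rsplit(":", 1)
        found.append((addr_hex, int(port_hex, 16), int(f[7]), int(f[9])))
    return found

def wildcard_listeners(text, port=None):
    """Listeners on 0.0.0.0 or :: (address all zeros), optionally one port."""
    return [(p, uid, inode) for addr, p, uid, inode in parse_listeners(text)
            if set(addr) == {"0"} and (port is None or p == port)]

def scan_host(port=None):
    """Run the same check against the live IPv4 and IPv6 tables."""
    hits = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as fh:
                hits += wildcard_listeners(fh.read(), port)
    return hits

if __name__ == "__main__":
    for p, uid, inode in wildcard_listeners(SAMPLE, VNC_PORT):
        print(f"port {p} listens on all interfaces (uid {uid}, inode {inode})")
```

The uid and inode columns let the listener be tied back to the owning user session and process.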
