I reviewed ntirpc 3.0-0ubuntu2 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

ntirpc is a fork of the existing libtirpc library providing RPC services for nfs-ganesha and others.

- CVE History:
  - Only 1 past CVE against ntirpc
    - CVE-2017-8779
    - was fixed reasonably quickly
  - This shares a lot of code with libtirpc which has had 5 CVEs (including CVE-2017-8779) so I checked these against ntirpc:
    - CVE-2013-1950
      - ntirpc *might* be vulnerable to this - this needs more thorough code review
    - CVE-2018-14621
      - ntirpc is not vulnerable
    - CVE-2018-14622
      - ntirpc is not vulnerable
    - CVE-2016-4429
      - ntirpc appears to also be vulnerable to this - I have marked this as such in our CVE tracker
  - I have updated our CVE tracker so that all CVEs triaged against libtirpc will also get triaged against ntirpc due to the amount of similar code between the two so that future CVEs don't get missed
- No significant Build-Depends
  - cmake, libkrb5-dev, libjemalloc-dev, liburcu-dev
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- No autopkgtests
- Very simple tests run during build (tests/rpcping)
  - This exercises the high-level interfaces of the library
- No cron jobs
- Build logs are clean
- No Processes spawned
- Memory management appears to be careful and deliberate
- Minimal file IO using hard-coded file paths to root-owned files
- Logging is careful
- The only environment variable used is NETPATH and this appears to be done carefully
- No use of privileged functions
- No use of cryptography / random number sources etc
- No use of temp files
- Network handling appears to be pretty good
  - Takes care to track buffer sizes and carefully decodes remote data
- No use of WebKit
- No Use of PolicyKit
- Significant static analysis results
  - cppcheck identifies a possible NULL pointer dereference in the City hash code:
    - src/city.c:412:30: note: Calling function 'CityHash128WithSeed', 1st argument 'NULL' value is 0
    - src/city.c:339:46: note: Calling function 'Fetch64', 1st argument 's' value is 0
    - src/city.c:91:9: note: Calling function 'UNALIGNED_LOAD64', 1st argument 'p' value is 0
    - src/city.c:43:18: note: Null pointer dereference
    - (i.e. due to the call to CityHash128WithSeed(NULL,...) this could result in an eventual call to memcpy with that NULL as the src argument)
  - coverity identifies a number of issues around handling of locks - some of these appear to be false positives but others could potentially be real issues - see attached for the full list of defects.

In general, ntirpc appears to be well maintained and does not appear to have any obvious security issues. Other than the fact that this duplicates a lot of code from libtirpc, no objection from the Security Team for promoting this to main - we have updated our CVE tracker so that any future CVEs against libtirpc will get automatically assigned to ntirpc as well so that we do not miss any other possible future CVEs for this.

Security team ACK for promoting ntirpc to main - I suggest however that the list of Coverity defects be examined in more detail since some indicate the chance of dead-lock which would not be a good outcome for users of ntirpc.

** Changed in: nfs-ganesha (Ubuntu)
   Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1950

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4429

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8779

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14621

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14622

https://bugs.launchpad.net/bugs/1843403

Title:
  [MIR] nfs-ganesha, ntirpc