I reviewed ntirpc 3.0-0ubuntu2 as checked into focal.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

ntirpc is a fork of the existing libtirpc library providing RPC services
for nfs-ganesha and others.

- CVE History:
  - Only 1 past CVE against ntirpc
    - CVE-2017-8779 - was fixed reasonably quickly
  - This shares a lot of code with libtirpc which has had 5 CVEs (including
    CVE-2017-8779) so I checked these against ntirpc:
    - CVE-2013-1950 - ntirpc *might* be vulnerable to this - this needs
      more thorough code review
    - CVE-2018-14621 - ntirpc is not vulnerable
    - CVE-2018-14622 - ntirpc is not vulnerable
    - CVE-2016-4429 - ntirpc appears to also be vulnerable to this - I have
      marked this as such in our CVE tracker
  - I have updated our CVE tracker so that all CVEs triaged against
    libtirpc will also get triaged against ntirpc due to the amount of
    similar code between the two so that future CVEs don't get missed
- No significant Build-Depends
  - cmake, libkrb5-dev, libjemalloc-dev, liburcu-dev
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- No autopkgtests
- Very simple tests run during build (tests/rpcping)
  - This exercises the high-level interfaces of the library
- No cron jobs
- Build logs are clean

- No processes spawned
- Memory management appears to be careful and deliberate
- Minimal file IO using hard-coded file paths to root-owned files
- Logging is careful
- The only environment variable used is NETPATH and this appears to be done
  carefully
- No use of privileged functions
- No use of cryptography / random number sources etc
- No use of temp files
- Network handling appears to be pretty good
  - Takes care to track buffer sizes and carefully decodes remote data
- No use of WebKit
- No use of PolicyKit

- Significant static analysis results
  - cppcheck identifies a possible NULL pointer dereference in the City
    hash code:
    - src/city.c:412:30: note: Calling function 'CityHash128WithSeed', 1st argument 'NULL' value is 0
    - src/city.c:339:46: note: Calling function 'Fetch64', 1st argument 's' value is 0
    - src/city.c:91:9: note: Calling function 'UNALIGNED_LOAD64', 1st argument 'p' value is 0
    - src/city.c:43:18: note: Null pointer dereference
    - (i.e. due to the call to CityHash128WithSeed(NULL,...) this could
      result in an eventual call to memcpy with that NULL as the src
      argument)
  - Coverity identifies a number of issues around handling of locks - some
    of these appear to be false positives but others could potentially be
    real issues - see attached for the full list of defects.

In general, ntirpc appears to be well maintained and does not appear to
have any obvious security issues. Other than the fact that this duplicates
a lot of code from libtirpc, no objection from the Security Team for promoting
this to main - we have updated our CVE tracker so that any future CVEs
against libtirpc will get automatically assigned to ntirpc as well so that
we do not miss any other possible future CVEs for this.

Security team ACK for promoting ntirpc to main - I suggest however that the
list of Coverity defects be examined in more detail since some indicate the
chance of deadlock, which would not be a good outcome for users of ntirpc.


** Changed in: nfs-ganesha (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1950

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4429

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8779

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14621

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14622

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1843403

Title:
  [MIR] nfs-ganesha, ntirpc
