I reviewed python-rtslib-fb 2.1.71-0ubuntu1 as checked into focal.  This 
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

python-rtslib-fb is a programmatic interface to the Linux kernel's LIO 
target. Working with Python objects causes writes to the kernel's 
/sys/kernel/config/target interface.

It also provides an executable to save the live config to a file on 
service shutdown, and load the config into the running kernel on service 
start.

- No CVEs in our database; when I reported a low severity problem, a fix
  was committed 13 hours later.
- Build-Depends?
  - debhelper-compat (= 9), dh-python, openstack-pkg-tools (>= 99~),
    python3-all, python3-setuptools, python3-six
- pre/post inst/rm scripts?
  - postrm script improperly removes the alternatives entry against
    policy -- it should be called from prerm instead:
    https://lintian.debian.org/tags/maintainer-script-should-not-use-update-alternatives-remove.html
  - py3compile command isn't guarded with || true; -- is this correct?
- init scripts?
  - initscript has multiple shellcheck warnings
  - race condition combined with busy-wait "sleep"
- systemd units?
  - Creates directory with ExecStart=mkdir -p rather than 
    ConfigurationDirectory= directive
- No dbus config
- No setuid executables
- new binary targetctl in PATH
- No sudo fragments
- No polkit rules
- No udev rules
- Very small number of tests -- as doctests -- and I can't tell if they 
  run during the build or not
- No cron jobs
- Lintian warnings and errors reported
- Spawns a subprocess to perform module loading -- the subprocess itself 
  looks fine, but the module loading feels out of place. There is probably
  a better way to do this.
- File IO is used extensively; some small helper functions are written to
  make it look easy. The tool works extensively in a virtual filesystem 
  meant to configure things.
- Very little logging
- No environment variable use
- While this performs privileged operations, it mostly does so via read 
  and write -- and the "modprobe" Popen.
- No cryptography
- No temp files
- No networking
- No webkit
- No policykit

While reading the code I found a low-severity issue and reported it:
https://github.com/open-iscsi/rtslib-fb/issues/161
Upstream checked in a fix in 13 hours.

The systemd unit file uses an explicit mkdir call rather than using a 
declarative setting.

The postrm/prerm scripts need work.

Security team ACK for promoting python-rtslib-fb to main. I'd like the 
security fix and the packaging issues fixed before this package is 
promoted.

Thanks


** Bug watch added: github.com/open-iscsi/rtslib-fb/issues #161
   https://github.com/open-iscsi/rtslib-fb/issues/161

** Changed in: python-rtslib-fb (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1854362

Title:
  [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb,
  urwid, targetcli-fb
