I reviewed ostree 2020.8-2 as checked into hirsute. This shouldn't be considered a full audit but rather a quick gauge of maintainability. I didn't make any effort to find which portion of the sources correspond with the exact binary package that is under discussion.
ostree is a tool to manage giant farms of hardlinks and boot configurations with a goal of providing transactional system updates, complete with chain-of-trust using gpg. I did not inspect ostree from this perspective at all -- the security team is not interested in supporting ostree as a system management tool.

- CVE History: None in our database
- Build-Depends? Includes gpg, libgpgme-dev, among others
- pre/post inst/rm scripts? The ostree and ostree-boot package maintainer scripts have some dracut and grub configuration file handling, systemd service management, and will update the initramfs
- init scripts? None
- systemd units? Not inspected, only in ostree-boot and ostree-tests
- dbus services? None
- setuid binaries? None
- sudo fragments? None
- polkit files? None
- udev rules? None
- unit tests / autopkgtests? Some tests run during the build, not inspected
- cron jobs? None
- Build logs: A lot of doc warnings; nothing code-related stood out
- Processes spawned? A lot of process spawning; some using arrays, some using strings with quoted filenames (presumably so the user could put pipelines into EDITOR or VISUAL environment variables)
- Memory management? Stack allocation is used a lot more often than I'd like. Because it's C, there's necessarily a lot of memory management and some of it is very fiddly. I'm pretty sure I found bugs, though maybe they just lead to crashes and memory leaks.
- File IO? Extensive file IO -- some file operations rely upon umask having a sane value for the files to have sane permissions. File paths come from packages. A lot of operations are done on files as instructed by whatever is the equivalent of packages -- xattrs, setuid/setgid bits, etc. It's basically a full package manager tool. The inputs must be safe.
- Logging? Extensive logging; I did spot-checks and didn't find errors.
- Environment variable usage? Moderate use, some are validated and some are used as-is without any verification at all. Probably fine.
- Use of privileged functions? Extensive. ostree is a general system management tool. Spot checks of calls looked careful but I did not do full call hierarchy checks to see if all inputs to privileged functions were properly sanitized.
- Use of cryptography / random number sources etc? Uses an embedded soup to do some https validation. It wasn't obvious that it's correct but it did go to effort to pass the system CA store, so someone at least tried.
- Use of temp files? I'm slightly worried about the random number use for XXXXXX files; it is using a non-cryptographic tool. It's probably fine and I'm a worry-wart.
- Use of networking? Yes, some, I didn't closely inspect it. What I did see looked primarily client-oriented rather than server-oriented
- Use of WebKit? None
- Use of PolicyKit? None
- Any significant cppcheck results? None
- Any significant Coverity results? Some issues, maybe just crashes, but might be worse. A lot of false positives.
- Any significant shellcheck results? None
- Any significant bandit results? None

Security team ACK for promoting strictly libostree-1-1 to main and with the understanding that we're not supporting the ostree system management in any way.

I've elided the notes I made while reading this, pending feedback from Red Hat's security team. I don't like that there's no listed way to report security issues.

Thanks

** Changed in: ostree (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: ostree (Ubuntu)
Status: New => In Progress

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1892454

Title:
[MIR] libostree-1-1

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com