I reviewed xdg-terminal-exec 0.10.1-1 as checked into oracular. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

xdg-terminal-exec is a proposal for an XDG Default Terminal Execution Specification and a reference shell-based implementation. The proposal has not been merged yet, and it can be found here: https://gitlab.freedesktop.org/terminal-wg/specifications/-/merge_requests/3.

The code is not a stable version and backward compatibility is not
guaranteed.

The code is evolving at a fast speed.

- CVE History
  - None
- Build-Depends
  - debhelper-compat (= 13), bats <!nocheck>, scdoc <!nodoc>
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - ./usr/bin/xdg-terminal-exec
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - The project has a test directory with some tests.
- cron jobs
  - None
- Build logs
  - None

- Processes spawned
  - None
- Memory management
  - None
- File IO
  - It will read *.desktop files in the $APPLICATIONS_DIRS env var. This var is set by the script. In my tests this is /var/lib/snapd/desktop/applications/:/usr/share/applications/:/usr/local/share/applications/:/usr/share/gnome/applications/:/usr/share/ubuntu/applications/:$HOME/.local/share/applications/.
  - It will also read config (*.list) files in $HOME/.config:/etc/xdg/:/usr/share/:/var/lib.
  
- Logging
  - Debug output is printed to stdout.
- Environment variable usage
  - HOME;IFS
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - None
- Use of temp files
  - None
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None

- Any significant cppcheck results
  - None
- Any significant Coverity results
  - None
- Any significant shellcheck results
  - None
- Any significant bandit results
  - None
- Any significant govulncheck results
  - None
- Any significant Semgrep results
  - None

The code has some shellcheck ignore statements to ignore some shellcheck warnings. However, those are all false positives. This could potentially mean the upstream is taking care of the security of their software and running shellcheck.

It is worth noting that although this is not a vulnerability of the project, this software enables an additional procedure for T1546.004 (https://attack.mitre.org/techniques/T1546/004/).

The security team understands the need to promote xdg-terminal-exec to main and ACK this initiative. However, the security team wants to raise the issue that the project, at its current status, is not guaranteeing backward compatibility.


** Changed in: xdg-terminal-exec (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2069308

Title:
  MIR xdg-terminal-exec

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xdg-terminal-exec/+bug/2069308/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

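The File IO section of the review above lists the colon-separated search path from which the script reads its *.list config files, and the T1546.004 note explains why that matters: whichever of those files is writable to a local user decides which terminal gets launched. The following POSIX sh script is an added example written for this page; it is not part of the review or of xdg-terminal-exec. It walks a search path in the review's order, reports every matching *.list file, and flags the ones whose "other" write bit is set. The directory tree it builds under mktemp, and the file name xdg-terminals.list and the entries inside those files, are constructed sample input, not the project's own data.

```shell
#!/bin/sh
# Added example, not code from the review or from xdg-terminal-exec:
# audit a colon-separated config search path (the one the review lists,
# $HOME/.config:/etc/xdg/:/usr/share/:/var/lib) for *.list files that any
# local user could modify.

# list_matching DIRS PATTERN
# Prints "<flag> <path>" for each file matching PATTERN in each directory
# of DIRS (colon-separated, searched in order). flag is WORLD_WRITABLE when
# the "other" write bit is set, otherwise ok. The mode string from ls(1) is
# used instead of `test -w` so the verdict does not depend on who runs it.
list_matching() {
    dirs=$1
    pattern=$2
    printf '%s\n' "$dirs" | tr ':' '\n' | while IFS= read -r d; do
        [ -n "$d" ] && [ -d "$d" ] || continue
        for f in "$d"/$pattern; do
            [ -f "$f" ] || continue
            mode=$(ls -ld -- "$f" | cut -c1-10)   # e.g. -rw-rw-rw-
            case $mode in
                ????????w?) flag=WORLD_WRITABLE ;;  # 9th char: other-write bit
                *) flag=ok ;;
            esac
            printf '%s %s\n' "$flag" "$f"
        done
    done
}

# count_world_writable DIRS PATTERN
# Prints the number of flagged files on stdout (0 when none).
count_world_writable() {
    list_matching "$1" "$2" | grep -c '^WORLD_WRITABLE ' || true
}

# make_sample_tree
# Builds a constructed tree that mirrors the review's search path under a
# temporary root and prints that root. The file name xdg-terminals.list and
# the desktop-entry names inside are assumptions made for this demo; the
# copy under var/lib is deliberately made world-writable.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/home/.config" "$root/etc/xdg" "$root/usr/share" "$root/var/lib"
    printf 'foot.desktop\n'           > "$root/home/.config/xdg-terminals.list"
    printf 'gnome-terminal.desktop\n' > "$root/etc/xdg/xdg-terminals.list"
    printf 'xterm.desktop\n'          > "$root/var/lib/xdg-terminals.list"
    chmod 644 "$root/home/.config/xdg-terminals.list" "$root/etc/xdg/xdg-terminals.list"
    chmod 666 "$root/var/lib/xdg-terminals.list"
    printf '%s\n' "$root"
}

# Demo run over the constructed tree.
demo_root=$(make_sample_tree)
demo_search="$demo_root/home/.config:$demo_root/etc/xdg:$demo_root/usr/share:$demo_root/var/lib"
list_matching "$demo_search" '*.list'
echo "world-writable config files: $(count_world_writable "$demo_search" '*.list')"
rm -rf "$demo_root"
```

To check a real machine rather than the sample tree, call list_matching with the review's path, for example `list_matching "$HOME/.config:/etc/xdg:/usr/share:/var/lib" '*.list'`; the same function with '*.desktop' and the $APPLICATIONS_DIRS value from the review audits the desktop-entry directories. Only the first matching file in search order is what a lookup would honour, so a flagged file early in the path is the one worth fixing first.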