[Bug 1976405] Re: [MIR] libntlm
Mark Esler
1976405 at bugs.launchpad.net
Thu Aug 18 20:17:20 UTC 2022
I reviewed libntlm 1.6-4 as checked into kinetic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
- CVE History:
  - CVE-2019-17455
    - "It was discovered that Libntlm incorrectly handled specially crafted NTLM requests. An attacker could possibly use this issue to cause a denial of service or another unspecified impact."
    - https://ubuntu.com/security/notices/USN-5108-1
- Open Bugs?
  - "Problem with cross domain authentication"
    - https://gitlab.com/gsasl/libntlm/-/issues/1
- Build-Depends?
  - gnulib built into package for DES
  - linux-vdso.so.1
  - libc.so.6
  - ld-linux-x86-64.so.2
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - yes
- cron jobs?
  - none
- Build logs:
  - handful of "warning: inlining failed in call to 'getUnicodeString.constprop'" on build
- Processes spawned?
  - not checked
- Memory management?
  - four memcpy calls in smbutil.c
    - first use is very obtuse
    - no size checking--might be fine
- File IO?
  - no, only test code
- Logging?
  - no, only example code
- Environment variable usage?
  - none
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - NTLMv1 is deprecated and highly unsafe (!)
  - implementation looks good
- Use of temp files?
  - none
- Use of networking?
  - no, only example code
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - smbutil.c:317 assigns a pointer to Null
    - AddString appears to be purposely built this way
- Any significant Coverity results?
  - gnulib overwrites part of a buffer being copied in md4_process_bytes function
    - perhaps intentional if buffer is under 16? should use memmove otherwise
    - Libntlm calls md4_buffer which calls md4_process_bytes
    - ./gl/md4.c:269
  - test code reports ignored
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none
This package encourages the use of NTLMv1. It implies that an NTLM server should use deprecated authentication. In many scenarios this means enabling SMBv1 as well! This is only acceptable in completely controlled environments.
- https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73
From Libntlm's README:
"""
I don't consider NTLM a secure authentication protocol -- it uses MD4
and single-DES. MD4 has been broken, and single-DES have a too small
key size to be considered secure against brute-force attacks. You
should only use libntlm for interoperability purposes, not to achieve
any kind of security.
"""
Security team ACK for promoting libntlm to main.
** Bug watch added: gitlab.com/gsasl/libntlm/-/issues #1
https://gitlab.com/gsasl/libntlm/-/issues/1
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-17455
** Changed in: libntlm (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
** Changed in: libntlm (Ubuntu)
Status: New => In Progress
https://bugs.launchpad.net/bugs/1976405
Title:
[MIR] libntlm
Status in libntlm package in Ubuntu:
In Progress
Status in mutt package in Ubuntu:
New
Bug description:
[Summary]
* Due to the nature of the package (an authentication library) it should
be reviewed by the security team before promotion
* build log: https://launchpad.net/ubuntu/+source/libntlm/1.6-4/+build/22298428
[Availability]
* The package is already in Ubuntu universe.
* The package builds for the architectures it is designed to work on.
[Rationale]
* This MIR is transitive for an MIR of gsasl. It is needed to resolve
a component mismatch for mutt
[Security]
* CVE-2019-17455 was fixed and is the only CVE listed for this package
* No `suid` or `sgid` binaries
* No executables in `/sbin` and `/usr/sbin`
* Package does not install services, timers or recurring jobs
* Package does not open privileged ports (ports < 1024)
* Due to the nature of the package (an authentication library) it should
be reviewed by the security team before promotion
[Quality assurance - function/usage]
* The package works well right after install
[Quality assurance - maintenance]
* The package is maintained well in Debian/Ubuntu and does not have too many
long-term critical bugs open
* The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
* The package runs a test suite on build time, if it fails
it makes the build fail
* The package runs an autopkgtest, and is currently passing
* The package does not have failing autopkgtests right now
[Quality assurance - packaging]
* debian/watch is present and works
* debian/control defines a correct Maintainer field
* This package does not yield massive lintian Warnings, Errors
* Full output of `lintian --pedantic`:
```
P: libntlm source: very-long-line-length-in-source-file configure line 11350 is 704 characters long (>512)
P: libntlm source: very-long-line-length-in-source-file m4/libtool.m4 line 6621 is 738 characters long (>512)
```
* Lintian overrides are not present
* This package has no python2 or GTK2 dependencies
* Packaging and build is easy
[UI standards]
* Application is not end-user facing (does not need translation)
[Dependencies]
* No further depends or recommends dependencies that are not yet in main
[Standards compliance]
* This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
* Owning Team will be foundations
* Team is not yet, but will subscribe to the package before promotion
* This does not use static builds
* This does not use vendored code
* The package successfully built during the most recent test rebuild
[Background information]
* The Package description explains the package well
* Upstream name is libntlm
* Link to upstream project https://www.nongnu.org/libntlm/