[Bug 1972866] Re: [MIR] gsasl

Mark Esler 1972866 at bugs.launchpad.net
Wed Aug 24 20:06:09 UTC 2022 

I reviewed gsasl based on 2.0.1-4ubuntu1 as checked into kinetic
proposed with Libntlm disabled in d/rules and d/control.  This shouldn't
be considered a full audit but rather a quick gauge of maintainability.
This review focuses on non-Gnulib code.

- CVE History:
  - CVE-2022-2469
    - "Simon Josefsson discovered an out-of-bounds memory read in GNU SASL, an implementation of the Simple Authentication and Security Layer framework, which could result in denial of service."
    - https://www.debian.org/security/2022/dsa-5189
    - please note that the version checked into kinetic is vulnerable, the kinetic proposed version is not
  - relevant issues in https://git.savannah.gnu.org/cgit/gsasl.git/log/
    - commit history was not ported to new gitlab repo
  - https://gsasl.gitlab.io/gsasl/clang-analyzer/ 
  - several issues were reported to GNU SASL during this audit
- Build-Depends?
  - primarily Gnulib
  - debhelper-compat, gettext, help2man, libgnutls28-dev, libgssglue-dev, libidn11-dev, pkg-config, texinfo, valgrind-if-available
  - linux-vdso.so.1
  - libgsasl.so.7
  - libgnutls.so.30
  - libc.so.6
  - libidn.so.12
  - libntlm.so.0
  - libgssapi_krb5.so.2
  - libp11-kit.so.0
  - libidn2.so.0
  - libunistring.so.2
  - libtasn1.so.6
  - libnettle.so.8
  - libhogweed.so.6
  - libgmp.so.10
  - ld-linux-x86-64.so.2
  - libkrb5.so.3
  - libk5crypto.so.3
  - libcom_err.so.2
  - libkrb5support.so.0
  - libffi.so.8
  - libkeyutils.so.1
  - libresolv.so.2
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - /usr/bin/gsasl
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - gssapi test is skipped by build/autopkgtests (!)
  - gs2-krb5 test is skipped by build/autopkgtests (!)
- cron jobs?
  - none
- Build logs:
  - okay

- Processes spawned?
  - does not appear to be in binaries
- Memory management?
  - heavy use of memory
  - some issues reported upstream
- File IO?
  - yes, by Gnulib
- Logging?
  - yes
  - besides Gnulib, tests, and examples, mostly in ./src/gsasl.c main()
- Environment variable usage?
  - yes, by Gnulib
- Use of privileged functions?
  - yes, by Gnulib
- Use of cryptography / random number sources etc?
  - implements SASL
  - most crypto functions utilize Gnulib
- Use of temp files?
  - none, besides example
- Use of networking?
  - mostly by Gnulib
  - ./src/gsasl.c main
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - unknown macros
    - mostly caused when macros defined in #if statements and then used elsewhere
- Any significant Coverity results?
  - many after ignoring example and Gnulib code
- Any significant shellcheck results?
  - none, ignoring build and test hits
- Any significant bandit results?
  - none

Security team ACK for promoting gsasl to main.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2469

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to mutt in Ubuntu.
https://bugs.launchpad.net/bugs/1972866

Title:
  [MIR] gsasl

Status in gsasl package in Ubuntu:
  In Progress
Status in mutt package in Ubuntu:
  New
Status in mutt package in Debian:
  Fix Released

Bug description:
  [Summary]
  * Everything seems in order with this package, but it should
  be reviewed by the security team due to the nature of the package.
  * Build log: https://launchpadlibrarian.net/564514219/buildlog_ubuntu-jammy-amd64.gsasl_1.10.0-5_BUILDING.txt.gz

  [Availability]
  * The package is already available in Ubuntu universe and builds for the required architectures

  [Rationale]
  * mutt (which is in main) used to depend on cyrus-sasl. Due to a
  licensing conflict between mutt and cyrus-sasl, it has been updated
  to use gsasl and drop the dependency on cyrus-sasl. This change
  has been made in Debian. Mutt is used by a large part of our
  user base, so continuing to provide it is important.

  [Security]
  * Package gsasl and associated libraries do not have any
  security red-flags, but should still be reviewed by
  the security team due to the nature of the package (it
  authenticates users to servers)
  * No CVEs/security issues in this software in the past
  * No `suid` or `sgid` binaries
  * No executables in `/sbin` and `/usr/sbin`
  * Package does not install services, timers or recurring jobs
  * Package does not open privileged ports (ports < 1024)

  [Quality assurance - function/usage]
  * The package works well right after install

  [Quality assurance - maintenance]
  * The package is maintained well in Debian/Ubuntu and has not too many
  and long term critical bugs open
  * The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  * The package runs a test suite on build time, if it fails
  it makes the build fail
  * The package runs an autopkgtest, and is currently passing

  [Quality assurance - packaging]
  * debian/watch is present and works
  * debian/control defines a correct Maintainer field
  * This package does not yield massive lintian Warnings, Errors
  * Full output of `lintian --pedantic`:
  ```
  P: gsasl source: update-debian-copyright 2014 vs 2021 [debian/copyright:44]
  P: gsasl source: very-long-line-length-in-source-file configure line 13808 is 704 characters long (>512)
  P: gsasl source: very-long-line-length-in-source-file examples/openid20/README line 92 is 807 characters long (>512)
  P: gsasl source: very-long-line-length-in-source-file examples/saml20/README line 171 is 1396 characters long (>512)
  P: gsasl source: very-long-line-length-in-source-file ... use --no-tag-display-limit to see all (or pipe to a file/program)
  ```
  * Lintian overrides are present, but ok because upstream does
  not provide source-only tarballs
  * This package has no python2 or GTK2 dependencies
  * Packaging and build is easy. d/rules is concise and readable

  [UI standards]
  * Application is end-user facing, Translation is present, via gettext

  [Dependencies]
  * libgsasl-dev depends on a package from src:libntlm. MIR for
  libntlm is here: https://bugs.launchpad.net/ubuntu/+source/libntlm/+bug/1976405

  [Standards compliance]
  * This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  * Owning Team will be foundations
  * Team is not yet, but will subscribe to the package before promotion
  * This does not use static builds
  * This does not use vendored code
  * The package successfully built during the most recent test rebuild

  [Background information]
  * The Package description explains the package well
  * Upstream Name is GNU SASL
  * Upstream Link is https://www.gnu.org/software/gsasl/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gsasl/+bug/1972866/+subscriptions

More information about the foundations-bugs mailing list