[Bug 2023531] Re: [MIR] dotnet6
Nishit Majithia
2023531 at bugs.launchpad.net
Fri Aug 11 03:22:29 UTC 2023
I reviewed dotnet6 6.0.120 as checked into Mantic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
dotnet6 is an open-source platform for building desktop, web, and mobile
applications that can run natively on any operating system. The dotnet
system includes tools, libraries, and languages that support modern,
scalable, and high-performance software development.
- CVE History:
  - CVE-2022-38013: Fixed in 6.0.109
  - CVE-2022-41032: Fixed in 6.0.110
  - CVE-2023-21538: Fixed in 6.0.113
  - CVE-2023-24936: Fixed in 6.0.118
  - CVE-2023-28260: Fixed in 6.0.116
  - CVE-2023-29331: Fixed in 6.0.118
  - CVE-2023-29337: Fixed in 6.0.118
  - CVE-2023-32032: Fixed in 6.0.118
  - CVE-2023-33128: Fixed in 6.0.118
  - CVE-2023-33170: Fixed in 6.0.120
- Build-Depends?
  - clang
  - cmake
  - bash-completion
  - debhelper-compat (= 13)
  - dotnet-sdk-6.0
  - dotnet-sdk-6.0-source-built-artifacts
  - git
  - libicu-dev
  - libkrb5-dev
  - liblttng-ust-dev
  - libssl-dev
  - libunwind-dev
  - lld
  - llvm
  - locales-all
  - python3
  - zlib1g-dev
- pre/post inst/rm scripts?
  - None
- init scripts?
  - None
- systemd units?
  - None
- dbus services?
  - None
- setuid binaries?
  - no `suid` or `sgid` binaries
- binaries in PATH?
  - dotnet6, dotnet-host, dotnet-hostfxr-6.0, dotnet-runtime-6.0,
    aspnetcore-runtime-6.0, dotnet-templates-6.0, dotnet-sdk-6.0,
    dotnet-targeting-pack-6.0, netstandard-targeting-pack-2.1,
    aspnetcore-targeting-pack-6.0, dotnet-apphost-pack-6.0
- sudo fragments?
  - None
- polkit files?
  - None
- udev rules?
  - None
- unit tests / autopkgtests?
  - Yes, autopkgtests run fine locally, passing all the tests
- cron jobs?
  - None
- Build logs:
  - same lintian errors described in https://bugs.launchpad.net/ubuntu/+source/dotnet6/+bug/2023531/comments/1
- Processes spawned?
  - Yes, it is mainly in the `src/runtime` directory, which is responsible
    for dotnet runtime infrastructure. Most of the process spawn
    instructions are found in `coreclr`, which is the execution engine for
    dotnet applications. It includes the JIT compiler, garbage collector,
    and other low-level components that manage the execution of dotnet code.
  - It also exists in many test files in the `fsharp` directory, which is
    expected
- Memory management?
  - Heavy usage of memory-related functions in the `runtime` directory is
    expected from a framework
- File IO?
  - File IO operations are heavily used in the `src/aspnetcore` and
    `src/runtime` dirs
  - Specifically, it is being used in the `src/runtime/src/libraries` directory,
    which provides fundamental functionality for .NET applications, such
    as data types, collections, input/output, and more.
  - This looks okay
- Logging?
  - Error format looks fine
  - It mainly uses `Trace.TraceError()`, `std::system_error()` and
    `std::runtime_error()` in various situations, which is expected
- Environment variable usage?
  - Env variable use in the `src/runtime/src/mono/mono/eventpipe` dir looks
    fine. EventPipe is a feature that collects diagnostic and
    telemetry information from dotnet applications at runtime. It's used
    for profiling, debugging, and monitoring application behaviour.
  - Other heavy usages of environment variables are in the `eglib` dir. Embedded
    GLib (eglib) is a low-level library that provides data structures, utilities,
    and other core functionality for building applications on Linux.
  - Env variables are being used safely.
- Use of privileged functions?
  - It is very much used in the `System.Native` dir, which likely contains the
    implementation of native interop and low-level access to various native
    system APIs and features on Unix-like platforms.
  - This usage is expected.
- Use of cryptography / random number sources etc?
  - The `aspnetcore/src/Servers` dir is for the IIS web server and is also
    responsible for checking certificate chains. Looks fine
  - The cryptographic functions in the `System.Security.Cryptography.Native`
    component enable managed dotnet code to call the cryptographic
    functions provided by the operating system's native libraries.
  - This looks okay
- Use of temp files?
  - Looks fine.
- Use of networking?
  - Seems fine, the `aspnetcore` dir has many occurrences of network socket
    communication, which is expected considering its functionality.
- Use of WebKit/PolKit?
  - none
- Any significant cppcheck results?
  - The majority of them are in test directories. Issues regarding
    `unknownMacro` and `syntaxError` are false positives.
  - There are a few issues on `integer overflow` and `null pointer dereference`,
    which are outlined in the files for the s390x and riscv archs.
- Any significant Coverity results?
  - version information disclosure is not an issue
  - Hardcoded secrets in xml files are false positives
  - The majority of the issues are in test files, which can be ignored
  - Looks okay
- Any significant shellcheck results?
  - looks fine
- Any significant bandit results?
  - parsing of untrusted XML data in various files.
Microsoft has weekly meetings with their .NET Security Partners (including
Canonical) where updates and any new security issues are discussed.
Canonical receives embargoed access to the details for security issues as
well as early access to new dotnet releases that address the issues in
order to build, test, and overall prepare for a coordinated disclosure and
release on Patch Tuesday. Microsoft is additionally available outside the
scheduled meetings for any questions the Ubuntu Security or Foundations
Team may have regarding new releases.
I skimmed through the source code, which is well-written with proper comments
and documentation. Upstream is quite active in development as well.
After the MIR Team's requirements have been fulfilled to their satisfaction,
the Security team ACKs promoting dotnet6 to main.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-38013
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-41032
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-21538
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-24936
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-28260
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-29331
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-29337
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-32032
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-33128
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-33170
** Changed in: dotnet6 (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dotnet6 in Ubuntu.
https://bugs.launchpad.net/bugs/2023531
Title:
[MIR] dotnet6
Status in dotnet6 package in Ubuntu:
New
Bug description:
[Availability]
The package dotnet6 is already in Ubuntu universe.
The package dotnet6 builds for the architectures it is designed to work on.
  - See: https://github.com/dotnet/core/blob/main/release-notes/6.0/supported-os.md
It currently builds and works for architectures: amd64, arm64
Link to package https://launchpad.net/ubuntu/+source/dotnet6
[Rationale]
- The package dotnet6 is required in Ubuntu main as part of
  Canonical's partnership with Microsoft to shorten the supply
  chain between Canonical and Microsoft and improve the .NET
  developer experience on Ubuntu. Read more here:
  - https://canonical.com/blog/install-dotnet-on-ubuntu
  - https://devblogs.microsoft.com/dotnet/dotnet-6-is-now-in-ubuntu-2204/
- The package dotnet6 will generally be useful for a large part of
  our user base
- It would be great and useful to community/processes to have the
  package dotnet6 in Ubuntu main, but there is no definitive deadline.
[Security]
- dotnet6 had security issues in the past that have been
  fixed, see trackers:
  - https://ubuntu.com/security/cves?package=dotnet6
  - https://github.com/dotnet/core/blob/main/release-notes/6.0/cve.md
  - NOTE: When searching for .NET CVEs in other trackers,
    keep in mind that .NET Framework and .NET (Core) are not
    the same and that many CVEs do not affect Linux distributions.
- The Security Team and Foundations Toolchain Squad already
  work together with Microsoft to release security updates
  to Ubuntu.
  - Microsoft has weekly meetings with .NET Security Partners
    (including Canonical) where they are kept informed
    about security issues.
  - .NET Security Partners (including Canonical) have early
    access to .NET releases containing CVE patches.
  - Microsoft and .NET Security Partners (including Canonical)
    coordinate releases to disclose and provide patches for
    security issues on all platforms at the same time.
  - Microsoft informs users about (security) issues in the
    monthly release notes, where they also recommend actions
    to mitigate these issues.
    See example Release Note containing CVE warning:
    https://devblogs.microsoft.com/dotnet/february-2023-updates/
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- The package does not open privileged ports (ports < 1024)
- The package does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Ubuntu/Upstream and does
  not have too many long-term & critical open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dotnet6/+bug
  - There are multiple bug trackers upstream for the individual
    components of the package https://github.com/dotnet
- The package has no important open bugs
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite at build time; if it fails,
  it makes the build fail. Link to build logs:
  - mantic amd64: https://launchpad.net/ubuntu/+source/dotnet6/6.0.116-0ubuntu3/+build/26165948
  - mantic arm64: https://launchpad.net/ubuntu/+source/dotnet6/6.0.116-0ubuntu3/+build/26165949
  - lunar amd64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25976292
  - lunar arm64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25976293
  - kinetic amd64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25964381
  - kinetic arm64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25964382
  - jammy amd64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ubuntu-security-staging-private/+build/25974197
  - jammy arm64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ubuntu-security-staging-private/+build/25974198
- The package runs an autopkgtest, and is currently passing
  on mantic/lunar/kinetic/jammy amd64/arm64 https://autopkgtest.ubuntu.com/packages/dotnet6
- The package does NOT have failing autopkgtests right now.
[Quality assurance - packaging]
- debian/watch is present and works*
  (*Canonical has to work around the debian/watch file to
  consume embargoed releases before the official release)
- debian/control defines a correct Maintainer field
- This package does yield massive lintian Warnings/Errors,
  but they are either false positives or acceptable.
- Lintian overrides are present, but ok because of false-positive
  lintian warnings. The concrete reasons are explained as a
  comment in the override files.
- The package will not be installed by default
- Packaging is complex, but that is ok because the software
  we are packaging is complex and we are working with
  Microsoft to reduce the complexity.
[UI standards]
- Application is end-user facing; Translation is NOT present.
  This is ok, as the application just provides a Command Line
  Interface for developers. The CLI output should not be
  translated, to maintain online searchable error messages.
  - The exception messages of the .NET Runtime are localized.
- End-user application without a desktop file; not needed,
  because it just provides libraries and command line tools
[Dependencies]
- There are further dependencies that are not yet in main; the MIR
  process for them is handled as part of this bug here.
  - lld binary and source package is in universe
  - llvm binary and source package is in universe
  - locales-all is in universe, but its source glibc is already in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy (AFAICT: this package is huge and I have only limited experience)
[Maintenance/Owner]
- Team is already subscribed to the package
- This package has embedded/vendorized dependencies.
  We are aware of this problem and working on getting rid of them.
- This package is not rust based
- The package has been built in the archive more recently than the last
  test rebuild
[Background information]
- The Package description explains the package well
- Upstream Name is ".NET 6"
- Upstream project: https://github.com/dotnet/source-build
- This MIR exists in parallel to the MIR for dotnet7
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dotnet6/+bug/2023531/+subscriptions
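Several items in the security review checklist above (setuid binaries, executables in /sbin and /usr/sbin, pre/post inst/rm scripts, systemd units, sudo fragments, polkit files, udev rules, dbus services, cron jobs, binaries in PATH) are plain file-system properties of the built binary packages, so they can be checked mechanically before a reviewer reads any code. The script below is an added example, not part of the bug report, the review or the dotnet6 packaging. It runs those checks over an unpacked package tree such as the directory written by `dpkg-deb -R package.deb <dir>`, and includes a small constructed tree (the file names `dotnet`, `helper` and `dotnet-admin` are made up for the example, and the setuid `helper` is there only to show the check firing; the real review found no suid or sgid binaries in dotnet6).

```sh
#!/bin/sh
# Added example: not code from the bug report or the dotnet6 packaging.
# Runs the file-system checks from the MIR security review checklist over an
# unpacked package tree, e.g. the directory written by
#   dpkg-deb -R package.deb <dir>
# Usage: sh mir-fs-checks.sh <dir>
set -eu

# Print one "<check>: <path>" line per finding, paths relative to the tree
# root, sorted. No output means the tree is clean for every check.
review_tree() {
    (
        cd "$1" || exit 1
        # setuid binaries?
        find . -type f \( -perm -4000 -o -perm -2000 \) \
            | sed 's|^\./|setuid/setgid binary: |'
        # no executables in /sbin and /usr/sbin
        find ./sbin ./usr/sbin -type f -perm -0100 2>/dev/null \
            | sed 's|^\./|executable in sbin: |'
        # pre/post inst/rm scripts? (dpkg-deb -R places them under DEBIAN/)
        for s in preinst postinst prerm postrm; do
            [ -f "DEBIAN/$s" ] || continue
            echo "maintainer script: DEBIAN/$s"
        done
        # systemd units?
        find ./lib/systemd/system ./usr/lib/systemd/system -type f 2>/dev/null \
            | sed 's|^\./|systemd unit: |'
        # sudo fragments?
        find ./etc/sudoers.d -type f 2>/dev/null | sed 's|^\./|sudo fragment: |'
        # polkit files?
        find ./usr/share/polkit-1 ./etc/polkit-1 -type f 2>/dev/null \
            | sed 's|^\./|polkit file: |'
        # udev rules?
        find ./lib/udev/rules.d ./etc/udev/rules.d -type f 2>/dev/null \
            | sed 's|^\./|udev rule: |'
        # dbus services?
        find ./usr/share/dbus-1 ./etc/dbus-1 -type f 2>/dev/null \
            | sed 's|^\./|dbus service: |'
        # cron jobs?
        find ./etc/cron.d ./etc/cron.hourly ./etc/cron.daily ./etc/cron.weekly \
            -type f 2>/dev/null | sed 's|^\./|cron job: |'
        # binaries in PATH?
        find ./bin ./usr/bin -type f -perm -0100 2>/dev/null \
            | sed 's|^\./|binary in PATH: |'
    ) | sort
}

# Build a small constructed tree under $1 so the checks can be exercised
# offline. File names (dotnet, helper, dotnet-admin) are made up for this
# example; the setuid bit on helper is deliberate so that check fires.
make_sample_tree() {
    mkdir -p "$1/DEBIAN" "$1/usr/bin" "$1/usr/sbin" "$1/usr/lib/dotnet" \
             "$1/etc/sudoers.d" "$1/lib/systemd/system"
    printf '#!/bin/sh\nexit 0\n' > "$1/DEBIAN/postinst"
    chmod 755 "$1/DEBIAN/postinst"
    : > "$1/usr/bin/dotnet";         chmod 755 "$1/usr/bin/dotnet"
    : > "$1/usr/sbin/dotnet-admin";  chmod 755 "$1/usr/sbin/dotnet-admin"
    : > "$1/usr/lib/dotnet/helper";  chmod 4755 "$1/usr/lib/dotnet/helper"
}

if [ $# -gt 0 ]; then
    review_tree "$1"
fi
```

On the constructed tree the script reports the postinst script, the executable under usr/sbin, the binary under usr/bin and the setuid helper, and stays silent for the empty sudoers.d and systemd directories; run it against each binary package of a real source package (dotnet6 builds several, listed under "binaries in PATH" above) to cover the whole set.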