[Bug 1592465] Re: [MIR] swift-plugin-s3

Seth Arnold 1592465 at bugs.launchpad.net
Thu Dec 22 04:31:24 UTC 2016


I reviewed swift-plugin-s3 version 1.11-2 as checked into zesty. This
shouldn't be considered a security audit but rather a quick gauge of
maintainability.

All the files appear to be python2.7, even though 'six' is used.

- CVE-2015-8466 -- they were a little shaky on the process since they're
  not getting official OpenStack security support, but the patch is
  impressive, with ~90kb of fixes to test cases.

- swift-plugin-s3 is a middleware layer that interprets s3 requests and
  translates them to swift requests. It's a fairly complicated glue layer
  between two already complicated APIs, that runs on top of HTTP.

- Build-Depends: debhelper, dh-python, openstack-pkg-tools, python-all,
  python-pbr, python-setuptools, python-sphinx, python-boto,
  python-coverage, python-fixtures, python-hacking,
  python-lxml, python-mock, python-nose, python-nose-exclude,
  python-openstack.nose-plugin, python-openstackclient, python-requests,
  python-requests-mock, python-six, python-swift

- Uses md5, sha256 from hashlib, does not itself provide cryptography
- Uses wsgi
- Does not appear to daemonize outside of tests
- pre/post inst/rm automatically added by dh_python2
- No init scripts
- No dbus service
- No setuid or setgid executables
- No binaries in PATH
- No sudo fragments
- No udev rules
- Huge test suite run during the build (seriously, it's impressive;
  79%-100% test 'coverage' per file using line-based coverage counting;
  roughly three times as many lines of code in the tests as in the bulk of
  the program).
- No cronjobs
- Build log is mostly boilerplate and test output

- No subprocesses spawned
- No file management
- Simple logging
- No environment variables used outside of the tests
- No privileged syscalls used
- The only cryptography used is hash functions
- I believe the only networking is done via wsgi
- As a middleware layer it's hard to follow the full path of network
  packet inputs; code looked careful but not paranoid.
- No use of /tmp
- No WebKit
- No javascript
- No PolicyKit

This is complicated code. We'd need upstream's help to support this
package. That said, it looked well written, the test suite's size is
impressive, and the one CVE in their history appeared to be handled well
despite an uncertain start.

Here's the only note I took while reading:

- _validate_expire_param() hard-codes a year-2038 bug into the program

Security team ACK for promoting swift-plugin-s3 to main.

Thanks
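To make the year-2038 note concrete, here is an added illustration (not the reviewer's code and not swift-plugin-s3's own): an S3 presigned URL carries an `Expires` query parameter holding an epoch timestamp, and a validator that refuses anything above 2**31-1 stops accepting every URL once that date passes. The `validate_expire_param_legacy` shape is an assumption about the bug, and the hardened variant bounds lifetime relative to the current time instead of against a fixed calendar ceiling.

```python
import time

# Assumed hard-coded cutoff: the largest signed 32-bit epoch second,
# i.e. 2038-01-19T03:14:07Z.  Any expiry after that is refused forever.
MAX_INT32_EPOCH = 2 ** 31 - 1


class AccessDenied(Exception):
    """Stand-in for the middleware's S3-style AccessDenied error."""


def _parse_expires(params):
    """Expires must be present and an integer epoch timestamp."""
    try:
        return int(params['Expires'])
    except (KeyError, ValueError):
        raise AccessDenied('Expires missing or not an integer')


def validate_expire_param_legacy(params, now=None):
    """Assumed 2038-limited check: reject Expires > 2**31-1 outright."""
    now = time.time() if now is None else now
    expires = _parse_expires(params)
    if expires > MAX_INT32_EPOCH:
        raise AccessDenied('Expires beyond 2038-01-19')
    if now > expires:
        raise AccessDenied('presigned URL has expired')
    return expires


def validate_expire_param(params, now=None, max_lifetime=7 * 24 * 3600):
    """Same check without the 32-bit ceiling: bound the lifetime relative to
    'now' so far-future expiries are neither accepted (unbounded URLs) nor
    refused for a calendar reason.  The 7-day default is a chosen policy."""
    now = time.time() if now is None else now
    expires = _parse_expires(params)
    if expires < 0:
        raise AccessDenied('Expires must be non-negative')
    if now > expires:
        raise AccessDenied('presigned URL has expired')
    if expires - now > max_lifetime:
        raise AccessDenied('Expires too far in the future')
    return expires


def is_denied(check, params, now):
    """True if 'check' raises AccessDenied for these constructed inputs."""
    try:
        check(params, now=now)
    except AccessDenied:
        return True
    return False
```

Run with `now` pinned past 2038 (constructed timestamps), the legacy check denies a URL that expires only 1000 seconds later, while the hardened check accepts it and still rejects expired, malformed and over-long expiries.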


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8466

** Changed in: swift-plugin-s3 (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1592465

Title:
  [MIR] swift-plugin-s3

Status in swift-plugin-s3 package in Ubuntu:
  New

Bug description:
  1. Availability: This package is already in Universe
  2. Rationale:
    - This package is already installed on ALL Juju deploys of OpenStack Swift
    - Adding this package to main allows us to better support OpenStack Swift
  3. Security
    - 1 known public CVE: http://people.canonical.com/~ubuntu-security/cve/pkg/swift-plugin-s3.html
  4. Quality Assurance
    - This package is already maintained in universe
    - No currently open bugs in Launchpad
