[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
Alex Murray
alex.murray at canonical.com
Tue Feb 18 04:29:18 UTC 2020

I reviewed ntirpc 3.0-0ubuntu2 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

ntirpc is a fork of the existing libtirpc library providing RPC services
for nfs-ganesha and others.

- CVE History:
  - Only 1 past CVE against ntirpc
    - CVE-2017-8779 - was fixed reasonably quickly
  - This shares a lot of code with libtirpc which has had 5 CVEs (including
    CVE-2017-8779) so I checked these against ntirpc:
    - CVE-2013-1950 - ntirpc *might* be vulnerable to this - this needs
      more thorough code review
    - CVE-2018-14621 - ntirpc is not vulnerable
    - CVE-2018-14622 - ntirpc is not vulnerable
    - CVE-2016-4429 - ntirpc appears to also be vulnerable to this - I have
      marked this as such in our CVE tracker
  - I have updated our CVE tracker so that all CVEs triaged against
    libtirpc will also get triaged against ntirpc due to the amount of
    similar code between the two so that future CVEs don't get missed
- No significant Build-Depends
  - cmake, libkrb5-dev, libjemalloc-dev, liburcu-dev
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- No autopkgtests
- Very simple tests run during build (tests/rpcping)
  - This exercises the high-level interfaces of the library
- No cron jobs
- Build logs are clean
- No processes spawned
- Memory management appears to be careful and deliberate
- Minimal file IO using hard-coded file paths to root-owned files
- Logging is careful
- The only environment variable used is NETPATH and this appears to be done
  carefully
- No use of privileged functions
- No use of cryptography / random number sources etc
- No use of temp files
- Network handling appears to be pretty good
  - Takes care to track buffer sizes and carefully decodes remote data
- No use of WebKit
- No use of PolicyKit
- Significant static analysis results
  - cppcheck identifies a possible NULL pointer dereference in the City
    hash code:
    - src/city.c:412:30: note: Calling function 'CityHash128WithSeed', 1st argument 'NULL' value is 0
    - src/city.c:339:46: note: Calling function 'Fetch64', 1st argument 's' value is 0
    - src/city.c:91:9: note: Calling function 'UNALIGNED_LOAD64', 1st argument 'p' value is 0
    - src/city.c:43:18: note: Null pointer dereference
    - (i.e. due to the call to CityHash128WithSeed(NULL,...) this could
      result in an eventual call to memcpy with that NULL as the src
      argument)
  - Coverity identifies a number of issues around handling of locks - some
    of these appear to be false positives but others could potentially be
    real issues - see attached for the full list of defects.

In general, ntirpc appears to be well maintained and does not appear to
have any obvious security issues. Other than the fact that this duplicates
a lot of code from libtirpc, no objection from the Security Team for promoting
this to main - we have updated our CVE tracker so that any future CVEs
against libtirpc will get automatically assigned to ntirpc as well so that
we do not miss any other possible future CVEs for this.

Security team ACK for promoting ntirpc to main - I suggest however that the
list of Coverity defects be examined in more detail since some indicate the
chance of deadlock which would not be a good outcome for users of ntirpc.

** Changed in: nfs-ganesha (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1950
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4429
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8779
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14621
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14622

https://bugs.launchpad.net/bugs/1843403

Title:
  [MIR] nfs-ganesha, ntirpc

Status in nfs-ganesha package in Ubuntu:
  New
Status in ntirpc package in Ubuntu:
  New

Bug description:
  == nfs-ganesha ==

  [Availability]
  In universe

  [Rationale]
  Ganesha provides the NFS header/proxy for use of CephFS shared file systems as part of OpenStack Manila

  [Security]
  No security history:
  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=nfs-ganesha

  [Quality assurance]
  Test suite currently disabled in package build.
  No autopkgtests.

  [Dependencies]
  daemon in universe - any alternatives?

  [Standards compliance]
  OK - modern debhelper style package (compat level 9).

  [Maintenance]
  maintained in Debian
  ubuntu-openstack for Ubuntu

  [Background information]
  Specifically nfs-ganesha-ceph will be seeded for support

  == ntirpc ==

  [Availability]
  In universe

  [Rationale]
  Dependency for nfs-ganesha

  [Security]
  One CVE, much older version:
  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ntirpc

  [Quality assurance]
  Test suite currently disabled in package build.
  No autopkgtests.

  [Dependencies]
  all in main or detailed on this MIR

  [Standards compliance]
  OK - modern debhelper style package (compat level 9).

  [Maintenance]
  maintained in Debian
  ubuntu-openstack for Ubuntu