[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb

Mark Morlino 1854362 at bugs.launchpad.net
Wed Feb 26 22:58:06 UTC 2020


I reviewed urwid 2.0.1-2build3 as checked into focal.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability. 

urwid is a console-based display and user interface framework/library
for Python 2.7 and 3.4+.

- CVE History: 
  - none found
- Build-Depends?
  - nothing troubling found
- pre/post inst/rm scripts?
  - n/a
- init scripts?
  - n/a
- systemd units?
  - n/a
- dbus services?
  - n/a
- setuid binaries?
  - n/a
- binaries in PATH?
  - n/a
- sudo fragments?
  - n/a
- udev rules?
  - n/a
- unit tests / autopkgtests?
  - there are some tests but no autopackage tests. The tests run fine when I 
    manually run them but I don't see them running during the build.
- cron jobs?
  - n/a
- Build logs:
  - lintian warns about old python versions

- Processes spawned?
  - the default for Terminal is to use the value of the SHELL env var as the command
  - it execs a command for its virtual terminal class and some for mouse pointer integration
  - it also execs some python for reraising exceptions
- Memory management?
  - n/a
- File IO?
  - paths appear to be constructed safely
  - it's not really getting input from files
  - umask is set to 0 when daemonizing
  - umask not explicitly set for file creation
- Logging?
  - logging isn't used much and looks ok
- Environment variable usage?
  - env is not sanitized
  - this could possibly be misused or produce unanticipated results but that isn't happening as used by python-configshell-fb
- Use of privileged functions?
- Use of cryptography / random number sources etc?
  - n/a
- Use of temp files?
  - pipes are located in /tmp by default; this isn't being used for our purposes right now.
- Use of networking?
  - I didn't focus on this very much because urwid as used by python-configshell-fb doesn't use networking
  - input is parsed one character at a time.
- Use of WebKit?
- Use of PolicyKit?
  - n/a

- Any significant cppcheck results?
  - No
- Any significant Coverity results?
  - No

Bandit flagged creation of pipes in /tmp in web_display.py as potentially
unsafe. That functionality of the framework is not being used by
python-configshell-fb but it could probably be improved.

Security team ACK. My recommendation is that the web_display tmp files
be cleaned up to use Python's tempfile but I don't think it needs to
block inclusion into main at this time because it isn't being used.


** Changed in: urwid (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
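As an added illustration of the tempfile recommendation above (example code written for this note, not urwid's own web_display.py code): a FIFO at a predictable path in the shared /tmp beside one created inside a private directory from Python's tempfile, with a check that the pipe is still what the process created before it is opened. The pipe name, the "urwid-" prefix and the scratch directory are assumptions.

```python
import os
import shutil
import stat
import tempfile

def fixed_path_pipe(name, base="/tmp"):
    """Weak pattern: predictable name in a world-writable directory. Another
    local user can create a file or symlink there first, so mkfifo fails."""
    path = os.path.join(base, name)
    os.mkfifo(path, 0o600)  # FileExistsError if the path is already taken
    return path

def private_pipe(name="input.pipe"):
    """Hardened pattern: tempfile.mkdtemp yields a mode-0700 directory with
    an unpredictable name; the FIFO is created inside. Returns (dir, path)."""
    pipe_dir = tempfile.mkdtemp(prefix="urwid-")  # the prefix is an assumption
    path = os.path.join(pipe_dir, name)
    os.mkfifo(path, 0o600)
    return pipe_dir, path

def pipe_is_private(pipe_dir, path):
    """Check, without following symlinks, that the path is still our FIFO
    and its directory is still ours and not group/world accessible."""
    st, dst = os.lstat(path), os.lstat(pipe_dir)
    return (stat.S_ISFIFO(st.st_mode) and st.st_uid == os.getuid()
            and dst.st_uid == os.getuid()
            and not dst.st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def squatted_fixed_path():
    """Squatting failure mode, played out in a constructed scratch directory
    rather than the real /tmp: a file already sits at the fixed path."""
    scratch = tempfile.mkdtemp()
    try:
        open(os.path.join(scratch, "input.pipe"), "w").close()  # pre-created
        fixed_path_pipe("input.pipe", base=scratch)
        return False  # the collision went unnoticed
    except FileExistsError:
        return True
    finally:
        shutil.rmtree(scratch, ignore_errors=True)

def private_pipe_checks():
    """Create a private pipe, verify it, remove it; return the three checks."""
    pipe_dir, path = private_pipe()
    try:
        verified = pipe_is_private(pipe_dir, path)
    finally:
        shutil.rmtree(pipe_dir, ignore_errors=True)
    return verified, os.path.dirname(path) != "/tmp", not os.path.exists(pipe_dir)
```

Removing the whole directory on exit also clears the pipe itself, which avoids leaving a stale FIFO behind for the next run to collide with.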

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-rtslib-fb in Ubuntu.
https://bugs.launchpad.net/bugs/1854362

Title:
  [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb,
  urwid, targetcli-fb

Status in ceph-iscsi package in Ubuntu:
  Confirmed
Status in python-configshell-fb package in Ubuntu:
  In Progress
Status in python-rtslib-fb package in Ubuntu:
  Confirmed
Status in targetcli-fb package in Ubuntu:
  Confirmed
Status in tcmu package in Ubuntu:
  Confirmed
Status in urwid package in Ubuntu:
  Confirmed

Bug description:
  == ceph-iscsi ==

  [Availability]
  In universe

  [Rationale]
  Provides iSCSI gateway to a Ceph cluster, allowing clients which don't understand RBD to use Ceph storage.

  [Security]
  No security history found.

  [Quality assurance]
  Package runs tests during package build (submitted back to Debian).

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == tcmu ==

  [Availability]
  In universe

  [Rationale]
  Dependency for ceph-iscsi

  Handles the userspace side of the LIO TCM-User backstore allowing LIO
  to use librbd for Ceph backed block devices.

  [Security]
  Some security history:

  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcmu

  All in older versions.

  [Quality assurance]
  No tests in source package for execution during package build.

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == python-configshell-fb ==

  [Availability]
  In universe

  [Rationale]
  Dependency for ceph-iscsi

  [Security]
  No security history

  [Quality assurance]
  No tests in source package for execution during package build.

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == python-rtslib-fb ==

  [Availability]
  In universe

  [Rationale]
  Dependency for ceph-iscsi

  [Security]
  No security history

  [Quality assurance]
  No tests in source package for execution during package build.

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == urwid ==

  [Availability]
  In universe

  [Rationale]
  Dependency for python-configshell-fb

  [Security]
  No security history

  [Quality assurance]
  Tests present and executed during package build.

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == targetcli-fb ==

  [Availability]
  In universe

  [Rationale]
  - Only CLI for iSCSI target feature in Linux Kernel
  - Replaces the tgt iSCSI target with much better performance
  - tgt is being deprecated slowly and poorly updated
  - LIO fully supports SCSI 3 reservations (for clustering)

  [Security]
  No security history

  [Quality assurance]
  Tests present and executed during package build.

  [Dependencies]
  - python3-configshell-fb (this MIR)
  - python3-gi (main)
  - python3-rtslib-fb (this MIR)
  - python3-six (main)

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-server
