I reviewed libblockdev version 2.16-2 as checked into bionic. This should not be considered a full security audit but rather a quick gauge of maintainability.
- libblockdev is a plugin-based library to work with block devices, providing an API based interface that knows how to either perform underlying operations directly or call the necessary command line applications as appropriate. - There are no CVEs in our database - Build-Depends: debhelper, libtool, dh-python, python3:any, libglib2.0-dev libgirepository1.0-dev, libcryptsetup-dev libdevmapper-dev libudev-dev libsystemd-dev, libdmraid-dev, libvolume-key-dev, libbytesize-dev, libnss3-dev libparted-dev libmount-dev libblkid-dev libpython3-dev, libkmod-dev gtk-doc-tools, gobject-introspection, pylint - libblockdev does not itself daemonize - no networking - automatically generated pre/post inst/rm scripts - no initscripts - no dbus services - no setuid files - no executables in PATH - no sudo fragments - no udev rules - There is a test suite; it is not run during the build. I suspect keeping this test suite disabled is the right approach. - No cronjobs - Noisy build logs, primarily from the documentation tools; not ideal, but at least not much from the code itself - Several plugins execute helper tools; the glib helpers make the resulting code fairly complex, but it looks like the executions were carefully written - memory management is careful; allocated memory is quickly freed when it is no longer used to simplify error handling - normally 'files' being opened are block devices - Logging functions looked careful - No environment variable use - Does not itself do cryptography -- drives LUKS, VeraCrypt, etc via helpers - Does not do networking - Does not use temporary files - Does not use WebKit - Does not use PolicyKit - Does not use JavaScript - Mostly clean cppcheck results; s390 code has legitimate errors: [src/plugins/s390.c:293]: (error) Used file that is not opened. [src/plugins/s390.c:293]: (error) Resource handle 'fd' freed twice. [src/plugins/s390.c:968]: (error) Resource leak: fd The s390 code does not feel as mature as the rest of the code base. I suspect a deeper inspection of the s390 sources would find more issues. If it can be disabled without significant loss of functionality then I recommend we disable it. Security team ACK for promoting libblockdev to main. Here's some notes I took while reviewing the code, in the hopes that they are useful: - bd_s390_dasd_online() double-closes fd, uses fd when it isn't open - bd_s390_zfcp_offline() leaks fd in rc == EOF branch - bd_s390_zfcp_online() calls fclose(fd) in a branch when fd is known to be NULL - bd_s390_zfcp_scsi_offline() does not check fopen(hba_path, "r") for an error return - bd_s390_zfcp_scsi_offline() does not check fopen(wwpn_path, "r") for an error return - bd_s390_zfcp_scsi_offline() does not check fopen(lun_path, "r") for an error return - bd_crypto_tc_open(), luks_format(), (and other functions) do not zero out secrets such as passwords. (This is difficult to do; the goal is not to be perfect, but to try. Simply adding memset_s() calls would be a step in the right direction.) - Many routines in src/plugins/crypto.c call strlen(passwd), some other functions are described as taking binary data in password parameters. Is there a chance of one interface setting, changing, or removing a password, that other interfaces cannot work with? - write_escrow_data_file() writes what looks like a secret key equivalent to a file but does not itself set a safe umask before doing so. Thanks ** Changed in: libblockdev (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to udisks2 in Ubuntu. https://bugs.launchpad.net/bugs/1735499 Title: [MIR] libblockdev Status in libblockdev package in Ubuntu: New Status in udisks2 package in Ubuntu: New Bug description: Availability ============ Built for all supported architectures. In sync with Debian. Rationale ========= udisks2 2.7 uses the "libblockdev library for all low level storage management tasks instead of calling command line tools." libblockdev appears to have the same maintainers ("storaged project") as udisks2. It would be nice to have the new version to support GNOME Disks 3.26's new Resize and Repair features. http://pothos.blogsport.eu/2017/08/22/last-project-phase-and-3-26-features/ There is some interest in dropping Gparted from the Ubuntu live ISO since it does not support Wayland and it still uses gtk2. Security ======== No known security issues https://security-tracker.debian.org/tracker/source-package/libblockdev https://launchpad.net/ubuntu/+source/libblockdev/+cve Quality assurance ================= - Ubuntu Desktop bugs is the subscriber (although the Desktop Team thinks that Foundations should be responsible for udisks and friends) https://bugs.launchpad.net/ubuntu/+source/libblockdev https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libblockdev https://github.com/storaged-project/libblockdev/issues dh_auto_test is run but I guess it's not actually running the upstream test suite yet. (I think the upstream test suite needs to be run as autopkgtests) See http://storaged.org/libblockdev/ch03.html No autopkgtests Dependencies ============ Debian's udisks2 recommends libblockdev-plugins-all which depends on these binary packages: - libblockdev-crypto2 which depends on the universe libvolume-key1 (source: volume-key) - libblockdev-btrfs2 which depends on the universe libbytesize1 (source: libbytesize) - libblockdev-kbd2 which depends on the universe libbytesize1 (source: libbytesize) - libblockdev-mdraid2 which depends on the universe libbytesize1 (source: libbytesize) libbytesize is another storaged project. Neither libbytesize nor volume-key have any other universe binary dependencies. It might be ok to temporarily not recommend those udisks2 plugins until the other 2 MIRs are processed. Standards compliance ==================== 4.1.1, debhelper compat 10, simple dh7 style rules Maintenance =========== Maintained in Debian by the Debian Utopia team, which is a small team focused on cross-desktop freedesktop.org stuff. upstream: https://github.com/storaged-project/libblockdev To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libblockdev/+bug/1735499/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp