I reviewed volume-key version 0.3.9-3 as checked into bionic. This should
not be considered a full security audit but rather a quick gauge of
maintainability.

- No CVEs in our database.
- volume-key's main purpose is to provide some key escrow capabilities for
  encrypted storage

- Build-Depends: debhelper, libglib2.0-dev, libcryptsetup-dev,
  libnss3-dev, libgpgme11-dev, libblkid-dev, swig, python-dev,
  libnss3-tools
- Does not daemonize
- No networking
- Does Cryptography
- No pre/post inst/rm
- No init scripts
- No systemd unit files
- No dbus services
- No setuid files
- volume_key in PATH
- No sudo fragments
- No udev rules
- There is a test suite but it doesn't appear useful as a quality tool
- No cron jobs
- Some warnings in the build logs, not ideal

- No subprocesses spawned
- I found some probable errors in memory management, but mostly good:
  - kmip_decode_object_symmetric_key() return -1 case leaks res?
  - kmip_decode_key_value() default: case leaks res?
  - kmip_decode_object_secret_data() return -1 case leaks res?
- Files opened are controlled by the user
- Logging looked careful
- No privileged operations
- Extensive cryptographic operations
- No networking
- No privileged portions of code
- No temp files
- No WebKit
- No JavaScript
- Clean cppcheck
- No PolicyKit

I don't like promoting this package to main already. The tests shouldn't
be failing in a brand-new project. The fact that nss's certutil's use of
UpdateRNG() does a bunch of garbage with the terminal and prints lies
about what it is doing suggests that certutil itself is not suitable for
use by this project:

https://sources.debian.org/src/nss/2:3.35-2/nss/cmd/certutil/keystuff.c/?hl=67#L67

I'd be much happier promoting volume-key for 18.10.

However, we've already gotten complaints from our users that their
encrypted storage no longer works because the old mechanism has apparently
already been torn down.

If there's no way to bring back the old mechanism, then..

Security team begrudging ACK for promoting volume-key to main. But I'd be
happier if we could just bring back what used to work.

Thanks


** Changed in: volume-key (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to volume-key in Ubuntu.
https://bugs.launchpad.net/bugs/1754422

Title:
  [MIR] volume-key

Status in volume-key package in Ubuntu:
  Incomplete

Bug description:
  Availability
  ============
  Built for all supported architectures. In sync with Debian.

  Rationale
  =========
  GNOME Disks uses udisks2. Debian's udisks2 recommends libblockdev-crypto2
  which depends on libvolume-key1.

  The package description for libblockdev-crypto2 is:
   "The libblockdev library plugin (and in the same time a standalone library)
    providing the functionality related to encrypted devices (LUKS)."

  This sounds like a very useful feature for Ubuntu since we offer full
  disk encryption using LUKS.

  Security
  ========
  No known security issues. Presumably should get a Security review.

  https://security-tracker.debian.org/tracker/source-package/volume-key
  https://launchpad.net/ubuntu/+source/volume-key/+cve

  Quality assurance
  =================
  - Please subscribe Ubuntu Desktop bugs (although the Desktop Team thinks that
    Foundations should be responsible for udisks and friends)

  https://bugs.launchpad.net/ubuntu/+source/volume-key
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=volume-key
  https://pagure.io/volume_key/issues

  dh_auto_test is run but tests are failing and ignored.

  No autopkgtests

  Dependencies
  ============
  No universe dependencies

  Standards compliance
  ====================
  4.1.3, debhelper compat 11, simple dh7 style rules

  Maintenance
  ===========
  Maintained in Debian by the Debian Utopia team, which is a small team focused
  on cross-desktop freedesktop.org stuff.

  https://salsa.debian.org/utopia-team/volume-key

  upstream:
  https://pagure.io/volume_key
