[Bug 1745455] Re: [MIR] fprintd

2018-08-30 Thread Matthias Klose
Override component to main
fprintd 0.8.0-2 in cosmic: universe/misc -> main
fprintd 0.8.0-2 in cosmic amd64: universe/misc/extra/100% -> main
fprintd 0.8.0-2 in cosmic arm64: universe/misc/extra/100% -> main
fprintd 0.8.0-2 in cosmic armhf: universe/misc/extra/100% -> main
fprintd 0.8.0-2 in cosmic i386: universe/misc/extra/100% -> main
fprintd 0.8.0-2 in cosmic ppc64el: universe/misc/extra/100% -> main
fprintd 0.8.0-2 in cosmic s390x: universe/misc/extra/100% -> main
fprintd-doc 0.8.0-2 in cosmic amd64: universe/doc/extra/100% -> main
fprintd-doc 0.8.0-2 in cosmic arm64: universe/doc/extra/100% -> main
fprintd-doc 0.8.0-2 in cosmic armhf: universe/doc/extra/100% -> main
fprintd-doc 0.8.0-2 in cosmic i386: universe/doc/extra/100% -> main
fprintd-doc 0.8.0-2 in cosmic ppc64el: universe/doc/extra/100% -> main
fprintd-doc 0.8.0-2 in cosmic s390x: universe/doc/extra/100% -> main
libpam-fprintd 0.8.0-2 in cosmic amd64: universe/admin/extra/100% -> main
libpam-fprintd 0.8.0-2 in cosmic arm64: universe/admin/extra/100% -> main
libpam-fprintd 0.8.0-2 in cosmic armhf: universe/admin/extra/100% -> main
libpam-fprintd 0.8.0-2 in cosmic i386: universe/admin/extra/100% -> main
libpam-fprintd 0.8.0-2 in cosmic ppc64el: universe/admin/extra/100% -> main
libpam-fprintd 0.8.0-2 in cosmic s390x: universe/admin/extra/100% -> main
19 publications overridden.


** Changed in: fprintd (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1745455

Title:
  [MIR] fprintd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fprintd/+bug/1745455/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1745455] Re: [MIR] fprintd

2018-08-29 Thread Sebastien Bacher
** Changed in: fprintd (Ubuntu)
   Status: New => Fix Committed

[Bug 1745455] Re: [MIR] fprintd

2018-06-27 Thread Seth Arnold
I reviewed fprintd version 0.8.0-2 as checked into cosmic. This isn't a
full security audit but rather a quick gauge of maintainability.

- fprintd is a dbus interface for libfprint
- No CVEs in our database

- Build-Depends: debhelper, libfprint-dev, libglib2.0-dev,
  libdbus-glib-1-dev, libpolkit-gobject-1-dev, gtk-doc-tools, intltool,
  libpam0g-dev, rename

- No cryptography
- No networking
- Does DBus communication
- Does not itself daemonize, uses systemd unit file to start
- pre/post inst/rm scripts manage systemd unit, pam-auth-update, dbus
  configuration
- No init scripts
- Systemd unit file has some hardening
- No setuid files
- fprintd-delete fprintd-enroll fprintd-list fprintd-verify binaries in
  PATH
- No sudo fragments
- No udev rules
- Some tests but they don't appear to be run during the build
- Some surprising errors in build logs that don't appear to fail the build
  -- including Lintian run failure, make check appears to have failed too
  -- I suspect this package still needs work
- No subprocesses spawned
- Memory management is typical for glib / dbus code with type punning,
  "classes", etc. I believe I found several memory leaks but it's
  difficult to know since control flow isn't obvious.
- Filenames constructed with usernames; safety of the system relies upon
  usernames including /../ being forbidden, etc.
- No logging errors spotted
- PAM module and root-powers daemon, somewhat privileged as a result
- No environment variable use
- No networking
- No cryptography
- No sql
- No temporary files
- No WebKit
- Polkit integration, no errors spotted
- Clean cppcheck

_fprint_device_check_for_username() appears to leak client_username if
execution continues beyond _fprint_device_check_polkit_for_action()

file_storage_print_data_save() appears to leak buf if
g_mkdir_with_parents() fails

fprint_device_finalize() appears to clean up after only one of nine
probably-owned pieces of data

This codebase is similar to most dbus / glib code -- no obvious flow
through the program, type punning, layers of abstraction, etc. Individual
methods look fine but it's harder to get a feel for the overall program
layout. The possible memory leaks may represent real problems if they can
be triggered on-demand by users.

It's important to note that security team considers fingerprints to be
akin to usernames and not passwords. Any potential issues with this tool
will be treated with this threat model in mind.

At last check the security team does not have supported hardware. We will
rely upon the Desktop team to provide testing when updates are needed.

Security team ACK for promoting fprintd to main.

Thanks


** Changed in: fprintd (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
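
An added example, not fprintd's code and not part of the original thread, illustrating two points from the review above: validating a username before it becomes a path component, and releasing buffers on the directory-creation error path. The names `username_is_safe` and `save_print`, the `print` file name and the 255-byte limit are assumptions made for this sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* A name is safe as a single path component only if it cannot move the
 * result outside the storage root: no '/', and not "." or "..". */
int username_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) > 255)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return strchr(name, '/') == NULL;
}

/* Hypothetical save routine (not fprintd's). Returns 0 or -1. Every exit
 * passes through `out`, so nothing leaks when mkdir() or fopen() fails. */
int save_print(const char *root, const char *username,
               const void *data, size_t len)
{
    char *buf = NULL, *path = NULL;
    FILE *fp = NULL;
    size_t n;
    int ret = -1;
    if (root == NULL || data == NULL || !username_is_safe(username))
        goto out;
    buf = malloc(len ? len : 1);   /* stands in for the serialized print */
    n = strlen(root) + strlen(username) + sizeof("//print");
    path = malloc(n);
    if (buf == NULL || path == NULL)
        goto out;
    memcpy(buf, data, len);
    snprintf(path, n, "%s/%s", root, username);
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        goto out;                  /* the error path that must not leak */
    strcat(path, "/print");
    fp = fopen(path, "wb");
    if (fp == NULL || fwrite(buf, 1, len, fp) != len)
        goto out;
    ret = 0;
out:
    if (fp != NULL && fclose(fp) != 0)
        ret = -1;
    free(path);
    free(buf);
    return ret;
}
```

Building with `-fsanitize=address` and driving the failure branch (a root directory that does not exist) is a quick way to confirm that no allocation survives the early exit.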


[Bug 1745455] Re: [MIR] fprintd

2018-06-27 Thread Sebastien Bacher
** Changed in: fprintd (Ubuntu)
   Status: Fix Released => New

[Bug 1745455] Re: [MIR] fprintd

2018-06-25 Thread sapotacoin
** Changed in: fprintd (Ubuntu)
   Status: New => Fix Released

[Bug 1745455] Re: [MIR] fprintd

2018-06-18 Thread Treviño
Mh, I think it'd be the case to address this, to avoid allowing services
just implementing the interface. I'll look into this.

[Bug 1745455] Re: [MIR] fprintd

2018-06-14 Thread Seth Arnold
Are these lintian messages fatal?

Unpacking sbuild-build-depends-lintian-dummy (0.invalid.0) ...
Setting up sbuild-build-depends-lintian-dummy (0.invalid.0) ...
E: fprintd changes: bad-distribution-in-changes-file unstable
W: fprintd source: vcs-deprecated-in-debian-infrastructure vcs-git https://anonscm.debian.org/git/fingerforce/fprintd.git
W: fprintd source: vcs-deprecated-in-debian-infrastructure vcs-browser https://anonscm.debian.org/cgit/fingerforce/fprintd.git/
W: fprintd: dbus-policy-without-send-destination etc/dbus-1/system.d/net.reactivated.Fprint.conf

E: Lintian run failed (policy violation)


The bad-distribution line may be a result of this being an 'unstable' package, 
rather than an ubuntu package; anonscm lines may be Someone Else's Problem for 
a similar reason.

Is the dbus-policy-without-send-destination warning a real issue?

Thanks

[Bug 1745455] Re: [MIR] fprintd

2018-02-27 Thread Sebastien Bacher
** Changed in: fprintd (Ubuntu)
 Assignee: Canonical Security Team (canonical-security) => Ubuntu Security Team (ubuntu-security)

[Bug 1745455] Re: [MIR] fprintd

2018-02-26 Thread Treviño
Ah, and Seth... The tool has been the previous of the pam module, the
one inside fprintd is not the newest, but still quite stable and does
its job in my eyes (who have been through the code too).

[Bug 1745455] Re: [MIR] fprintd

2018-02-26 Thread Treviño
Seth, I've attached a debdiff to fix that, by changing the policykit
setting.

[Bug 1745455] Re: [MIR] fprintd

2018-02-12 Thread Seth Arnold
Could someone go through
https://bugs.launchpad.net/ubuntu/+source/fprintd/+bug/1532264 and
decide if this package is intended for this use case? It's been ages but
I think I had the impression this was a toy, not a tool.

Thanks

[Bug 1745455] Re: [MIR] fprintd

2018-02-12 Thread Didier Roche
Looks generally good, some small things I need to get some clarification
on:

[ required ]
- There is some lintian warning on the policy file:
  dbus-policy-without-send-destination (fprintd binary package). Maybe worth
  either:
  * Check for a fix with upstream
  * Override it in lintian with rationale
- Any suggestion on
  https://bugs.launchpad.net/ubuntu/+source/fprintd/+bug/1619329, which seems to
  touch multiple people and doesn't seem dealt with?

[ optional ]
- the package is using dh_install --fail-missing, which is good! It's
  deprecated though nowadays and should use dh_missing --fail-missing for
  listing missing files.

Otherwise, it looks good packaging and after a quick code scanning. I
would like a security review ofc, due to the sensitivity of it.

** Changed in: fprintd (Ubuntu)
 Assignee: (unassigned) => Canonical Security Team (canonical-security)
