I reviewed spice-vdagent 0.17.0-1ubuntu1 as checked into zesty. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
spice-vdagent provides some services between virtual machine host and guests to make the experience less jarring. One CVE is in our database for the Windows client.

- Build-Depends: debhelper, pkg-config, dh-systemd, libspice-protocol-dev, libdbus-1-dev, libx11-dev, libxrandr-dev, libxfixes-dev, desktop-file-utils, libxinerama-dev, libpciaccess-dev, autoconf, automake, libglib2.0-dev, systemd, libsystemd-dev, libasound2-dev
- Provides a client and server; both daemonize
- pre/post inst/rm scripts automatically generated
- spice-vdagent init script starts the guest daemon, modprobes uinput
- spice-vdagentd and spice-vdagent systemd service files start their daemons
- no dbus services
- No setuid or setgid files
- Two executables in PATH: /usr/bin/spice-vdagent and /usr/sbin/spice-vdagentd
- No sudo fragments
- One udev rule for virtio-ports
- No test suite
- No cron
- Clean build logs
- Subprocesses spawned using system(), unsafe construction, reported upstream
- Memory management looked good enough; some cases of malloc(a*b) but 'b' was often 4, 8, maybe 16, and 'a' calculated from data on the wire in a fashion that looked difficult to really abuse.
- File IO looked safe except for uses of system()
- Logging looked safe
- No environment variable use
- chmod(socket, 0666) looked out of place
- other privileged ioctl() calls looked fine
- No cryptography
- Does networking; a quick skim looked like all Unix Domain Sockets
- I didn't see privileged portions of the code
- No tmp files
- No WebKit
- No PolicyKit
- Clean cppcheck

Here are some notes I collected while reviewing spice-vdagent:

- vdagent_file_xfers_data() does not escape xfers->save_dir before giving it to the shell (CVE-2017-15108 was assigned for this issue)
- vdagent_file_xfers_data() does not check snprintf() return code; a too-long xfers->save_dir could cause the & or ' or any number of other characters to go missing.
- daemonize() from ./src/vdagentd.c only forks once
- daemonize() from ./src/vdagent.c only forks once
- why does main() in ./src/vdagentd.c set vdagentd_socket to 0666?

This symlink looks out of place:
/usr/share/gdm/greeter/autostart/spice-vdagent.desktop -> /etc/xdg/autostart/spice-vdagent.desktop

Please make sure https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61 is included in our package before promoting the package.

Security team ACK for promoting spice-vdagent to main.

Thanks

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15108

** Changed in: spice-vdagent (Ubuntu)
       Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
https://bugs.launchpad.net/bugs/1200296

Title:
  [MIR] spice-vdagent

Status in spice-vdagent package in Ubuntu:
  Confirmed
Status in ubuntu-meta package in Ubuntu:
  Confirmed

Bug description:
  Availability
  ============
  Built for all supported architectures.

  In sync with Debian except for one cherry-picked patch to hide spice-vdagent from Startup Applications.

  Rationale
  =========
  "spice-vdagent adds some nice features to guest systems running over SPICE: copy and paste between guest and host, arbitrary resolution support, ... It's also very tiny (40kB compressed, less than 200kB installed) and won't startup when not running in a SPICE guest. Shipping it on the desktop ISOs will improve the user experience when using SPICE (eg in GNOME Boxes), and will have no impact on other use cases, so it would be really nice to add this package to the ISO."

  Ubuntu GNOME 16.10 and 17.04 included it in the default install.

  Security
  ========
  No known open security vulnerabilities.
  https://rhn.redhat.com/errata/RHSA-2013-0924.html (CVE-2013-2152)

  Quality assurance
  =================
  Bug subscriber: Ubuntu Desktop Bugs
  https://bugs.launchpad.net/ubuntu/+source/spice-vdagent
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=spice-vdagent
  https://bugs.freedesktop.org/buglist.cgi?bug_status=__open__&component=unix agent&product=Spice

  No tests.

  Dependencies
  ============
  check-mir reports all other binary dependencies are in main

  Standards compliance
  ====================
  3.9.8

  Maintenance
  ===========
  - Actively developed upstream
    https://cgit.freedesktop.org/spice/linux/vd_agent/log/
    https://anonscm.debian.org/git/collab-maint/spice-vdagent.git
  - Maintained in Debian by the same Debian Developer who maintains the other Spice packages.

  short dh7 style rules, dh compat 10

  Background information
  ======================
  N/A
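The two defects the review notes in vdagent_file_xfers_data() (an attacker-influenced save_dir interpolated into a shell command, and an snprintf() return value that is never checked, so truncation can silently drop the closing quote or the trailing &) are shown below as an added C example. This is not spice-vdagent's code: the command string ("xdg-open '%s' &"), the function names build_cmd_unsafe, build_cmd_checked, shell_quote and run_no_shell, and the sample save_dir values are all hypothetical, chosen only to illustrate the pattern and the fix.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Unsafe pattern (hypothetical command, not the real program's string):
 * save_dir goes straight into a shell command line and the snprintf()
 * result is ignored, so the caller never learns that cmd was truncated. */
int build_cmd_unsafe(const char *save_dir, char *cmd, size_t cmdlen)
{
    snprintf(cmd, cmdlen, "xdg-open '%s' &", save_dir);
    return 0;                        /* "success" even if cmd was cut short */
}

/* Same command line, but truncation is detected: snprintf() returns the
 * length the complete output would have had, so n >= cmdlen means bytes
 * (possibly the closing quote or the &) were dropped. Injection via
 * quote characters in save_dir is still possible; only truncation is caught. */
int build_cmd_checked(const char *save_dir, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "xdg-open '%s' &", save_dir);
    if (n < 0 || (size_t)n >= cmdlen)
        return -1;
    return 0;
}

/* Quote s for POSIX sh: wrap in single quotes and rewrite each embedded
 * ' as '\''. Returns the output length, or -1 if out is too small.
 * Only needed when a shell genuinely has to be involved. */
int shell_quote(const char *s, char *out, size_t outlen)
{
    size_t o = 0;
    if (o + 1 >= outlen) return -1;
    out[o++] = '\'';
    for (; *s; s++) {
        const char *rep = (*s == '\'') ? "'\\''" : NULL;
        size_t need = rep ? strlen(rep) : 1;
        if (o + need >= outlen) return -1;
        if (rep) { memcpy(out + o, rep, need); o += need; }
        else out[o++] = *s;
    }
    if (o + 1 >= outlen) return -1;
    out[o++] = '\'';
    out[o] = '\0';
    return (int)o;
}

/* Preferred fix: no shell at all. argv is executed directly, so save_dir is
 * one argument and no byte in it is special. Returns the child's exit
 * status, -1 if fork()/waitpid() fails; a failed exec shows up as 127. */
int run_no_shell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[64];
    char evil[] = "/tmp/x'; id; '";          /* constructed attacker-chosen save_dir */
    build_cmd_unsafe(evil, cmd, sizeof cmd);
    printf("unsafe : %s\n", cmd);            /* a shell would run 'id' here */

    char longdir[200];                       /* constructed over-long save_dir */
    memset(longdir, 'A', sizeof longdir - 1);
    longdir[sizeof longdir - 1] = '\0';
    build_cmd_unsafe(longdir, cmd, sizeof cmd);
    printf("unsafe : %s   <- closing quote and & are gone\n", cmd);
    printf("checked: %s\n",
           build_cmd_checked(longdir, cmd, sizeof cmd) ? "refused (would truncate)" : cmd);

    char q[64];
    shell_quote(evil, q, sizeof q);
    printf("quoted : %s\n", q);

    char *argv[] = { "/nonexistent/viewer", evil, NULL };
    printf("no-shell exit status: %d\n", run_no_shell(argv));
    return 0;
}
```

The checked snprintf() only closes the truncation hole; the shell-metacharacter hole is closed either by quoting every interpolated value (shell_quote) or, better, by dropping the shell and passing the path as its own argv element, which is the shape of fix to look for in the upstream commit referenced above.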

