Re-review for src:util-linux [Summary] The util-linux is a suite of essential Linux system maintenance utilities. It contains many basic utilities used for setting up partitions and basic system infrastructure on a Linux system. It is for expert users only.
This is a re-review of src:util-linux, which has always been in main. Since the CVE history is significant, I will request ubuntu-security requesting a "re-review". Notes: #0 Out of the 25 binary packages, 22 are in main. Binary packages currently not in main: bin:util-linux-extra, bin:libpam-lastlog2, bin:libpam-lastlog2 Required TODOs: None Recommended TODOs: #1 Consider resolving lintian warnings, most of them are related to man-pages. #2 Consider addressing the upstream compiler and linker warnings. [Rationale, Duplication and Ownership] OK: - There is no other package in main providing the same functionality. => This package is already in `main`. - A team is committed to own long term maintenance of this package. => Debcrafters packages [Dependencies] OK: - no other Dependencies to MIR due to this - src:util-linux checked with check-mir - all dependencies can be found in `seeded-in-ubuntu` (already in main) - none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main - no -dev/-debug/-doc packages that need exclusion - No dependencies in main that are only superficially tested requiring more tests now. [Embedded sources and static linking] OK: - no embedded source present - no static linking - not a go package, no extra constraints to consider in that regard - not a rust package, no extra constraints to consider in that regard - Does not include vendor-ed code Problems: none [Security] OK: - does not run a daemon as root => ldattach runs as current user/group, uuidd runs as uuidd/uuidd - does not use webkit1,2 - does not use lib*v8 directly - does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source. - does not expose any external endpoint (port/socket/... or similar) - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - binaries related to system authentication: su, sulogin, runuser, login - does not deal with security attestation - does not deal with cryptography (en-/decryption, certificates, signing, ...) => mcookie is only used to generate 128-bit Xauth tokens - this makes appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...) => These are core system utilities. However, some of them like umount, eject, swapon do seem to drop permissions for certain sub-tasks. Problems: - has a significant history of CVEs => https://security-tracker.debian.org/tracker/source-package/util-linux [Common blockers] OK: - does not FTBFS currently - does have a test suite that runs at build time - test suite fails will fail the build upon error. - does have a non-trivial test suite that runs as autopkgtest - This does not need special HW for build or test - no new python2 dependency - not a Python package - not a Go package [Packaging red flags] OK: - Ubuntu does carry a delta, but it is reasonable and maintenance under control - symbols tracking is in place. - debian/watch is present and looks ok - Upstream update history is good - Debian/Ubuntu update history is good - the latest upstream version (2.41) has been packaged - this package is already in main - no massive Lintian warnings - debian/rules is rather clean - It is not on the lto-disabled list Problems: - Lintian warnings W: util-linux source: dh-exec-script-without-dh-exec-features [debian/eject-udeb.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libblkid1-udeb.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libblkid1.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libfdisk-dev.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libfdisk1-udeb.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libfdisk1.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/liblastlog2-2.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libmount-dev.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libmount1-udeb.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libmount1.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libsmartcols-dev.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libsmartcols1-udeb.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libsmartcols1.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libuuid1-udeb.install] W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libuuid1.install] W: libblkid-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/libblkid.3.gz:1] W: liblastlog2-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/lastlog2.3.gz:1] W: liblastlog2-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/ll2_import_lastlog.3.gz:1] W: liblastlog2-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/ll2_read_all.3.gz:1] W: liblastlog2-dev: groff-message ... use "--tag-display-limit 0" to see all (or pipe to a file/program) W: login: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/fr/man1/login.1.gz:1] W: util-linux-locales: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/fr/man1/fallocate.1.gz:1] W: util-linux-locales: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/fr/man1/getopt.1.gz:1] W: util-linux-locales: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/fr/man1/ionice.1.gz:1] W: util-linux-locales: groff-message ... use "--tag-display-limit 0" to see all (or pipe to a file/program) W: uuid-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/uuid.3.gz:1] W: uuid-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/uuid_clear.3.gz:1] W: uuid-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/uuid_compare.3.gz:1] W: uuid-dev: groff-message ... use "--tag-display-limit 0" to see all (or pipe to a file/program) [Upstream red flags] OK: - no incautious use of malloc/sprintf => xmalloc() mostly used, all malloc() uses guarded with NULL checks => asprintf/xasprintf used instead of asprintf - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests) - no use of user 'nobody' outside of tests - use of setuid()/setgid() => these are core system utilities, setuid/setgid used to drop permissions, used in setpriv, mount etc. - This package has quite a few open bug reports. However, it is a core utilities package and upstream is very active. - no dependency on webkit, qtwebkit or libseed - translations present Problems: - Quite a few upstream build warnings (compiler and linker) login-utils/login.c:737:13: warning: ‘log_utmp’ defined but not used [-Wunused-function] 737 | static void log_utmp(struct login_context *cxt) | ^~~~~~~~ login-utils/login.c:601:13: warning: ‘log_btmp’ defined but not used [-Wunused-function] 601 | static void log_btmp(struct login_context *cxt) | ^~~~~~~~ login-utils/login.c:357:13: warning: ‘motd’ defined but not used [-Wunused-function] 357 | static void motd(void) disk-utils/fdisk-menu.c: In function 'geo_menu_cb': disk-utils/fdisk-menu.c:1071:23: warning: 'a' may be used uninitialized [-Wmaybe-uninitialized] 1071 | rc = fdisk_ask_number(cxt, i, fdisk_get_geom_heads(cxt), | ^ disk-utils/fdisk-menu.c:1069:33: note: 'a' was declared here 1069 | unsigned int i, a; | ^ disk-utils/fdisk-menu.c:1071:23: warning: 'i' may be used uninitialized [-Wmaybe-uninitialized] 1071 | rc = fdisk_ask_number(cxt, i, fdisk_get_geom_heads(cxt), | ^ disk-utils/fdisk-menu.c:1069:30: note: 'i' was declared here 1069 | unsigned int i, a; | ^ disk-utils/fdisk-menu.c:1077:23: warning: 'ma' may be used uninitialized [-Wmaybe-uninitialized] 1077 | rc = fdisk_ask_number(cxt, mi, fdisk_get_geom_sectors(cxt), | ^ disk-utils/fdisk-menu.c:1050:28: note: 'ma' was declared here 1050 | fdisk_sector_t mi, ma; | ^ disk-utils/fdisk-menu.c:1077:23: warning: 'mi' may be used uninitialized [-Wmaybe-uninitialized] 1077 | rc = fdisk_ask_number(cxt, mi, fdisk_get_geom_sectors(cxt), | ^ disk-utils/fdisk-menu.c:1050:24: note: 'mi' was declared here 1050 | fdisk_sector_t mi, ma; | ^ Linker warnings: usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(complete.o): in function `rl_username_completion_function': (.text+0x4dd1): warning: Using 'getpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking /usr/bin/ld: (.text+0x4dc8): warning: Using 'setpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking /usr/bin/ld: (.text+0x4e69): warning: Using 'endpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(tilde.o): in function `tilde_expand_word': (.text+0x165): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(shell.o): in function `sh_get_home_dir': (.text+0x169): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(complete.o): in function `rl_username_completion_function': (.text+0x4dd1): warning: Using 'getpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking /usr/bin/ld: (.text+0x4dc8): warning: Using 'setpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(shell.o): in function `sh_get_home_dir': (.text+0x19a): warning: Using 'endpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(tilde.o): in function `tilde_expand_word': (.text+0x165): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(shell.o): in function `sh_get_home_dir': (.text+0x169): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking ** Changed in: util-linux (Ubuntu) Assignee: Pushkar Kulkarni (pushkarnk) => Ubuntu Security Team (ubuntu-security) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu. https://bugs.launchpad.net/bugs/2113961 Title: [MIR] util-linux Status in util-linux package in Ubuntu: New Bug description: [Availability] The package src:util-linux is already in Ubuntu main. The package src:util-linux build for the architectures it is designed to work on. It currently builds and works for architectures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x Link to package https://launchpad.net/ubuntu/+source/util-linux [Rationale] See previous rational below for what actually sparked this MIR. Now that `bin:liblastlog2-2` has been promoted and everything is unblocked, the rationale becomes as simple as an ask for a re-review for one of the `Essential` packages, shipping, among other things, a few `suid` binaries in absolutely every form Ubuntu can take. https://canonical-ubuntu-project.readthedocs-hosted.com/MIR/mir-rereview/#opt-in-re-review Original rationale: Okay, it seems the MIR template doesn't apply well for this use-case, because it more or less assumes that the MIR is about a source package that is currently in universe. In the current situation, only an existing binary package needs to be promoted, from a source package already in main. I'll do my best to adapt the template and provide a good rational. - bin:liblastlog2-2 is provided by src:util-linux, and was already there in plucky/universe. - The package src:util-linux is generally useful for a large part of our user base: it provides the bin:util-linux package, that is even flagged as `Essential: yes`. This is the package providing, among many other things, the `su`, `fsck`, `flock`, or `mkswap` binaries, all mostly essential to any system (random selection of important commands to give a quick example). - The package bin:liblastlog2-2 is a new runtime dependency of package bin:util-linux that we already support. - The binary packages liblastlog2-2 needs to be in main to have the latest merge of util-linux migrate from questing-proposed to questing. - All other binary packages currently in universe built by src:util-linux should remain in universe. - The package bin:liblastlog2-2 is required in Ubuntu main no later than somewhere in July due to some partners requiring patches to be SRU'd to Noble, and thus needing the package to migrate from -proposed (even though it's not a hard block from the SRU team, according to what I've red on Matrix recently). [Security] - Obviously, util-linux has had some security issues in the past (although not that much): - https://ubuntu.com/security/cves?package=util-linux - https://security-tracker.debian.org/tracker/source-package/util-linux - Those issues seems to be handled correctly in both Ubuntu and Debian: - https://ubuntu.com/security/CVE-2024-28085 - https://security-tracker.debian.org/tracker/CVE-2024-28085 - https://security-tracker.debian.org/tracker/CVE-2021-37600 - There are countless binaries in sbin, but I'm fairly confident taking them out is a big plan of its own to still have a working system. - There are just a couple systemd units: - fstrim.{service,timer}: Discard unused filesystem blocks once a week - lastlog2-import.service: Import lastlog data into lastlog2 database - run only once in some particular situations to handle a data migration - About common isolation/risk-mitigation: - I'm not sure anything in util-linux is opening privileged ports. - I know some binaries are dropping privileges. - Going much further on that topic would be a full audit, for which I unfortunately don't really have time and competency for. I hope that's okay. - Packages does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...) [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/util-linux/+bugs?orderby=-importance&start=0 - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=util-linux - Upstream https://github.com/util-linux/util-linux/issues - Obviously this package has tons of bugs opened, but at the same time, it has a lot of activity, and is well maintained upstream, in Debian, and in Ubuntu, just because of its central position in any Linux system. - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] - The package runs a test suite on build time, if it fails it makes the build fail, link to build log TBD - The package runs an autopkgtest, and is currently passing on all architectures but i386: https://autopkgtest.ubuntu.com/packages/util-linux - The package does have not failing autopkgtests right now [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - This package does not yield massive lintian Warnings, Errors - Recent build: https://launchpad.net/ubuntu/+source/util-linux/2.41-4ubuntu2/+build/30908305 - Lintian overrides are present, but ok because most are well commented, and the rest is pretty obvious, like highly privileged binaries. - This package does not rely on obsolete or about to be demoted packages. - The package will be installed by default, but does not ask debconf questions higher than medium - Packaging is quite complex, but I'm not sure how much of a choice we have. Good thing is that this package is equally important in Debian, so it will very likely keep being maintained. [UI standards] - Application is end-user facing, Translation is present, via standard intltool/gettext. See `configure` for `libintl` and `gettext`. - End-user applications without desktop file, not needed because it only ships CLI tools. [Dependencies] - No further depends or recommends dependencies that are not yet in main [Standards compliance] - This package correctly follows FHS and Debian Policy. [Maintenance/Owner] - The owning team will be debcrafters-packages and I have their acknowledgement for that commitment - The future owning team is already subscribed to the package. - This does not use static builds. - This does not use vendored code - This package is not rust based - The package has been built within the last 3 months in the archive - Build link on launchpad: https://launchpad.net/ubuntu/+source/util-linux/2.41-4ubuntu2 [Background information] The Package description explains the package well Upstream Name is `util-linux` Link to upstream project: https://github.com/util-linux/util-linux/ This package has been in main since the very early beginning of Ubuntu, so never got the chance to get a proper MIR. This was sparked when the `bin:util-linux` has started to depend on `bin:liblastlog2-2`, which was in Universe. `liblastlog2-2` was nicely handled by @paelzer under the "Renamed or re-organized sources" condition. This MIR still makes sense to me, given that `util-linux` provides many very important binaries, among which many of them are `suid`, and is one the `Essential` packages shipped in absolutely every form Ubuntu can take. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2113961/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
