I performed a cursory code review. Click is coded well and defensively and I am not concerned about its maintenance. There are a couple of interesting things to note:

* uses LD_PRELOAD to load /usr/lib/x86_64-linux-gnu/click/libclickpreload.so to override various libc functions, similar to fakeroot
* the model for dropping privileges is that click runs as root and drops for certain operations, such as when calling dpkg or running user hooks. This works fine, but it should be noted that some operations, such as opening the arfile and examining it or loading the manifest file, happen as root. Because this is python, a crafted click package would most likely have to exploit a python bug, but a useful hardening measure might be to perform input verification on these files as non-root
* _drop_privileges() is implemented slightly differently in three different places in the code, but coded correctly in each
* hooks.py _run_commands() uses shell=True. hooks.py reads in the hooks file in /usr/share/click/hooks using debian.deb822, and self["exec"] is set and executed unconditionally based on the contents of the hooks file. This is fine as implemented because you need privilege to modify files in /usr/share/click/hooks, but it should be noted in case non-system hooks are ever considered. Also, because of the click privilege model, if click could be subverted to perform a file write while running privileged, this provides a convenient way to turn that directly into code execution. A useful hardening measure might be to perform input sanitization for "Exec" in the manifest file.
No blockers. ACK from the security team.

https://bugs.launchpad.net/bugs/1208800
Title: [MIR] click
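To illustrate the hardening measure suggested for the hooks "Exec" handling, here is an added example (not code from the review above or from the click project): a hook file in the deb822 "Field: value" form is parsed, the Exec field is validated against an assumed program allowlist, and it is expanded into an argv list so that substituted values never reach a shell. The sample hook, the field names and the allowlist prefixes are constructed for illustration.

```python
import shlex
import subprocess
from string import Template
from typing import Dict, List

# Constructed sample hook file in deb822 "Field: value" form. The field names
# are assumed for illustration; this is not a real file from the click package.
SAMPLE_HOOK = """\
Pattern: ${home}/.local/share/applications/${id}.desktop
Exec: /usr/bin/update-desktop-database ${home}/.local/share/applications
"""

# Assumed allowlist of program prefixes. A real allowlist must also exclude
# interpreters such as /usr/bin/sh, which would reintroduce shell evaluation.
ALLOWED_PREFIXES = ("/usr/bin/", "/usr/lib/click/")


def parse_hook(text: str) -> Dict[str, str]:
    """Minimal stand-in for debian.deb822: lower-cased field names, one line each."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def build_hook_argv(fields: Dict[str, str], subs: Dict[str, str]) -> List[str]:
    """Validate the Exec field and expand it into an argv list for shell=False.

    Splitting happens before ${...} expansion, so a substituted value such as a
    home directory containing ';' or '&' stays inside one argument and is never
    interpreted by a shell. The program is also pinned to an allowed prefix.
    """
    exec_field = fields.get("exec", "")
    argv = shlex.split(exec_field)  # tokenises like a shell but evaluates nothing
    if not argv or not argv[0].startswith(ALLOWED_PREFIXES):
        raise ValueError(f"refusing Exec={exec_field!r}: program not in allowlist")
    return [Template(arg).safe_substitute(subs) for arg in argv]


def run_hook(fields: Dict[str, str], subs: Dict[str, str]) -> int:
    """Run the hook without a shell (contrast: subprocess.run(cmd, shell=True))."""
    argv = build_hook_argv(fields, subs)
    return subprocess.run(argv, check=False).returncode
```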
