I reviewed intel-microcode version 2.20140913.1ubuntu2 as checked into
vivid. This should not be considered a full security audit but rather a
quick gauge of maintainability.

- intel-microcode provides scripts to load microcode during early boot and
  intel-supplied microcode
- Build-Depends: debhelper, iucode-tool
- No cryptography
- No networking
- Does not daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuid
- No binaries
- No sudo fragments
- No udev rules
- No test suite, unsurprisingly
- No cronjobs
- Clean build logs

- Subprocesses are spawned extensively, shell scripts; nearly all looked
  safe
- No memory management
- Files written to are controlled by platform, e.g.
  /sys/devices/system/cpu/cpu*/microcode/reload and
  /sys/devices/system/cpu/microcode/reload
- No environment variables
- No cryptography
- No networking
- No privileged portions of code
- The only temporary file handling is in a maintainer-only script
  debian/diff-latest-pack.sh -- it has predictable /tmp/ names; not a big
  deal if the packager using this tool is aware of the limitation.
- No WebKit
- No PolicyKit
- No JavaScript
- slight problem with static analysis, line 92 of debian/initramfs.hook is
  probably a bug.

Here are the two issues I found with this package; the first is unlikely to
be a real problem in actual service and the second hasn't actually caused
problems despite being in deployed use -- but it's probably a bug all the
same:

debian/diff-latest-pack.sh -- it has predictable /tmp/ names; not a big
deal if the packager using this tool is aware of the limitation.
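
As an added illustration (not part of the reviewer's report and not code from
the intel-microcode packaging), the usual remedy for fixed /tmp/ names is
mktemp(1): it creates a fresh, owner-only directory with an unguessable name,
so no path is reserved in advance for another local user to pre-create. The
function names and the diff-latest-pack.XXXXXXXX template prefix below are
assumptions; the script's real file names are not reproduced here.

```shell
#!/bin/sh
# Added example, not from debian/diff-latest-pack.sh: scratch space without
# predictable /tmp/ names. A fixed path such as /tmp/<name> can be created
# ahead of time (as a file or symlink) by any local user, redirecting what the
# script later writes. mktemp -d picks a random name and creates the
# directory mode 0700 in one step, so there is nothing to pre-create.

# Create a private working directory; honours $TMPDIR like mktemp itself.
# The "diff-latest-pack" prefix is an assumed name for this example.
make_workdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/diff-latest-pack.XXXXXXXX") || return 1
    printf '%s\n' "$dir"
}

# Report the permission string of a path ("drwx------" style) so a caller
# can confirm the directory really is owner-only.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Typical use: do the work inside the directory and remove it on exit or
# interrupt, so nothing is left behind in /tmp even when the script fails.
run_in_workdir() {
    work=$(make_workdir) || return 1
    trap 'rm -rf "$work"' EXIT INT TERM HUP
    # ... unpack and diff the microcode bundles inside "$work" here ...
    printf 'working in %s\n' "$work"
}
```

Each call to make_workdir yields a different path, and the EXIT trap in
run_in_workdir cleans up whether the script finishes normally or is
interrupted.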

Line 92 of debian/initramfs.hook is probably a bug:
if $(dpkg --compare-versions 3.9 le ${version}) ; then

Please fix at the earliest convenience.

Security team ACK for migrating to restricted or main as appropriate.


** Changed in: intel-microcode (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)

** Changed in: iucode-tool (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1388889

Title:
  [MIR] intel-microcode & iucode-tool (multiverse -> restricted)

To manage notifications about this bug go to:
https://bugs.launchpad.net/intel/+bug/1388889/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
