I reviewed sshfs-fuse version 2.10+repack-2 as checked into disco. This should
not be considered a full security audit, but rather a quick gauge of
maintainability.
- sshfs is a fuse file system that allows you to mount a remote filesystem using
SFTP.
- There are no prior CVEs against sshfs.
- sshfs daemonizes by calling fuse_daemonize()
- Build Depends: debhelper, libglib2.0-dev, libfuse-dev, pkg-config, meson,
python3, python3-pytest
- no initscripts
- no dbus services
- no setuid files
- no sudo fragments
- no udev rules
- There is a test suite; it is not run during the build. I recommend some
autopkg tests be written that run the test suite.
While the test suite omits a few important file system functions, it is
reasonably complete.
- no cronjobs
- Logging functions are careful when using fprintf
- The code was generally defensive and took proactive steps to avoid security
vulnerabilities.
- Memory management is careful; allocated memory is quickly freed when it is
no longer needed. Bounds are checked before allocating or copying memory.
- Leverages SSH for cryptographic needs
- The project seems well maintained. Point releases or minor versions are
released every few months. There are many years between major version upgrades,
indicating that backporting fixes may be feasible over the life of an Ubuntu
LTS release.
- Hardening flags were enabled at compile time
- 2.10 is the latest on the 2.x branch (Aug 2017); however, 3.5.1 is the latest
release. I recommend we update to the latest version.
- A few warnings were issued during build. An issue has been submitted to the
upstream developers on github.com regarding the warning in sshfs.c.
    meson.build:42: WARNING: The variable(s) 'UNMOUNT_COMMAND' in the input
    file 'sshfs.1.in' are not present in the given configuration data.
    WARNING: Project targetting '>= 0.38' but tried to use feature introduced
    in '0.40.0': build_by_default arg in custom_target
    WARNING: Project specifies a minimum meson_version '>= 0.38' but uses
    features which were added in newer versions:
    ../sshfs.c:1385:44: warning: cast between incompatible function types from
    ‘int (*)(void *, struct request *)’ to ‘gboolean (*)(void *, void *, void *)’
    {aka ‘int (*)(void *, void *, void *)’} [-Wcast-function-type]
- The sshfs.randseed variable is initialized using time(0). An attacker could
potentially guess the random seed based on the time that the sshfs process
was started and therefore create files in /tmp/ that would lead to a
DoS. The risk and impact of this is very low.
- does not use WebKit
- does not use PolicyKit
- does not use JavaScript
Security team ACK for promoting sshfs-fuse to main.
** Changed in: sshfs-fuse (Ubuntu)
Assignee: Mike Salvatore (mikesalvatore) => (unassigned)
https://bugs.launchpad.net/bugs/1783317
Title:
[MIR] sshfs-fuse
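
The time(0) seeding concern noted in the review above, as an added C example that is not part of the original message or of sshfs's code: it counts how many distinct name suffixes several processes started in the same second derive from a time seed, compared with suffixes read from /dev/urandom. The helper names, the suffix length and the use of srand()/rand() are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define SUFFIX_LEN 16 /* hex characters per suffix (constructed value) */
static const char HEX[] = "0123456789abcdef";
/* Weak: the suffix is a pure function of the seed (here, a start second). */
static int suffix_from_seed(unsigned int seed, char *out) {
    srand(seed);
    for (int i = 0; i < SUFFIX_LEN; i++)
        out[i] = HEX[rand() % 16];
    out[SUFFIX_LEN] = '\0';
    return 0;
}
/* Hardened: the suffix comes from the kernel CSPRNG. Returns 0 on success. */
static int suffix_from_urandom(char *out) {
    unsigned char buf[SUFFIX_LEN];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(buf, 1, sizeof buf, f) : 0;
    if (f)
        fclose(f);
    if (got != sizeof buf)
        return -1;
    for (int i = 0; i < SUFFIX_LEN; i++)
        out[i] = HEX[buf[i] % 16];
    out[SUFFIX_LEN] = '\0';
    return 0;
}
/* Count distinct suffixes over n (max 32) simulated starts; -1 on CSPRNG error. */
static int distinct_suffixes(int use_urandom, unsigned int start_second, int n) {
    char seen[32][SUFFIX_LEN + 1], s[SUFFIX_LEN + 1];
    int count = 0, j;
    for (int i = 0; i < n && i < 32; i++) {
        if ((use_urandom ? suffix_from_urandom(s) : suffix_from_seed(start_second, s)) != 0)
            return -1;
        for (j = 0; j < count && strcmp(seen[j], s) != 0; j++) {}
        if (j == count)
            strcpy(seen[count++], s);
    }
    return count;
}

int main(void) {
    printf("time(0) seed: %d distinct of 8\n", distinct_suffixes(0, (unsigned int)time(0), 8));
    printf("urandom:      %d distinct of 8\n", distinct_suffixes(1, 0, 8));
    return 0;
}
```

For files created in a shared directory such as /tmp, mkstemp() additionally creates the file atomically with O_EXCL, so a pre-existing name fails the call instead of being reused.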