I reviewed gamemode 1.5-1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
gamemode tries to improve the Linux gaming experience by switching to more reliable CPU governors, rescheduling processes, changing io priorities, inhibiting screensaver, etc. - CVE History: - No CVEs; upstream responded to an issue I filed very quickly - Build-Depends: debhelper-compat, git, libdbus-1-dev, libinih-dev, libinih1, libsystemd-dev, meson, ninja-build, pkg-config, systemd - pre/post inst/rm scripts automatically generated - no init scripts - systemd unit starts gamemode daemon when the dbus binding is needed - dbus unit starts gamemode daemon when the dbus binding is needed - no setuid binaries - binaries gamemoded and gamemoderun - no sudo fragments - polkit file: allows active users to run cpugovctl and gpuclockctl - no udev rules - tests are not run during build, probably they do not belong on the build; unknown if they work well enough for autopkgtest, but they look promising. - no cron jobs - Build logs: W: gamemode source: debhelper-compat-file-is-missing W: gamemode source: package-uses-deprecated-debhelper-compat-version 1 E: gamemode source: package-uses-debhelper-but-lacks-build-depends E: gamemode source: missing-build-dependency debhelper W: gamemode source: newer-standards-version 4.5.0 (current is 4.1.4) Probably the last warning can be ignored. - Processes spawned safely - Memory management looks simple, sane - File IO paths and contents looked safe enough; some assumptions were made about how much data the kernel ABI files will return but these are probably safe assumptions to make. - Logging looked safe - Environment variables looked safe - No privileged functions, but some privileged kernel operations - No cryptography - No temp files - Networking only via dbus - No use of webkit - Provides a polkit backend - cppcheck only one false positive - SEE cppcheck.txt - many coverity false positives, a few legit findings of small value - no shellcheck results in shipped code The issue I filed was responded to very quickly: https://github.com/FeralInteractive/gamemode/issues/203 And the handful of issues that looked real from Coverity: game_mode_resolve_wine_preloader() proc_fd = INVALID_PROCFD causes a game_mode_close_proc(-1) call. get_gov_state() the ftell(3) call could return -1, which would give a bad contents VLA and bad input to fread(3). daemonize() if the open("/dev/null") calls fail, dup2(2) and close(2) are given bad inputs Honestly these are all pretty low impact. I filed https://github.com/FeralInteractive/gamemode/issues/206 for these issues. Security team ACK for promoting gamemode to main. Thanks ** Bug watch added: github.com/FeralInteractive/gamemode/issues #203 https://github.com/FeralInteractive/gamemode/issues/203 ** Bug watch added: github.com/FeralInteractive/gamemode/issues #206 https://github.com/FeralInteractive/gamemode/issues/206 ** Changed in: gamemode (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1853830 Title: [MIR] gamemode To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gamemode/+bug/1853830/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
