I reviewed wireguard 1.0.20210914-1ubuntu2 as checked into jammy.
This shouldn't be considered a full audit but rather a quick
gauge of maintainability.

wireguard is the user space component of the WireGuard VPN, an
in-kernel VPN. The tools provided are for querying and configuring
the state of the kernel portion of WireGuard.

- No directly applicable CVEs.
- No significant Build-Depends.
- pre/post inst/rm scripts deal with the wg-quick systemd unit
- The wg-quick systemd unit is not enabled by default; it is a
  templated oneshot service to make automatic connections on boot.
- No dbus services
- No setuid binaries
- wg and wg-quick are the binaries added in PATH
- No sudo fragments.
- No polkit files.
- No udev rules.
- tests:
  - No unit tests, a couple of build time tests of key generation
  - Some autopkgtests to test basic functionality, no real
    negative tests
  - it is good to see built-in fuzzing support.
- No cron jobs.
- Build logs are clean

- Processes spawned:
  - there are lots of wrapped calls to popen(); fortunately they
    are confined to contributed or android tools only, and not
    included in the wg binary.
- Memory management is performed okay.
- File IO is okay, primarily used from the command line to read
  and write keys and read configuration. Attempts to protect
  against writing world accessible keys.
- Logging is done through perror(), strerror(), and gai_strerror(),
  and is okay.
- Environment variable use is limited.
- No use of privileged functions on Linux
- Use of cryptography / random number sources:
  - uses getrandom()
  - curve25519 implementations are embedded code copies,
    implementations are good.
- No use of temp files in C code, wg-quick uses a static name
  for writing out a config file before moving it into place.
- networking for the userspace component looks to be limited to
  resolving ip addresses and talking via netlink to configure
  and query the kernel code, and looks okay.
- No use of WebKit.
- No use of PolicyKit.

- No cppcheck warnings.
- No Coverity results that weren't false positives.
- shellcheck on wg-quick was mostly clean:
  - line 338 uses the variable $i as a loop index in multiple nested
    loops; it appears to work correctly, but is mildly confusing
    to read.
  - quoting issues that are likely false positives

The wg-quick shell script feels like it is at that point of
complexity where it might be worth re-implementing in a less
error prone programming language than bash.

The /usr/share/docs/wireguard-tools/examples directory contains
all of the stuff in contrib/ which is of varying quality, but
doesn't really provide any example configurations.

Security team ACK for promoting wireguard to main.

https://bugs.launchpad.net/bugs/1950317

Title:
  [MIR] Wireguard
