I reviewed wireguard 1.0.20210914-1ubuntu2 as checked into jammy. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
wireguard is the user space component of the WireGuard VPN, an in-kernel VPN. The tools provided are for querying and configuring the state of the kernel portion of WireGuard.

- No directly applicable CVEs.
- No significant Build-Depends.
- pre/post inst/rm scripts deal with the wg-quick systemd unit
- The wg-quick systemd unit is not enabled by default; it is a templated oneshot service to make automatic connections on boot.
- No dbus services
- No setuid binaries
- wg and wg-quick are the binaries added to PATH
- No sudo fragments.
- No polkit files.
- No udev rules.
- tests:
  - No unit tests, a couple of build time tests of key generation
  - Some autopkgtests to test basic functionality, no real negative tests
  - it is good to see built-in fuzzing support.
- No cron jobs.
- Build logs are clean
- Processes spawned:
  - there are lots of wrapped calls to popen(); fortunately they are confined to contributed or android tools only, and not included in the wg binary.
- Memory management is performed okay.
- File IO is okay, primarily used from the command line to read and write keys and read configuration. Attempts to protect against writing world accessible keys.
- Logging is done through perror(), strerror(), and gai_strerror(), and is okay.
- Environment variable use is limited.
- No use of privileged functions on Linux
- Use of cryptography / random number sources:
  - uses getrandom()
  - curve25519 implementations are embedded code copies, implementations are good.
- No use of temp files in C code, wg-quick uses a static name for writing out a config file before moving it into place.
- networking for the userspace component looks to be limited to resolving ip addresses and talking via netlink to configure and query the kernel code, and looks okay.
- No use of WebKit.
- No use of PolicyKit.
- No cppcheck warnings.
- No Coverity results that weren't false positives.
- shellcheck on wg-quick was mostly clean:
  - line 338 uses the variable $i as a loop index in multiple nested loops; it appears to work correctly, but is mildly confusing to read.
  - quoting issues that are likely false positives

The wg-quick shell script feels like it is at that point of complexity where it might be worth re-implementing in a less error prone programming language than bash.

The /usr/share/docs/wireguard-tools/examples directory contains all of the stuff in contrib/ which is of varying quality, but doesn't really provide any example configurations.

Security team ACK for promoting wireguard to main.

--
https://bugs.launchpad.net/bugs/1950317
Title: [MIR] Wireguard
ubuntu-bugs mailing list
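Two of the file-handling points above (keys must not be written world accessible; wg-quick stages its config under a static name before moving it into place) come down to a couple of shell idioms. The following is an added illustration written for this page, not code from wireguard-tools or from the review: it shows a private-key write that is 0600 from creation regardless of the caller's umask, with a post-write check, and an atomic config save that stages through a mktemp(1) name instead of a fixed one. The function names, the `.tmp` suffix in the contrasting example, and the key material are assumptions for illustration; `stat -c` assumes GNU/Linux coreutils. It runs against a constructed scratch directory, not /etc/wireguard.

```bash
#!/bin/sh
# Added example, not from wireguard-tools. Illustrates the key-file and
# config-staging patterns discussed in the review; all names are hypothetical.

# write_private_key KEY DEST
# Creates DEST under umask 077 so it is 0600 from the first byte; a lax caller
# umask never opens a world-readable window. If DEST already existed with loose
# permissions, '>' keeps those permissions, so verify afterwards and refuse.
write_private_key() {
    key="$1"; dest="$2"
    ( umask 077; printf '%s\n' "$key" > "$dest" ) || return 1
    perms=$(stat -c '%a' "$dest") || return 1          # GNU stat, Linux assumed
    [ "$perms" = "600" ] || { echo "refusing: $dest is mode $perms" >&2; return 1; }
}

# save_config_atomic DEST   (config text on stdin)
# Stages in a mktemp-generated, unpredictable name in DEST's own directory
# (same filesystem, so the final mv is a rename(2) and readers see either the
# old file or the complete new one). Nothing is left behind on failure.
save_config_atomic() {
    dest="$1"
    dir=$(dirname "$dest"); base=$(basename "$dest")
    tmp=$(umask 077; mktemp "$dir/.$base.XXXXXX") || return 1   # created 0600
    if ! cat > "$tmp"; then rm -f "$tmp"; return 1; fi
    if ! mv -f "$tmp" "$dest"; then rm -f "$tmp"; return 1; fi
}

# save_config_static_name DEST   (config text on stdin)
# The pattern the review notes: a fixed staging name such as DEST.tmp. It is
# predictable, so anyone who can write the directory (or a leftover from an
# earlier crash) can be sitting at that path before we open it. Whether that
# matters depends on who can write the directory; /etc/wireguard is normally
# root-only, which is why the review lists it as an observation, not a finding.
save_config_static_name() {
    dest="$1"
    tmp="$dest.tmp"          # hypothetical fixed suffix, for contrast only
    cat > "$tmp" && mv -f "$tmp" "$dest"
}

# demo: exercise both safe helpers in a scratch directory with a deliberately
# permissive umask; prints "ok" on success. The key text is constructed.
demo() {
    umask 022
    workdir=$(mktemp -d) || return 1
    write_private_key "constructed-not-a-real-key" "$workdir/privatekey" || return 1
    printf '[Interface]\nPrivateKey = constructed-not-a-real-key\n' \
        | save_config_atomic "$workdir/wg0.conf" || return 1
    [ "$(stat -c '%a' "$workdir/wg0.conf")" = "600" ] || return 1
    # exactly the two expected files, no staging file left behind
    [ "$(ls -A "$workdir" | sort | tr '\n' ' ')" = "privatekey wg0.conf " ] || return 1
    rm -rf "$workdir"
    echo ok
}

demo
```

The staging name carries a leading dot and the target's basename so that a directory listing during the write is still recognisable; the important property is only that the name is unpredictable and the file is 0600 from creation. The `stat` check in `write_private_key` is the cheap guard against the truncate-keeps-old-mode case, which `umask` alone does not cover.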