I reviewed wsdd 2:0.8-2ubuntu3 as checked into oracular. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
wsdd is a deamon that enables samba hosts to be discoverable by Web Service
Discovery Clients like Windows. It also contains a client that enables to
discover Windows hosts.
- CVE History
- None
- Build-Depends
- debhelper (>= 13.11.8~bpo12+1)
- debhelper-compat (= 13)
- dh-apparmor
- python3-all (>= 3.11)
- dh-python
- python3-setuptools (>= 3.11)
- python3 (>= 3.11)
- build-essential
- fakeroot
- pre/post inst/rm scripts
- It has a few scripts. I didn't see anything out of normal.
- init scripts
- None
- systemd units
- /usr/lib/systemd/system/wsdd-server.service
This file will set DynamicUser=yes.
- dbus services
- None
- setuid binaries
- None
- binaries in PATH
- None
- sudo fragments
- None
- polkit files
- None
- udev rules
- None
- unit tests / autopkgtests
- They have a test folder. During build, the "regression" test are ran.
In my build I have:
Running 3 tests...
[1/3] 01_asyncio_changes_python310 -> run_tcp.sh... OK
[2/3] 01_asyncio_changes_python310 -> run_unix.sh... OK
[3/3] 02_non_existing_interface -> run.sh... OK
------------------------------------------
3 succeeded, 0 failed.
- cron jobs
- None
- Build logs
- None
- Processes spawned
- only to call multiple times platform.system().
- Memory management
- None
- File IO
- It will call urllib.request.urlopen with an url that must start with
https:// or http://.
- it will read /etc/machine-id and /etc/hostid in order to generate an
uuid.
- Logging
- It's using the python "{}".format() syntax to log messages into
logging.Logger. It's not logging sensitive data.
However, I think I spotted a bug: they are calling
logger.debug('invalid input utf8', e) which will cause an exception
since debug only takes one parameter.
- Environment variable usage
- None
- Use of privileged functions
- os.chroot(root)
they use this function to chroot into a separate directory to
prevent access to other directories of the system.
They also recommend considering running the process under a user,
and if you executed the software with the chroot option and you're
running as root they will throw a warning: "chrooted but running as
root, consider -u option"
- os.setgid(gid)
- os.setegid(gid)
- os.setuid(uid)
- os.seteuid(uid)
They call these functions based to switch to the specific user and
group. They take the uid from the output of
pwd.getpwnam(user).pw_uid and the gid from the output of
grp.getgrnam(group).gr_gid.
They are dropping privileges in the right order.
- Use of cryptography / random number sources etc
- it uses random.randint() twice to generate a random time to sleep.
They are sleeping in two times:
- to avoid packet storm when hosts come up by delaying initial probe.
- wating before sending a dataframe.
Both cases seems to be safe.
- Use of temp files
- None
- Use of networking
- W: line 257: they are binding a port to :: in an exception catching.
- W: line 284: they are binding a port to '' in an exception catching.
- Use of WebKit
- None
- Use of PolicyKit
- None
- Any significant cppcheck results
- None
- Any significant Coverity results
- W: line 257: they are binding a port to :: in an exception catching.
- W: line 284: they are binding a port to '' in an exception catching.
- Any significant shellcheck results
- None
- Any significant bandit results
- potential use of insecure xml parser library.
- Any significant govulncheck results
- None
- Any significant Semgrep results
- None
Upstream has been notified about the potential use of an insecure xml parser
and about the sockets binding to '' and ::. We are still waiting
for a reply on their end.
they are calling platform.linux() multiple times. This could be optimized by
saving the result into a variable.
This project has not set up a SECURITY.md.
Security team ACK for promoting wsdd to main.
** Changed in: wsdd (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2070025
Title:
[MIR] wsdd
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wsdd/+bug/2070025/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
