I reviewed exfatprogs 1.2.6-1 as checked into plucky and 1.2.5-2 as checked
into oracular. This shouldn't be considered a full audit but rather a
quick gauge of maintainability. The plucky version was mainly considered for
this review, but it is also valid for oracular, as the two are
pretty much similar and the differences are not concerning.

exfatprogs is a set of utilities to be used with the exFAT file system. It is
claimed to be the only existing userspace utility for exFAT, and it is
maintained by the same maintainers as the file system in the Linux kernel.
- CVE History
  - It has one CVE reported and fixed, CVE-2023-45897. This CVE is somewhat
    similar to the issue found in the exFAT Linux kernel driver
    (CVE-2023-4273). It is an out-of-bounds write while accessing directory
    entries of an image.
- Build-Depends
  - linux-vdso.so and libc.so, not concerning
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - The utilities are installed in /usr/sbin:
      -rwxr-xr-x root/root 18960 2024-11-20 06:12 ./usr/sbin/dump.exfat
      -rwxr-xr-x root/root 35344 2024-11-20 06:12 ./usr/sbin/exfat2img
      -rwxr-xr-x root/root 27184 2024-11-20 06:12 ./usr/sbin/exfatlabel
      -rwxr-xr-x root/root 64832 2024-11-20 06:12 ./usr/sbin/fsck.exfat
      -rwxr-xr-x root/root 31192 2024-11-20 06:12 ./usr/sbin/mkfs.exfat
      -rwxr-xr-x root/root 39664 2024-11-20 06:12 ./usr/sbin/tune.exfat
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - There are tests but only for fsck (which checks the consistency of an
    exFAT filesystem), so it basically checks the test images for bad and
    good cases. The tests are executed during build time and also in the
    autopkgtests. If the tests fail during the build, the build is stopped.
    There are no tests for the other utilities.
- cron jobs
  - None
- Build logs
  - There are a few warnings about variables that "may be used
    uninitialized", but they are all initialized with
    exfat_de_iter_get(), which the compiler does not get. Not an issue.
- Processes spawned
  - None
- Memory management
  - Many allocation calls (malloc and calloc) and also copies with memcpy.
    The allocations all check the result and handle errors just fine
    (deallocating things if needed). I didn't track whether every copy fits
    the destination buffer, but the ones I checked are fine.
- File IO
  - Seems fine. There isn't really any content sanitization, but I don't
    think it is concerning given how it is used.
- Logging
  - Printing is wrapped around exfat_msg with care. Nothing concerning.
- Environment variable usage
  - None
- Use of privileged functions
  - Only found usage of ioctl to fetch block sizes, nothing concerning.
- Use of cryptography / random number sources etc
  - None
- Use of temp files
  - None
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- Any significant cppcheck results
  - None
- Any significant Coverity results
  - Not Available
- Any significant shellcheck results
  - Mainly on build scripts, and I don't spot anything concerning.
- Any significant bandit results
  - None
- Any significant govulncheck results
  - None
- Any significant Semgrep results
  - Nothing concerning
The maintainers seem interested in fuzzing, as per
https://github.com/exfatprogs/exfatprogs/issues/274 (already provided
here). And as they are the same maintainers as the file system in the Linux
kernel, I feel confident that both the file system and the utilities are
aligned.

Security team ACK for promoting exfatprogs to main.
** Changed in: exfatprogs (Ubuntu)
Status: New => In Progress
** Changed in: exfatprogs (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4273
https://bugs.launchpad.net/bugs/2073783
Title:
[MIR] exfatprogs