I reviewed tracker-miners 3.8.2-4 as checked into plucky. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
tracker-miners was previously reviewed in version 2.0.4-2, and therefore
this is a re-review of the package. The package will also be renamed to
"localsearch" in the future.

localsearch is a crawler and indexer of user documents and other files on
a system, storing them for future consumption by other applications (such
as nautilus).

- CVE History
  - The package was vulnerable to 1 CVE in the past.
    - This CVE was categorized as a system hardening measure bypass, in
      which the security sandboxing environment of tracker-extract could be
      bypassed, and therefore would be an issue if a second vulnerability
      were to be discovered. The package has since been updated with the
      security fix. (CVE-2023-5557)
- Build-Depends
  - debhelper-compat, dh-sequence-gnome, gir1.2-glib-2.0, meson, pkgconf,
    libglib2.0-dev, libgirepository-1.0-dev, libgstreamer1.0-dev,
    libgstreamer-plugins-base1.0-dev, libgudev-1.0-dev, libstemmer-dev,
    libtinysparql-dev, libtracker-sparql-3.0-dev, libpoppler-glib-dev,
    libgsf-1-dev, libexif-dev, libgexiv2-dev, libnm-dev, libpng-dev,
    libtiff-dev, libdbus-1-dev, libtotem-plparser-dev, libexempi-dev,
    libxml2-dev, libupower-glib-dev, libicu-dev, libiptcdata0-dev,
    tinysparql, libgif-dev, libgxps-dev, libosinfo-1.0-dev, libcue-dev,
    libseccomp-dev, asciidoc-base, xsltproc, docbook-xsl, dbus, dbus-x11,
    gstreamer1.0-libav, gstreamer1.0-plugins-good, gstreamer1.0-tools,
    procps, python3-gi, python3-tap, shared-mime-info, systemd-dev.
    - There are multiple build dependencies that are currently in universe.
      - python3-tap and libgxps-dev are among the examples of these that
        are listed in debian/control. Quite a few more could be identified
        from the build logs. While some of them seem doc related, it is not
        clear whether all of these are only doc/testing related.
- pre/post inst/rm scripts
  - Contains a postinst script which applies a sysctl configuration file.
    Afterwards, a systemd service is added by dh_installsystemduser.
    - The sysctl file seems to increase fs.inotify.max_user_watches, which
      is fine for a file crawler and indexer.
    - The systemd services look normal to me.
  - The other preinst/prerm/postrm scripts seem to have been added by
    dh_installdeb.
- init scripts
  - None
- systemd units
  - Some user services
    - The program itself runs in the background to index files on the
      system. The services themselves look fine.
- dbus services
  - Some session services
    - These seem fine. There are some services generated with the old
      tracker3 name that get mapped to localsearch.
- setuid binaries
  - None
- binaries in PATH
  - None
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - None
- cron jobs
  - None
- Build logs
  - Some of the build logs were concerning.
    - Two warnings about seccomp and landlock being disabled.
      - The libseccomp dependency is being pulled, but both seccomp and
        landlock are explicitly disabled in debian/rules. Enabling these
        causes a build-time test to fail. It is important to have these
        enabled as the application does parse files which could come from
        untrusted sources, including automatic parsing upon a new file
        appearing (as an example, a user downloading a file from a browser
        which would immediately get parsed by localsearch).
    - A few deprecation warnings and version warnings.
    - These were already mentioned in the launchpad comment above (#3).

- Processes spawned
  - Seem to be normal and handled properly. Uses threads.
- Memory management
  - The code seems to utilize glib functions throughout, and they seem to
    provide better checks than their normal counterparts. The code also
    utilizes reference counting in some instances from glib. The memory
    management seems fine.
- File IO
  - File IO looks normal. Glib functions are also utilized here throughout
    and the errors seem to be handled properly.
- Logging
  - Logging seems normal. Many debug logs.
- Environment variable usage
  - Environment variable handling seems fine. The application ensures that
    the environment variables are proper. Mostly uses application specific
    environment variables.
    - While perhaps these environment variables could be manipulated in
      some way or another to have the application behave unexpectedly, it
      is important to note that the application should be securely confined
      and not run with elevated privileges from the beginning, to minimize
      the impact as much as possible.
- Use of privileged functions
  - Seems normal
- Use of cryptography / random number sources etc
  - None
- Use of temp files
  - None
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None

- Any significant cppcheck results
  - No significant issues
- Any significant Coverity results
  - Several coverity issues were identified. While some of them are true
    positives, upstream does perform coverity scanning, and has already
    fixed many issues that were identified. However, those fixes are not
    currently present on plucky, which is something to note. Others were
    mostly test file issues.
    - The PRs that fix the coverity defects are the following:
      - https://gitlab.gnome.org/GNOME/localsearch/-/merge_requests/592
      - https://gitlab.gnome.org/GNOME/localsearch/-/merge_requests/596
    - One fix is important to single out if landlock were to be enabled, as
      it contains a fix for landlock rules not being checked properly.
      - https://gitlab.gnome.org/GNOME/localsearch/-/commit/1f562499e65dcaa13305006b29cf2b86c13afe40
- Any significant shellcheck results
  - Some small issues, nothing of note
- Any significant bandit results
  - None, just some hits on test files and test utilities.
- Any significant Semgrep results
  - None

The package itself seems maintainable. The use of glib functions helps in
many instances to minimize potential errors, the code is readable, and the
upstream repository also seems to implement coverity scanning and valgrind.
While some coverity issues have been identified, these were fixed by
upstream, and fairly recently as well (1 week ago at the time of writing).
The project is actively maintained, and no big issues were identified that
would prevent the promotion.

However, seccomp and landlock are protection mechanisms which are fairly
important to have enabled for the package, as the application parses files
which could come from untrusted sources. These are very useful in general,
and as the package already implements them, enabling these options would
prevent many potential issues that may arise, and shouldn't be a big
effort. If these features will not be enabled, some reasoning behind that
decision would be highly appreciated.
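If seccomp does get enabled, the useful follow-up check is to confirm that the extractor actually runs under a seccomp filter on an installed system, rather than trusting the build flags. The script below is an added example (not part of the review or of the localsearch project): it reads the Seccomp field from /proc/<pid>/status, which the kernel reports as 0 (disabled), 1 (strict) or 2 (filter mode, what a libseccomp-based sandbox installs). The process name glob "*extract*" is an assumption covering both the old tracker-extract and the renamed extractor; adjust it to the binary name shipped in the package. Landlock restrictions are not exposed in /proc status, so this only verifies the seccomp half of the sandbox.

```shell
#!/bin/sh
# Added example: verify that extractor processes run under a seccomp filter.
# Not part of the MIR review or of localsearch itself.

# seccomp_mode FILE
#   Print the numeric "Seccomp:" value from a /proc/<pid>/status-style file,
#   or "unknown" if the field is absent (e.g. a kernel built without seccomp).
seccomp_mode() {
    awk '/^Seccomp:/ { print $2; found = 1 }
         END { if (!found) print "unknown" }' "$1"
}

# describe_mode N
#   Map the kernel's numeric mode to the label used in the seccomp docs.
describe_mode() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "filter" ;;
        *) echo "unknown" ;;
    esac
}

# check_extractors GLOB
#   For every running process whose comm matches GLOB, print its pid, name
#   and seccomp mode. Returns 1 if any matching process has no filter
#   installed, so it can be used from a test or a post-install sanity check.
check_extractors() {
    pattern="$1"
    rc=0
    for status in /proc/[0-9]*/status; do
        # Processes can exit between the glob and the read; skip those.
        comm=$(awk '/^Name:/ { print $2; exit }' "$status" 2>/dev/null) || continue
        case "$comm" in
            $pattern) ;;
            *) continue ;;
        esac
        pid=${status#/proc/}
        pid=${pid%/status}
        mode=$(seccomp_mode "$status")
        echo "$pid $comm seccomp=$(describe_mode "$mode")"
        [ "$mode" = 2 ] || rc=1
    done
    return $rc
}

# Usage: sh check_seccomp.sh --scan ['*extract*']
# (assumed script name; the glob is the assumed extractor process name)
if [ "${1:-}" = "--scan" ]; then
    check_extractors "${2:-*extract*}"
fi
```

Run it with --scan while indexing is active (for example right after a file is dropped into a watched directory) so the extractor is alive when the scan happens; a line reading seccomp=disabled for the extractor means the build-time option did not take effect.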

Security team ACK for promoting tracker-miners to main, given that seccomp
and landlock are enabled for the package, or proper reasoning and
explanation is provided for their disablement.


** Changed in: tracker-miners (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: tracker-miners (Ubuntu)
       Status: New => Fix Committed

** Changed in: tracker-miners (Ubuntu)
       Status: Fix Committed => In Progress

https://bugs.launchpad.net/bugs/2099160

Title:
  [MIR] localsearch
