I reviewed librdkafka 2.8.0-1 as checked into questing. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
librdkafka is a C library implementation of the Apache Kafka protocol,
providing Producer, Consumer and Admin clients.
- CVE History
- No CVEs directly associated with librdkafka.
- Build-Depends
- authentication library - libsasl2-dev
- encryption libraries - libssl-dev, libcurl4-openssl-dev
- compression libraries - zlib1g-dev, libzstd-dev, liblz4-dev
- build and tests - pkgconf, python
- serialization library - rapidjson-dev
- pre/post inst/rm scripts
- none
- init scripts
- none
- systemd units
- none
- dbus services
- none
- setuid binaries
- none
- binaries in PATH
- none
- sudo fragments
- none
- polkit files
- none
- udev rules
- none
- unit tests / autopkgtests
- The library comes with a test suite. The test suite does not run
at build time; it is, however, run by the autopkgtests. The test
suite seems to be of good quality. There is also initial support
for running fuzz tests. The fuzz tests need some manual configuration
in order to be run.
- cron jobs
- none
- Build logs
- the build log contains a lot of warnings like "free called on
pointer x with nonzero offset", all rooted in one inline wrapper
around `free`. I checked a few samples and decided to consider all of
them as false positives.
- Processes spawned
- the library makes use of the library call `system()` to be able to
renew a Kerberos ticket via `kinit`.
- Memory management
- Memory allocations are mostly performed through wrappers like
rd_malloc. Checks on the outcome of the allocation are done from
the wrappers via assert().
I did not find anything concerning there.
- File IO
- The library supports loading plugins via dlopen(). The libraries
to be loaded are specified via the `plugin.library.paths` config
property.
- Logging
- The library seems to be careful while constructing error messages.
- Environment variable usage
- only in unit tests.
- Use of privileged functions
- none
- Use of cryptography / random number sources etc
- the library uses TLS to connect to the brokers. Certificates seem
to be checked correctly, although it is up to the users of the
library to set up TLS properly. Nice detail: if SSL/TLS is enabled,
certificate validation defaults to true.
- Use of temp files
- none
- Use of networking
- yes, it is a Kafka client library
- Use of WebKit
- none
- Use of PolicyKit
- none
- Any significant cppcheck results
- mostly false positives and possible issues affecting unit tests
- Any significant Coverity results
- mostly false positives. The only issues I was able to confirm
involve unit tests.
- Any significant shellcheck results
- configure scripts, test harnesses and examples. No shell scripts in the
library.
- Any significant bandit results
- code is C/C++. bandit results are false positives in tools used
for packaging the library with NuGet and in tests.
- Any significant govulncheck results
- none
- Any significant Semgrep results
- semgrep points to the usage of system(), which makes the library
vulnerable to command injection.
librdkafka includes an extensive test suite for validating changes and
potential regressions. The codebase is largely C and some C++. The
code seems well written and documented.
Summarizing: a command injection is possible by customizing the string
property `sasl.kerberos.principal`.
E.g. `kcat -b example.com -L \
-X security.protocol=SASL_PLAINTEXT \
-X sasl.kerberos.keytab=/tmp/nonexistent \
-X sasl.kerberos.principal=';id'`
It is also possible to take over the library taking advantage of
the plugin loading facility by customizing the string property
`plugin.library.paths` thus forcing the library to load and execute a
possibly malicious payload.
Whether the aforementioned cases represent real vulnerabilities depends
on how the library is used. E.g. in the provided example involving the
CLI tool `kcat` it is not an issue, since the net effect would be
executing commands the user already has permission to run.
The same applies to the plugin loading facility.
In any case it is important to keep in mind these possible flaws wherever
the library is used.
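For an application that takes these two properties from a less trusted source (a config file, an environment, a tenant), the practical mitigation is to allowlist the values before they reach rd_kafka_conf_set(). The following is an added example written for this review, not librdkafka code; the trusted plugin directory `/usr/lib/kafka-plugins` is an assumption.

```c
/* Added example (not part of librdkafka): allowlist checks an application
 * can apply to untrusted configuration before calling rd_kafka_conf_set().
 * Covers the two properties flagged above: sasl.kerberos.principal, which
 * ends up in a shell command run via system(), and plugin.library.paths,
 * which is handed to dlopen(). */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* A Kerberos principal has the shape name[/instance]@REALM. Only these
 * characters are accepted, which excludes every shell metacharacter
 * (';', '|', '&', '$', '`', quotes, whitespace), so the reviewed
 * `;id` style value is rejected before it can reach system(). */
bool kerberos_principal_is_safe(const char *p) {
    size_t n = strlen(p);
    if (n == 0 || n > 255) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_' ||
              c == '/' || c == '@'))
            return false;
    }
    return true;
}

/* plugin.library.paths is a comma-separated list. Every entry must be an
 * absolute path located below trusted_dir (assumed here to be a directory
 * writable only by root) and must not traverse out of it with "..". */
bool plugin_paths_are_trusted(const char *paths, const char *trusted_dir) {
    char buf[4096];
    size_t tlen = strlen(trusted_dir);
    char *save = NULL;
    bool any = false;
    if (strlen(paths) >= sizeof buf) return false;
    strcpy(buf, paths);
    for (char *tok = strtok_r(buf, ",", &save); tok;
         tok = strtok_r(NULL, ",", &save)) {
        size_t l = strlen(tok);
        any = true;
        if (tok[0] != '/') return false;                 /* relative path */
        if (strncmp(tok, trusted_dir, tlen) != 0 || tok[tlen] != '/')
            return false;                                 /* outside dir  */
        if (strstr(tok, "/../") || strstr(tok, "/./")) return false;
        if (l >= 3 && strcmp(tok + l - 3, "/..") == 0) return false;
    }
    return any;  /* an empty list is rejected too */
}
```

A rejected value should be logged and the client not started; silently dropping the property would leave the library falling back to its defaults.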
Security team ACK for promoting librdkafka to main.
https://bugs.launchpad.net/bugs/2119045
Title:
[MIR] librdkafka
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs