I reviewed galera-4 26.4.23-1 as checked into questing. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
galera-4 is a high availability database solution that provides scalability
for database growth.
- CVE History
  - `CVE-2023-5157`
    - The CVE mentioned mariadb but seems to be a vulnerability in
      `galera-4`. Fixed in 26.4.12.
  - There seem to have been CVEs assigned for mariadb-galera, however
    they seem to be MariaDB package specific. These seem to have been
    handled properly.
- Build-Depends
  - Normal build depends.
- pre/post inst/rm scripts
  - Creates a default galera system user in preinst script for
    `galera-arbitrator-4.deb`.
  - Other scripts are automatically generated to manage the systemd
    service by `dh_installsystemd`.
- init scripts
  - ./etc/init.d/garb
- systemd units
  - `galera-arbitrator-4`
    - ./usr/lib/systemd/system/garb.service
    - ./usr/lib/systemd/system/garbd.service -> garb.service
  - The systemd services seem to be rather basic, launching the
    garb-systemd executable as the newly created `_galera` system user.
    The service doesn't provide any additional protections or rules,
    which is something to keep in mind.
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - ./usr/bin/garbd
  - ./usr/bin/garb-systemd
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - There seem to be a few (7) unit tests running at build time.
  - For autopkgtests, there seems to only be a smoke test.
    - It seems to execute `garbd` and displays the usage information about
      the program.
  - It would be appreciated if more tests could be included in the package.
- cron jobs
  - None
- Build logs
  - Seem fine.
- Processes spawned
  - None
- Memory management
  - Memory management seems fine, the size during memcpy and malloc seems
    to be checked. There seem to be some custom implementations of malloc
    (such as RingBuffer) which also seem to do some size checks.
- File IO
  - Vendors ASIO library
    - It is recommended to not vendor code unless necessary. This would
      simplify the security team's ability to provide updates in case ASIO
      contains a vulnerability.
    - It appears like `galera-4` does not build with ASIO version 1.33+.
      There are issues tracking this upstream. Ubuntu currently ships ASIO
      1.30, but an update to the version could break `galera-4`.
      - https://jira.mariadb.org/browse/MDEV-36926
      - https://github.com/codership/galera/issues/679
    - ASIO is currently in universe.
- Any significant shellcheck results
- Logging
  - Seems fine. Extensive logging for debug purposes exists, and it is
    handled without issues.
- Environment variable usage
  - None
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - Seems to support TLS (not enabled by default). Code refers to SSL when
    talking about TLS.
  - mariadb-server needs to be compiled with TLS support (configuration
    option) on all nodes. On Ubuntu, TLS support is enabled for both
    mariadb-server and galera-4 and so it is available. Setup like
    generating CA certificates is required by the user.
  - Seems to use the vendored ASIO library for SSL.
- Use of temp files
  - None
- Use of networking
  - In order to make connections, it seems like networking to other galera
    nodes has to be defined in configuration files. So, without defining
    other nodes in configuration files, galera won't connect to them.
  - Seems fine. Communicates using IPv4 and IPv6 with sockets.
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- Any significant cppcheck results
  - Nothing of note, seem to be false positives.
- Any significant Coverity results
  - Apart from a small copy-paste error, the results seem to be fine. Many
    cases of waiting with lock which seems to be intended, and overall most
    detections were in thread locks.
  - There were some results for the vendored ASIO code that weren't looked
    into in depth due to the intention of using system ASIO instead of
    vendoring.
- Any significant bandit results
  - N/A
- Any significant govulncheck results
  - N/A
- Any significant Semgrep results
  - None
The code looks fine and maintainable. The project is rather large and has
been around for some time, has decent comments and readable code. The only
issue would be the vendoring of the ASIO library, but this is an issue that
has already been talked about previously and is being handled, so it is not
a concern. While some code quality aspects could be considered "aging" in
some parts of the code, this would be a natural result due to the project's
history, and the parts seem to be maintained well.
Something to note is the small amount of unit tests and autopkgtests. More
tests would be appreciated.
Security team ACK for promoting galera-4 to main
** Bug watch added: github.com/codership/galera/issues #679
https://github.com/codership/galera/issues/679
** CVE added: https://cve.org/CVERecord?id=CVE-2023-5157
** Changed in: galera-4 (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
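The review notes that garb.service only drops to the `_galera` user and adds no further sandboxing. As an added illustration (not shipped by galera-4 and not part of the review above), a systemd drop-in of the kind a deployer could layer on top of the packaged unit; the writable path `/var/lib/galera` and the config file `/etc/default/garb` are assumptions and must be matched to the real garbd configuration before use.

```ini
# /etc/systemd/system/garb.service.d/hardening.conf
# Added illustration, not part of the galera-4 package. The packaged unit
# already runs garb-systemd as the unprivileged `_galera` user; this drop-in
# only adds confinement on top of it. After installing, reload and check:
#   systemctl daemon-reload && systemd-analyze security garb.service
[Service]
# No privilege escalation and no capabilities at all.
NoNewPrivileges=yes
CapabilityBoundingSet=
# Whole filesystem read-only except the paths listed in ReadWritePaths.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Assumed state/log directory for the arbitrator; set it to whatever the
# options in /etc/default/garb (assumed location) actually point at.
ReadWritePaths=/var/lib/galera
# Kernel interfaces the arbitrator has no reason to touch.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
# garbd only needs IPv4/IPv6 sockets to reach cluster nodes (per the review)
# plus AF_UNIX for journald/syslog.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Generic service syscall allow-list; test a full cluster join before relying
# on it, since a too-narrow filter shows up as SIGSYS in the journal.
SystemCallArchitectures=native
SystemCallFilter=@system-service
```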
https://bugs.launchpad.net/bugs/2122096
Title:
[MIR] galera-4