debcrafters-packages team mailing list archive
-
debcrafters-packages team
-
Mailing list archive
-
Message #03978
[Bug 2113961] Re: [MIR] util-linux
Re-review for src:util-linux
[Summary]
The util-linux is a suite of essential Linux system maintenance utilities. It contains many basic utilities used for setting up partitions and basic system infrastructure on a Linux system. It is for expert users only.
This is a re-review of src:util-linux, which has always been in main.
Since the CVE history is significant, I will request ubuntu-security
requesting a "re-review".
Notes:
#0 Out of the 25 binary packages, 22 are in main. Binary packages currently not in main: bin:util-linux-extra, bin:libpam-lastlog2, bin:libpam-lastlog2
Required TODOs: None
Recommended TODOs:
#1 Consider resolving lintian warnings, most of them are related to man-pages.
#2 Consider addressing the upstream compiler and linker warnings.
[Rationale, Duplication and Ownership]
OK:
- There is no other package in main providing the same functionality.
=> This package is already in `main`.
- A team is committed to own long term maintenance of this package.
=> Debcrafters packages
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- src:util-linux checked with check-mir
- all dependencies can be found in `seeded-in-ubuntu` (already in main)
- none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendor-ed code
Problems: none
[Security]
OK:
- does not run a daemon as root
=> ldattach runs as current user/group, uuidd runs as uuidd/uuidd
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
xml, json, asn.1], network packets, structures, ...) from
an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- binaries related to system authentication: su, sulogin, runuser, login
- does not deal with security attestation
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
=> mcookie is only used to generate 128-bit Xauth tokens
- this makes appropriate (for its exposure) use of established risk
mitigation features (dropping permissions, using temporary environments,
restricted users/groups, seccomp, systemd isolation features,
apparmor, ...)
=> These are core system utilities. However, some of them like umount, eject, swapon do
seem to drop permissions for certain sub-tasks.
Problems:
- has a significant history of CVEs
=> https://security-tracker.debian.org/tracker/source-package/util-linux
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
- not a Python package
- not a Go package
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking is in place.
- debian/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the latest upstream version (2.41) has been packaged
- this package is already in main
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list
Problems:
- Lintian warnings
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/eject-udeb.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libblkid1-udeb.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libblkid1.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libfdisk-dev.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libfdisk1-udeb.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libfdisk1.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/liblastlog2-2.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libmount-dev.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libmount1-udeb.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libmount1.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libsmartcols-dev.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libsmartcols1-udeb.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libsmartcols1.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libuuid1-udeb.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libuuid1.install]
W: libblkid-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/libblkid.3.gz:1]
W: liblastlog2-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/lastlog2.3.gz:1]
W: liblastlog2-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/ll2_import_lastlog.3.gz:1]
W: liblastlog2-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/ll2_read_all.3.gz:1]
W: liblastlog2-dev: groff-message ... use "--tag-display-limit 0" to see all (or pipe to a file/program)
W: login: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/fr/man1/login.1.gz:1]
W: util-linux-locales: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/fr/man1/fallocate.1.gz:1]
W: util-linux-locales: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/fr/man1/getopt.1.gz:1]
W: util-linux-locales: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/fr/man1/ionice.1.gz:1]
W: util-linux-locales: groff-message ... use "--tag-display-limit 0" to see all (or pipe to a file/program)
W: uuid-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/uuid.3.gz:1]
W: uuid-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/uuid_clear.3.gz:1]
W: uuid-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/uuid_compare.3.gz:1]
W: uuid-dev: groff-message ... use "--tag-display-limit 0" to see all (or pipe to a file/program)
[Upstream red flags]
OK:
- no incautious use of malloc/sprintf
=> xmalloc() mostly used, all malloc() uses guarded with NULL checks
=> asprintf/xasprintf used instead of asprintf
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user 'nobody' outside of tests
- use of setuid()/setgid()
=> these are core system utilities, setuid/setgid used to drop permissions, used in setpriv, mount etc.
- This package has quite a few open bug reports. However, it is a core utilities package and upstream is very active.
- no dependency on webkit, qtwebkit or libseed
- translations present
Problems:
- Quite a few upstream build warnings (compiler and linker)
login-utils/login.c:737:13: warning: ‘log_utmp’ defined but not used [-Wunused-function]
737 | static void log_utmp(struct login_context *cxt)
| ^~~~~~~~
login-utils/login.c:601:13: warning: ‘log_btmp’ defined but not used [-Wunused-function]
601 | static void log_btmp(struct login_context *cxt)
| ^~~~~~~~
login-utils/login.c:357:13: warning: ‘motd’ defined but not used [-Wunused-function]
357 | static void motd(void)
disk-utils/fdisk-menu.c: In function 'geo_menu_cb':
disk-utils/fdisk-menu.c:1071:23: warning: 'a' may be used uninitialized [-Wmaybe-uninitialized]
1071 | rc = fdisk_ask_number(cxt, i, fdisk_get_geom_heads(cxt),
| ^
disk-utils/fdisk-menu.c:1069:33: note: 'a' was declared here
1069 | unsigned int i, a;
| ^
disk-utils/fdisk-menu.c:1071:23: warning: 'i' may be used uninitialized [-Wmaybe-uninitialized]
1071 | rc = fdisk_ask_number(cxt, i, fdisk_get_geom_heads(cxt),
| ^
disk-utils/fdisk-menu.c:1069:30: note: 'i' was declared here
1069 | unsigned int i, a;
| ^
disk-utils/fdisk-menu.c:1077:23: warning: 'ma' may be used uninitialized [-Wmaybe-uninitialized]
1077 | rc = fdisk_ask_number(cxt, mi, fdisk_get_geom_sectors(cxt),
| ^
disk-utils/fdisk-menu.c:1050:28: note: 'ma' was declared here
1050 | fdisk_sector_t mi, ma;
| ^
disk-utils/fdisk-menu.c:1077:23: warning: 'mi' may be used uninitialized [-Wmaybe-uninitialized]
1077 | rc = fdisk_ask_number(cxt, mi, fdisk_get_geom_sectors(cxt),
| ^
disk-utils/fdisk-menu.c:1050:24: note: 'mi' was declared here
1050 | fdisk_sector_t mi, ma;
| ^
Linker warnings:
usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(complete.o): in function `rl_username_completion_function':
(.text+0x4dd1): warning: Using 'getpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: (.text+0x4dc8): warning: Using 'setpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: (.text+0x4e69): warning: Using 'endpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(tilde.o): in function `tilde_expand_word':
(.text+0x165): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(shell.o): in function `sh_get_home_dir':
(.text+0x169): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(complete.o): in function `rl_username_completion_function':
(.text+0x4dd1): warning: Using 'getpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: (.text+0x4dc8): warning: Using 'setpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(shell.o): in function `sh_get_home_dir':
(.text+0x19a): warning: Using 'endpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(tilde.o): in function `tilde_expand_word':
(.text+0x165): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(shell.o): in function `sh_get_home_dir':
(.text+0x169): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
** Changed in: util-linux (Ubuntu)
Assignee: Pushkar Kulkarni (pushkarnk) => Ubuntu Security Team (ubuntu-security)
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2113961
Title:
[MIR] util-linux
Status in util-linux package in Ubuntu:
New
Bug description:
[Availability]
The package src:util-linux is already in Ubuntu main.
The package src:util-linux build for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/util-linux
[Rationale]
See previous rational below for what actually sparked this MIR.
Now that `bin:liblastlog2-2` has been promoted and everything is unblocked, the
rationale becomes as simple as an ask for a re-review for one of the `Essential`
packages, shipping, among other things, a few `suid` binaries in absolutely
every form Ubuntu can take.
https://canonical-ubuntu-project.readthedocs-hosted.com/MIR/mir-rereview/#opt-in-re-review
Original rationale:
Okay, it seems the MIR template doesn't apply well for this use-case, because
it more or less assumes that the MIR is about a source package that is currently
in universe. In the current situation, only an existing binary package needs to be
promoted, from a source package already in main. I'll do my best to adapt the
template and provide a good rational.
- bin:liblastlog2-2 is provided by src:util-linux, and was already there in
plucky/universe.
- The package src:util-linux is generally useful for a large part of
our user base: it provides the bin:util-linux package, that is even flagged as
`Essential: yes`.
This is the package providing, among many other things, the `su`, `fsck`,
`flock`, or `mkswap` binaries, all mostly essential to any system (random
selection of important commands to give a quick example).
- The package bin:liblastlog2-2 is a new runtime dependency of package
bin:util-linux that we already support.
- The binary packages liblastlog2-2 needs to be in main to have the latest merge
of util-linux migrate from questing-proposed to questing.
- All other binary packages currently in universe built by src:util-linux should
remain in universe.
- The package bin:liblastlog2-2 is required in Ubuntu main no later than
somewhere in July due to some partners requiring patches to be SRU'd to Noble,
and thus needing the package to migrate from -proposed (even though it's not a
hard block from the SRU team, according to what I've red on Matrix recently).
[Security]
- Obviously, util-linux has had some security issues in the past (although not
that much):
- https://ubuntu.com/security/cves?package=util-linux
- https://security-tracker.debian.org/tracker/source-package/util-linux
- Those issues seems to be handled correctly in both Ubuntu and Debian:
- https://ubuntu.com/security/CVE-2024-28085
- https://security-tracker.debian.org/tracker/CVE-2024-28085
- https://security-tracker.debian.org/tracker/CVE-2021-37600
- There are countless binaries in sbin, but I'm fairly confident taking them out
is a big plan of its own to still have a working system.
- There are just a couple systemd units:
- fstrim.{service,timer}: Discard unused filesystem blocks once a week
- lastlog2-import.service: Import lastlog data into lastlog2 database - run
only once in some particular situations to handle a data migration
- About common isolation/risk-mitigation:
- I'm not sure anything in util-linux is opening privileged ports.
- I know some binaries are dropping privileges.
- Going much further on that topic would be a full audit, for which I
unfortunately don't really have time and competency for. I hope that's okay.
- Packages does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/util-linux/+bugs?orderby=-importance&start=0
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=util-linux
- Upstream https://github.com/util-linux/util-linux/issues
- Obviously this package has tons of bugs opened, but at the same time, it has
a lot of activity, and is well maintained upstream, in Debian, and in
Ubuntu, just because of its central position in any Linux system.
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log TBD
- The package runs an autopkgtest, and is currently passing on
all architectures but i386: https://autopkgtest.ubuntu.com/packages/util-linux
- The package does have not failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Recent build: https://launchpad.net/ubuntu/+source/util-linux/2.41-4ubuntu2/+build/30908305
- Lintian overrides are present, but ok because most are well commented, and the rest is pretty obvious, like highly privileged binaries.
- This package does not rely on obsolete or about to be demoted
packages.
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging is quite complex, but I'm not sure how much of a choice we have.
Good thing is that this package is equally important in Debian, so it will very
likely keep being maintained.
[UI standards]
- Application is end-user facing, Translation is present, via standard
intltool/gettext. See `configure` for `libintl` and `gettext`.
- End-user applications without desktop file, not needed because it only ships
CLI tools.
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy.
[Maintenance/Owner]
- The owning team will be debcrafters-packages and I have their acknowledgement for
that commitment
- The future owning team is already subscribed to the package.
- This does not use static builds.
- This does not use vendored code
- This package is not rust based
- The package has been built within the last 3 months in the archive
- Build link on launchpad: https://launchpad.net/ubuntu/+source/util-linux/2.41-4ubuntu2
[Background information]
The Package description explains the package well
Upstream Name is `util-linux`
Link to upstream project: https://github.com/util-linux/util-linux/
This package has been in main since the very early beginning of Ubuntu, so never
got the chance to get a proper MIR.
This was sparked when the `bin:util-linux` has started to depend on
`bin:liblastlog2-2`, which was in Universe. `liblastlog2-2` was nicely
handled by @paelzer under the "Renamed or re-organized sources" condition.
This MIR still makes sense to me, given that `util-linux` provides many
very important binaries, among which many of them are `suid`, and is one the
`Essential` packages shipped in absolutely every form Ubuntu can take.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2113961/+subscriptions
References
