I reviewed websockify version 0.8.0+dfsg1-7ubuntu1 as checked into artful. This should not be considered a full security audit but rather a quick gauge of maintainability.
Websockify has no CVEs in our database

- Websockify provides a daemon to turn arbitrary TCP sockets into "websockets" suitable for use with browsers. Typically JS in the browsers would then implement whatever protocol is being converted. There are multiple implementations of this tool in this package. The C version is not suitable for main. It does not appear to be built in this package, so I'd like to ask for this file to either be deleted or patched to add a poison pill like:
    #error See https://bugs.launchpad.net/bugs/1108935 before using this file
- rebind will LD_PRELOAD symbol shadow bind() to force a program to listen on a different port
- Build-Depends: debhelper, dh-python, openstack-pkg-tools, python-dev, python-mox3, python-nose, python-numpy, python-setuptools, python3-dev, python3-mox3, python3-nose, python3-numpy, python3-setuptools,
- pre/post inst/rm commands install or remove 'websockify' alternatives
- websockify/websocket.py daemonize() implementation looks good; C daemonize() does not.
- No initscripts / systemd service files
- No dbus services
- No setuid
- python3-websockify, python2-websockify, and rebind executables in PATH
- No sudo fragments
- No udev rules
- Some tests appear to be run during the build
- No cronjobs
- Clean build logs
- Python subprocesses spawned fine
- Python file management looked fine
- Python logging looked fine
- Python networking looked fine
- Python privileged syscall handling looked fine
- No webkit
- No javascript
- No policykit

One question about the python code:
- ./websockify/websocket.py daemonize() sets umask(0), is this the best setting?

A packaging bug:
- /usr/lib/websockify/rebind.o appears in the websockify package, why?

A Debian standards-compliance bug:
- /usr/bin/rebind in the websockify package has no manpage

And a long list of reasons why the C version of the program is not suitable for use. This list is not exhaustive; I stopped after finding this many issues:
- ./other/websockify.c main() settings.listen_host and target_host buffer overflow
- ./other/websocket.c alloc_ws_ctx() doesn't check ctx->headers allocation failure as it does other allocations
- ./other/websocket.c free_ws_ctx() doesn't free ctx->headers as it does other allocations
- ./other/websocket.c parse_hixie76_key() divide by zero if key includes no spaces (BTW this for loop is O(N^2) unless the compiler hoists out the strlen(key) call)
- ./other/websocket.c ws_socket_ssl() msg buffer overflows via use_keyfile and certfile parameters
- ./other/websocket.c do_handshake() handshake buffer underflow -- use of recv(2) return value as an array index without doing any error checking
- ./other/websocket.c parse_handshake() buffer overflows for:
  - headers->origin
  - headers->version
  - headers->key1
  - headers->connection
  - headers->protocols
  - headers->key2
- ./other/websocket.c daemonize() setgid(getgid());
- ./other/websocket.c daemonize() setuid(getuid());
- ./other/websocket.c daemonize() sets umask(0), is this the best setting?

websocket.c and websockify.c issues not exhaustive

Security team ACK for promoting websockify to main on several conditions:
- other/websockify.c and other/websocket.c MUST be patched with an:
    #error See https://bugs.launchpad.net/bugs/1108935 before using this file
- please remove /usr/lib/websockify/rebind.o from the package

Thanks

https://bugs.launchpad.net/bugs/1108935
Title: [MIR] websockify, spice-html5
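To illustrate the parse_hixie76_key() finding above (divide by zero when the key has no spaces, and strlen() re-evaluated in the loop), here is an added example of a hardened draft-76 key parser. It is not code from the websockify package; the function name is borrowed from the review, the key string is the example from the draft-76 handshake, and the return convention (0 ok, -1 malformed) is this example's own choice.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Draft-76 derives a number from each Sec-WebSocket-Key header: concatenate
 * every ASCII digit in the value, then divide by the number of spaces.
 * The original C code divides unconditionally; a key with no spaces is a
 * divide by zero. This version validates before dividing.
 * Returns 0 and writes *out on success, -1 on a malformed key. */
int parse_hixie76_key(const char *key, uint32_t *out)
{
    uint64_t number = 0;
    size_t spaces = 0, len, i;

    if (key == NULL || out == NULL)
        return -1;
    len = strlen(key);               /* computed once, so the loop is O(N) */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)key[i];
        if (c >= '0' && c <= '9') {
            number = number * 10 + (c - '0');
            if (number > UINT32_MAX)  /* draft-76 bounds the value to 32 bits */
                return -1;
        } else if (c == ' ') {
            spaces++;
        }
    }
    if (spaces == 0)                 /* the divide-by-zero case from the review */
        return -1;
    if (number % spaces != 0)        /* the spec requires an exact multiple */
        return -1;
    *out = (uint32_t)(number / spaces);
    return 0;
}

int main(void)
{
    /* Example key value taken from the draft-76 specification text. */
    const char *key = "18x 6]8vM;54 *(5:  {   U1]8  z [  8";
    uint32_t value;
    if (parse_hixie76_key(key, &value) == 0)
        printf("key number: %u\n", value);   /* prints 155712099 */
    if (parse_hixie76_key("nospaces123", &value) != 0)
        printf("rejected key with no spaces\n");
    return 0;
}
```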