I reviewed azure-vm-utils 0.4.0-2 as checked into plucky. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
azure-vm-utils is a collection of tools and udev rules for Linux on Azure.

- CVE History
  - None
  - The project is relatively new.
- Build-Depends
  - Standard build depends.
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - None
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - Generates 80-azure-disk.rules.
  - The project advertises itself as a collection of udev rules, so it is fine for it to have udev rules.
  - The rules interact with Azure and Microsoft devices, mostly reading and creating symlinks.
- unit tests / autopkgtests
  - No unit tests or autopkgtests. This was mentioned before, and it was deemed hard to test without a VM. One basic autopkgtest was added, and the upstream repository seems to contain more tests.
- cron jobs
  - None
- Build logs
  - Normal build logs.
- Processes spawned
  - None
- Memory management
  - The memory is freed normally.
- File IO
  - None
- Logging
  - Provides debug prints. No issues.
- Environment variable usage
  - None
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc.
  - None
- Use of temp files
  - None
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- Any significant cppcheck results
  - None
- Any significant Coverity results
  - Several Coverity issues were identified.
  - src/main.c:303: Buffer not null terminated (BUFFER_SIZE)
    - The string copy that happens may cause the string to overflow into another variable if not null terminated. This could cause issues and security vulnerabilities, such as denial of service. While there are no checks for this, the input string ultimately is always null terminated from scandir(). Therefore, this is not an issue with the current inputs.
  - src/main.c:193: Argument cannot be negative (NEGATIVE_RETURNS)
    - In this line of code, sysconf(_SC_PAGESIZE) may return a negative value where a negative value is not allowed. This could cause the function to allocate too much memory, or crash.
  - Other issues were deemed low severity/false positives.
- Any significant shellcheck results
  - None
- Any significant Semgrep results
  - None

The package is designed to be run in a privileged environment. The issues identified by Coverity involve a local attacker inserting maliciously named devices physically, which is challenging in this scenario. Therefore, these issues should not be a problem. The upstream code has removed the usage of the problematic function for the first Coverity issue in a later version, and a PR was filed upstream for the second issue, which should not prevent the package from being promoted regardless of the outcome of said PR due to it being a trivial issue in this scenario.

The code itself is maintainable, with clear and concise comments as well as normal variable naming and memory management. Upstream also utilizes vulnerability scanning as part of their CI workflow.

Security team ACK for promoting azure-vm-utils to main.

** Changed in: azure-vm-utils (Ubuntu)
   Status: New => In Progress

** Changed in: azure-vm-utils (Ubuntu)
   Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
https://bugs.launchpad.net/bugs/2093322
Title: [MIR] azure-vm-utils

ubuntu-bugs mailing list
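The two Coverity finding classes the review describes (an unterminated fixed-size string copy and an unchecked sysconf() return), each shown beside its hardened form, as an added example that is not azure-vm-utils code; the function names, NAME_SIZE and the sample device names are hypothetical.

```c
/* Added example, not azure-vm-utils code: the two Coverity finding classes the
 * review names (unterminated fixed-size copy, unchecked sysconf() return), each
 * beside a hardened form. Function names, NAME_SIZE and sample names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NAME_SIZE 16  /* hypothetical fixed buffer a BUFFER_SIZE report assumes */

/* Unsafe pattern: strncpy appends no NUL when src fills the buffer, so a later
 * strlen()/printf() on dst reads past it (Coverity BUFFER_SIZE). */
void copy_name_unsafe(char dst[NAME_SIZE], const char *src)
{
    strncpy(dst, src, NAME_SIZE);
}

/* Hardened form: reject a name that leaves no room for the terminator and
 * always NUL-terminate. Returns 0 on success, -1 if src is too long. */
int copy_name_checked(char dst[NAME_SIZE], const char *src)
{
    const char *end = memchr(src, '\0', NAME_SIZE);
    if (end == NULL) {              /* no NUL within NAME_SIZE bytes */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);  /* copies the NUL too */
    return 0;
}

/* Hardened page-size lookup: sysconf() returns -1 on failure (NEGATIVE_RETURNS),
 * a value that must never flow into an allocation size. Returns 0 on failure. */
size_t page_size_checked(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 0;
}

int main(void)
{
    char buf[NAME_SIZE];
    if (copy_name_checked(buf, "sda1") == 0)
        printf("copied: %s\n", buf);
    if (copy_name_checked(buf, "a-device-name-longer-than-buf") != 0)
        printf("rejected overlong name\n");
    printf("page size: %zu\n", page_size_checked());
    return 0;
}
```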