Re-review for src:util-linux

[Summary]
util-linux is a suite of essential Linux system maintenance utilities. It contains many basic utilities used for setting up partitions and basic system infrastructure on a Linux system. It is for expert users only.

This is a re-review of src:util-linux, which has always been in main. Since the CVE history is significant, I will assign ubuntu-security and request a "re-review".

Notes:
#0 Out of the 25 binary packages, 22 are in main. Binary packages currently not in main: bin:util-linux-extra, bin:libpam-lastlog2, bin:libpam-lastlog2

Required TODOs: None

Recommended TODOs:
#1 Consider resolving the lintian warnings; most of them are related to man pages.
#2 Consider addressing the upstream compiler and linker warnings.

[Rationale, Duplication and Ownership]
OK:
- There is no other package in main providing the same functionality.
  => This package is already in `main`.
- A team is committed to own long term maintenance of this package.
  => Debcrafters packages

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - src:util-linux checked with check-mir
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendor-ed code

Problems: none

[Security]
OK:
- does not run a daemon as root
  => ldattach runs as current user/group, uuidd runs as uuidd/uuidd
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- binaries related to system authentication: su, sulogin, runuser, login
- does not deal with security attestation
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
  => mcookie is only used to generate 128-bit Xauth tokens
- this makes appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...)
  => These are core system utilities. However, some of them, like umount, eject and swapon, do seem to drop permissions for certain sub-tasks.

Problems:
- has a significant history of CVEs
  => https://security-tracker.debian.org/tracker/source-package/util-linux

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
- not a Python package
- not a Go package

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance is under control
- symbols tracking is in place.
- debian/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the latest upstream version (2.41) has been packaged
- this package is already in main
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems:
- Lintian warnings
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/eject-udeb.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libblkid1-udeb.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libblkid1.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libfdisk-dev.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libfdisk1-udeb.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libfdisk1.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/liblastlog2-2.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libmount-dev.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libmount1-udeb.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libmount1.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libsmartcols-dev.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libsmartcols1-udeb.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libsmartcols1.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libuuid1-udeb.install]
W: util-linux source: dh-exec-script-without-dh-exec-features [debian/libuuid1.install]
W: libblkid-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/libblkid.3.gz:1]
W: liblastlog2-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/lastlog2.3.gz:1]
W: liblastlog2-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/ll2_import_lastlog.3.gz:1]
W: liblastlog2-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/ll2_read_all.3.gz:1]
W: liblastlog2-dev: groff-message ... use "--tag-display-limit 0" to see all (or pipe to a file/program)
W: login: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/fr/man1/login.1.gz:1]
W: util-linux-locales: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/fr/man1/fallocate.1.gz:1]
W: util-linux-locales: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/fr/man1/getopt.1.gz:1]
W: util-linux-locales: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/fr/man1/ionice.1.gz:1]
W: util-linux-locales: groff-message ... use "--tag-display-limit 0" to see all (or pipe to a file/program)
W: uuid-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/uuid.3.gz:1]
W: uuid-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/uuid_clear.3.gz:1]
W: uuid-dev: groff-message troff:<standard input>:10: warning: macro 'Aq' not defined [usr/share/man/man3/uuid_compare.3.gz:1]
W: uuid-dev: groff-message ... use "--tag-display-limit 0" to see all (or pipe to a file/program)

[Upstream red flags]
OK:
- no incautious use of malloc/sprintf
  => xmalloc() mostly used, all malloc() uses guarded with NULL checks
  => asprintf/xasprintf used instead of asprintf
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user 'nobody' outside of tests
- use of setuid()/setgid()
  => these are core system utilities; setuid/setgid is used to drop permissions, e.g. in setpriv, mount etc.
- This package has quite a few open bug reports. However, it is a core utilities package and upstream is very active.
- no dependency on webkit, qtwebkit or libseed
- translations present

Problems:
- Quite a few upstream build warnings (compiler and linker)

Compiler warnings:
login-utils/login.c:737:13: warning: ‘log_utmp’ defined but not used [-Wunused-function]
  737 | static void log_utmp(struct login_context *cxt)
      |             ^~~~~~~~
login-utils/login.c:601:13: warning: ‘log_btmp’ defined but not used [-Wunused-function]
  601 | static void log_btmp(struct login_context *cxt)
      |             ^~~~~~~~
login-utils/login.c:357:13: warning: ‘motd’ defined but not used [-Wunused-function]
  357 | static void motd(void)
disk-utils/fdisk-menu.c: In function 'geo_menu_cb':
disk-utils/fdisk-menu.c:1071:23: warning: 'a' may be used uninitialized [-Wmaybe-uninitialized]
 1071 |         rc = fdisk_ask_number(cxt, i, fdisk_get_geom_heads(cxt),
      |                       ^
disk-utils/fdisk-menu.c:1069:33: note: 'a' was declared here
 1069 |         unsigned int i, a;
      |                                 ^
disk-utils/fdisk-menu.c:1071:23: warning: 'i' may be used uninitialized [-Wmaybe-uninitialized]
 1071 |         rc = fdisk_ask_number(cxt, i, fdisk_get_geom_heads(cxt),
      |                       ^
disk-utils/fdisk-menu.c:1069:30: note: 'i' was declared here
 1069 |         unsigned int i, a;
      |                              ^
disk-utils/fdisk-menu.c:1077:23: warning: 'ma' may be used uninitialized [-Wmaybe-uninitialized]
 1077 |         rc = fdisk_ask_number(cxt, mi, fdisk_get_geom_sectors(cxt),
      |                       ^
disk-utils/fdisk-menu.c:1050:28: note: 'ma' was declared here
 1050 |         fdisk_sector_t mi, ma;
      |                            ^
disk-utils/fdisk-menu.c:1077:23: warning: 'mi' may be used uninitialized [-Wmaybe-uninitialized]
 1077 |         rc = fdisk_ask_number(cxt, mi, fdisk_get_geom_sectors(cxt),
      |                       ^
disk-utils/fdisk-menu.c:1050:24: note: 'mi' was declared here
 1050 |         fdisk_sector_t mi, ma;
      |                        ^

Linker warnings:
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(complete.o): in function `rl_username_completion_function': (.text+0x4dd1): warning: Using 'getpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: (.text+0x4dc8): warning: Using 'setpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: (.text+0x4e69): warning: Using 'endpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(tilde.o): in function `tilde_expand_word': (.text+0x165): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(shell.o): in function `sh_get_home_dir': (.text+0x169): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(complete.o): in function `rl_username_completion_function': (.text+0x4dd1): warning: Using 'getpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: (.text+0x4dc8): warning: Using 'setpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(shell.o): in function `sh_get_home_dir': (.text+0x19a): warning: Using 'endpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(tilde.o): in function `tilde_expand_word': (.text+0x165): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/14/../../../x86_64-linux-gnu/libreadline.a(shell.o): in function `sh_get_home_dir': (.text+0x169): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

** Changed in: util-linux (Ubuntu)
     Assignee: Pushkar Kulkarni (pushkarnk) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/2113961
Title: [MIR] util-linux
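The [Security] and [Upstream red flags] sections note that setuid()/setgid() are used to drop permissions and that utilities such as umount, eject and swapon drop privileges for sub-tasks. What a reviewer looks for in such code is that the drop is ordered correctly, that every return value is checked, and that it is verified to be permanent. The following is an added, generic illustration written for this review; it is not util-linux's own implementation. The target ids are assumptions: when run as root it drops to uid/gid 65534, otherwise it re-sets its own ids so the same path and checks run unprivileged.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently drop to uid/gid. Returns 0 on success, -1 on failure with
 * errno set. Order matters: supplementary groups and the primary gid are
 * changed while we still hold root, because once the uid is gone we can
 * no longer change them. Called as root, setgid()/setuid() set the real,
 * effective and saved ids together, so nothing is left to switch back to.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() needs CAP_SETGID; an unprivileged caller skips it. */
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;

    /* Check the real and effective ids actually changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EINVAL;
        return -1;
    }

    /*
     * Prove the drop is permanent. An unprivileged process may setuid()
     * or setgid() only to its real or saved id, so if a saved id of 0
     * survived (e.g. because only seteuid() was used), these calls would
     * succeed and we would be root again. For a non-root target they
     * must fail with EPERM.
     */
    if (uid != 0 && (setuid(0) == 0 || setgid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/*
 * Demo target selection (an assumption for this example): uid/gid 65534
 * when running as root, otherwise our own ids. Returns drop_privileges()'s
 * result.
 */
int demo_drop(void)
{
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getegid() == 0 ? (gid_t)65534 : getgid();
    return drop_privileges(uid, gid);
}

int main(void)
{
    if (demo_drop() < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%u euid=%u gid=%u egid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    return 0;
}
```

The final re-escalation probe is the part most often missing in practice: a process that used seteuid() instead of setuid() still has a saved uid of 0 and can silently regain root, which getuid()/geteuid() alone will not reveal.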
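The -Wmaybe-uninitialized warnings in disk-utils/fdisk-menu.c are worth more attention than the unused-function ones, because an uninitialised read is undefined behaviour and, on a stack, leaks whatever the previous call left there. The shape the diagnostics describe is two locals declared without initialisers, assigned inside a switch, and read after it. The following added example reproduces that shape in a stand-alone function beside a corrected one; it is not fdisk's code, and the menu keys and bounds it uses are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>

/*
 * Shape of the warned code: i and a are only assigned in the switch
 * arms. For any key the switch does not handle, the stores below read
 * uninitialised stack memory (undefined behaviour). This is exactly
 * what the compiler cannot rule out and why it warns.
 */
static int geo_range_unchecked(char key, unsigned int *lo, unsigned int *hi)
{
    unsigned int i, a;
    switch (key) {
    case 'c': i = 1; a = 1048576; break;  /* assumed cylinder bounds */
    case 'h': i = 1; a = 256;     break;  /* assumed head bounds */
    case 's': i = 1; a = 63;      break;  /* assumed sector bounds */
    }
    *lo = i;   /* garbage for any other key */
    *hi = a;
    return 0;
}

/*
 * Corrected form: every path defines i and a, and an unknown key is
 * reported as an error instead of producing a bogus range. Returns 0
 * on success, -EINVAL for an unhandled key.
 */
int geo_range(char key, unsigned int *lo, unsigned int *hi)
{
    unsigned int i = 0, a = 0;
    switch (key) {
    case 'c': i = 1; a = 1048576; break;
    case 'h': i = 1; a = 256;     break;
    case 's': i = 1; a = 63;      break;
    default:  return -EINVAL;
    }
    *lo = i;
    *hi = a;
    return 0;
}

int main(void)
{
    unsigned int lo, hi;
    if (geo_range('h', &lo, &hi) == 0)
        printf("heads: %u..%u\n", lo, hi);
    if (geo_range('x', &lo, &hi) == -EINVAL)
        printf("'x': rejected\n");
    (void)geo_range_unchecked;  /* kept only to show the warned shape */
    return 0;
}
```

Building the block with -Wall reproduces the class of warning the review lists; the fix is the default arm plus initialisers, which costs nothing at runtime and turns an undefined read into a checked error.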
