[Bug 1200296] Re: [MIR] spice-vdagent

Seth Arnold 1200296 at bugs.launchpad.net
Fri Dec 1 04:19:45 UTC 2017


I reviewed spice-vdagent 0.17.0-1ubuntu1 as checked into zesty. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

spice-vdagent provides some services between virtual machine host and
guests to make the experience less jarring.

One CVE is in our database for the Windows client.

- Build-Depends: debhelper, pkg-config, dh-systemd, libspice-protocol-dev,
  libdbus-1-dev, libx11-dev, libxrandr-dev, libxfixes-dev,
  desktop-file-utils, libxinerama-dev, libpciaccess-dev, autoconf, automake,
  libglib2.0-dev, systemd, libsystemd-dev, libasound2-dev
- Provides a client and server; both daemonize
- pre/post inst/rm scripts automatically generated
- spice-vdagent init script starts the guest daemon, modprobes uinput
- spice-vdagentd and spice-vdagent systemd service files start their
  daemons
- no dbus services
- No setuid or setgid files
- Two executables in PATH /usr/bin/spice-vdagent and
  /usr/sbin/spice-vdagentd
- No sudo fragments
- One udev rule for virtio-ports
- No test suite
- No cron
- Clean build logs

- Subprocesses spawned using system(), unsafe construction, reported
  upstream
- Memory management looked good enough; some cases of malloc(a*b) but 'b'
  was often 4, 8, maybe 16, and 'a' calculated from data on the wire in a
  fashion that looked difficult to really abuse.
- File IO looked safe except for uses of system()
- Logging looked safe
- No environment variable use
- chmod(socket, 0666) looked out of place
- other privileged ioctl() calls looked fine
- No cryptography
- Does networking; a quick skim looked like all Unix Domain Sockets
- I didn't see privileged portions of the code
- No tmp files
- No WebKit
- No PolicyKit
- Clean cppcheck


Here are some notes I collected while reviewing spice-vdagent:

- vdagent_file_xfers_data() does not escape xfers->save_dir before giving
  it to the shell (CVE-2017-15108 was assigned for this issue)
- vdagent_file_xfers_data() does not check snprintf() return code; a
  too-long xfers->save_dir could cause the & or ' or any number of other
  characters to go missing.
- daemonize() from ./src/vdagentd.c only forks once
- daemonize() from ./src/vdagent.c only forks once
- why does main() in ./src/vdagentd.c set vdagentd_socket to 0666?


This symlink looks out of place:

/usr/share/gdm/greeter/autostart/spice-vdagent.desktop ->
/etc/xdg/autostart/spice-vdagent.desktop

Please make sure
https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61
is included in our package before promoting the package.

Security team ACK for promoting spice-vdagent to main.

Thanks
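The first two review notes (save_dir handed to the shell unescaped, snprintf() return value unchecked) as an added example that is not spice-vdagent's code: the unchecked pattern described above beside a form that fails closed on truncation and launches xdg-open without a shell. The function names and the exact format string are assumptions reconstructed from the review's description of the missing `&` and `'`.

```c
/* Added example, not code from spice-vdagent. The format string is a
 * reconstruction of the pattern the review describes; build_cmd_*,
 * run_noshell are assumed names. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Weak form: the return value of snprintf() is ignored, so a long
 * save_dir silently loses the closing quote and the trailing '&', and
 * whatever is left is handed to /bin/sh by system(). */
int build_cmd_unchecked(char *buf, size_t len, const char *save_dir)
{
    snprintf(buf, len, "xdg-open '%s'&", save_dir);
    return 0;               /* caller cannot tell the buffer was truncated */
}

/* Hardened form of the same string building: snprintf() returns the
 * length it *wanted* to write, so n >= len means truncation; refuse
 * rather than run a half-built command line. */
int build_cmd_checked(char *buf, size_t len, const char *save_dir)
{
    int n = snprintf(buf, len, "xdg-open '%s'&", save_dir);
    if (n < 0 || (size_t)n >= len) {
        buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Preferred form: no shell at all. argv goes straight to execvp(), so
 * quotes, '&', ';' or '$' in save_dir are plain bytes in one argument
 * and there is nothing to escape. wait=0 detaches like the '&' did;
 * wait=1 returns the child's exit status (127 if exec failed). */
int run_noshell(char *const argv[], int wait)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);         /* only reached when execvp() fails */
    }
    if (!wait)
        return 0;
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

For the real call site the argv would be {"xdg-open", save_dir, NULL}; the test below uses harmless commands so it runs anywhere.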


** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15108

** Changed in: spice-vdagent (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1200296

Title:
  [MIR] spice-vdagent

Status in spice-vdagent package in Ubuntu:
  Confirmed
Status in ubuntu-meta package in Ubuntu:
  Confirmed

Bug description:
  Availability
  ============
  Built for all supported architectures.

  In sync with Debian except for one cherry-picked patch to hide spice-
  vdagent from Startup Applications.

  Rationale
  =========
  "spice-vdagent adds some nice features to guest systems running over SPICE: copy and paste between guest and host, arbitrary resolution support, ... It's also very tiny (40kB compressed, less than 200kB installed) and won't startup when not running in a SPICE guest.
  Shipping it on the desktop ISOs will improve the user experience when using SPICE (eg in GNOME Boxes), and will have no impact on other use cases, so it would be really nice to add this package to the ISO."

  Ubuntu GNOME 16.10 and 17.04 included it in the default install.

  Security
  ========
  No known open security vulnerabilities.

  https://rhn.redhat.com/errata/RHSA-2013-0924.html (CVE-2013-2152)

  Quality assurance
  =================
  Bug subscriber: Ubuntu Desktop Bugs

  https://bugs.launchpad.net/ubuntu/+source/spice-vdagent
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=spice-vdagent
  https://bugs.freedesktop.org/buglist.cgi?bug_status=__open__&component=unix agent&product=Spice

  No tests.

  Dependencies
  ============
  check-mir reports all other binary dependencies are in main

  Standards compliance
  ====================
  3.9.8

  Maintenance
  ===========
  - Actively developed upstream
  https://cgit.freedesktop.org/spice/linux/vd_agent/log/
  https://anonscm.debian.org/git/collab-maint/spice-vdagent.git

  - Maintained in Debian by the same Debian Developer who maintains the
  other Spice packages.

  short dh7 style rules, dh compat 10

  Background information
  ======================
  N/A
