[Bug 1891929] Re: [MIR] google-guest-agent

Alex Murray 1891929 at bugs.launchpad.net
Tue Oct 20 01:13:17 UTC 2020


Regarding the vendored packages, I have updated our CVE tracker to try
and capture as many of these as possible in
https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=e31511491f1d3258c609e449ecab26765ecf0f9f
- this should allow the security team to automatically have CVEs that
are in one of those vendored components be marked against
google-guest-agent as well. This was based on the list in
debian/extra/vendor/modules.txt so assuming that is up-to-date, consider
this an ACK for that addition.

Regarding the unconfined externally-controlled services, this feels like
a primary function of this package from what I can see, so whilst this
is clearly a prime target to attack for remote-code-execution etc, from
a cursory look, I can't see any obvious vulnerabilities in the current
implementation so I don't think it makes sense to NAK this MIR based on
that. I would definitely prefer to see these confined via an AppArmor
profile or similar if possible; however, I understand that this may not be
achievable.

As such, Security Team ACK (again) for promoting google-guest-agent to
main.

** Changed in: google-guest-agent (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gce-compute-image-packages in
Ubuntu.
https://bugs.launchpad.net/bugs/1891929

Title:
  [MIR] google-guest-agent

Status in gce-compute-image-packages package in Ubuntu:
  Invalid
Status in google-guest-agent package in Ubuntu:
  New

Bug description:
  [Availability]
  Google-guest-agent is in universe and only depends on packages provided in main or by the source package itself. The package is new in Groovy, but it replaces part of old gce-compute-image-packages. The package builds for all architectures.

  [Rationale]

  This package is included on the GCE images and the Ubuntu Foundations
  team has been supporting it as such. We'd like to get it included in
  main as that's the right thing to do.

  [Security]
  This is a new package, and as such has no security history to speak of. Since it will be installed on every Ubuntu system in GCE and performs system configuration and network communication as well, a security review is warranted, thus I'm subscribing the Security Team.

  [Quality assurance]
  There are currently 0 open bug reports (excluding this one) about the package and the Ubuntu Foundations team (foundations-bugs) is subscribed to bugs about the package.

  The package build runs the build-time testsuite.

  Packaging is minimal. There is an ongoing discussion about
  configuration file handling started in
  https://bugs.launchpad.net/ubuntu/+bug/1870314/comments/7 .

  [Dependencies]
  All binary dependencies are from main or come from the source package itself.
  Per the Golang policy exception Go build dependencies must also be in main.

  Golang build dependency chain with MIR bugs:
  google-guest-agent:
   golang-github-go-ini-ini LP: #1894731
   golang-github-golang-groupcache LP: #1894731
   golang-github-kardianos-service LP: #1894731
    golang-github-kardianos-osext LP: #1894731
   golang-github-tarm-serial LP: #1894731
   golang-github-gcp-guest-logging-go LP: #1894731
    golang-google-genproto
   golang-google-cloud
    golang-github-golang-mock (test only?)
    golang-github-google-btree LP: #1894731
    golang-github-google-martian
    golang-github-google-pprof
     golang-github-chzyer-readline
     golang-github-ianlancetaylor-demangle
    golang-github-googleapis-gax-go
    golang-go.opencensus
     golang-github-hashicorp-golang
    golang-golang-x-net LP: #1894731
     golang-google-cloud-compute-metadata
    golang-golang-x-time LP: #1894731
    golang-google-api
     golang-golang-x-oauth2 LP: #1894731
    golang-google-genproto
    golang-rsc-binaryregexp
   golang-google-grpc
    golang-golang-x-sys LP: #1894731
   golang-goprotobuf (main)
    golang-google-protobuf LP: #1894731

  [Standards compliance]
  Conforms to Debian Policy 4.5.0

  [Maintenance]
  The Ubuntu Foundations Team will continue to maintain the package as they have been doing.

  [Background information]
  The split of the old gce-compute-image-packages is described in https://bugs.launchpad.net/ubuntu/+bug/1870314/comments/2
