[Bug 2031304] Re: [MIR] dracut

Nishit Majithia 2031304 at bugs.launchpad.net
Fri Sep 8 02:32:03 UTC 2023


I reviewed dracut 059-4ubuntu2 as checked into mantic.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

dracut is used to create an initramfs image by copying tools and files from
an installed system and combining it with the dracut framework, usually
found in /usr/lib/dracut/modules.d.

- CVE History
  - CVE-2010-4176(high) - Ubuntu package not-affected
  - CVE-2012-4453(low) - Ubuntu package not-affected
  - CVE-2015-0794(low) - Ubuntu package not-affected
  - CVE-2016-8637(medium) - Ubuntu package not-affected
- Build-Depends (from debian/control)
  - debhelper-compat (= 12), debhelper, asciidoc-base, xsltproc, docbook-xsl,
    docbook-xml, quilt, libkmod-dev, pkg-config, cpio, kmod, udev, kpartx,
    libkmod2, e2fsprogs
- pre/post inst/rm scripts
  - There are two scripts found
  a) postinst script: This script is designed to regenerate initramfs for
     all installed Linux kernel versions on a Debian-based system. It uses
     trigger mechanisms to do so, and it can be manually invoked as well.
     This kind of script is typically used to ensure that the initramfs is
     updated when new kernels are installed or updated on the system,
     ensuring a smooth boot process.
  b) postrm script: This script is designed to clean up log files
     associated with the "dracut" process when invoked with the "purge"
     argument. It removes log files matching the pattern /var/log/dracut.log
     and then exits with a success status. This type of script can be useful
     for maintenance tasks related to package management or log file
     management.
- init scripts
  - NA
- systemd units
  - dracut-core and dracut-network
    - `/usr/lib/dracut/modules.d/` dir contains various modules used by
      dracut during the initramfs generation process. Each subdirectory
      represents a module, and these modules can add specific functionality
      or configurations to the initramfs.
    - `/lib/systemd/system/` dir contains systemd service unit files. These
      service unit files are symlinked to specific services and targets
      related to dracut. They define how systemd manages dracut related
      services during the system boot process.
    - `/usr/lib/dracut/modules.d/*` directory appears to be a dracut module
      related to systemd integration.
    - `module-setup.sh` files are shell scripts used by the dracut modules
      to configure and set up specific functionalities in the initramfs.
      The scripts likely define how the modules should behave during the
      initramfs generation process.
    - Overall, these files and directories are part of the integration of
      dracut and systemd, and they contribute to the generation and
      management of the initramfs during the system boot process. Each
      module and service has a specific role in ensuring that the initramfs
      is correctly configured and functions as needed during the boot
      sequence.
- dbus services
  - NA
- setuid binaries
  - NA
- binaries in PATH
  - -rwxr-xr-x root/root     98202 2023-08-22 20:04 ./usr/bin/dracut
    -rwxr-xr-x root/root      3693 2023-08-22 20:04 ./usr/bin/dracut-catimages
    -rwxr-xr-x root/root     12127 2023-08-22 20:04 ./usr/bin/lsinitrd
- sudo fragments
  - NA
- polkit files
  - NA
- udev rules
  - NA
- unit tests / autopkgtests
  - All good
- cron jobs
  - NA
- Build logs
  - Few warnings
W: dracut-core: groff-message troff:<standard input>:193: warning: macro 'an-trap' not defined [usr/share/man/man5/dracut.conf.5.gz:1]
W: dracut-core: groff-message troff:<standard input>:216: warning: macro 'an-trap' not defined [usr/share/man/man8/dracut.8.gz:1]
W: dracut-core: groff-message troff:<standard input>:532: warning: macro 'an-trap' not defined [usr/share/man/man7/dracut.cmdline.7.gz:1]
W: dracut-core: groff-message troff:<standard input>:532: warning: macro 'an-trap' not defined [usr/share/man/man7/dracut.kernel.7.gz:1]
W: dracut-core: groff-message troff:<standard input>:68: warning: macro 'an-trap' not defined [usr/share/man/man7/dracut.modules.7.gz:1]

- Processes spawned
  - looks good
- Memory management
  - nothing suspicious, looks fine
- File IO
  - not much, happens for logging in util.c
- Logging
  - ferror() and log_error() mainly used
- Environment variable usage
  - looks good
- Use of privileged functions
  - looks good
- Use of cryptography / random number sources etc
  - NA
- Use of temp files
  - NA
- Use of networking
  - fine
- Use of WebKit
  - NA
- Use of PolicyKit
  - NA

- Any significant cppcheck results
  - nothing
- Any significant Coverity results
  - nothing, all issues are from tests/ folder
- Any significant shellcheck results
  - looks good
- Any significant bandit results
  - nothing
- Any significant govulncheck results
  - nothing
- Any significant Semgrep results
  - looks good


Security team ACK for promoting dracut to main


** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4176

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4453

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-0794

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-8637

** Changed in: dracut (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dracut in Ubuntu.
Matching subscriptions: dracut
https://bugs.launchpad.net/bugs/2031304

Title:
  [MIR] dracut

Status in dracut package in Ubuntu:
  Fix Committed

Bug description:
  [Availability]
  The package dracut is already in Ubuntu universe.
  The package dracut builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/dracut

  [Rationale]
  The package dracut is required in Ubuntu main for dracut-install being used by initramfs-tools (bug #2031185).
  The C binary dracut-install covers the same use case as the shell code in initramfs-tools to install kernel modules and files, but is much faster and allows finer filtering of the kernel modules.

  To my knowledge there are only initramfs-tools (main) and dracut
  (universe) in the archive that cover the use case. initramfs-tools is
  Debian-specific and dracut tries to be a distro-agnostic solution.

  dracut-core is already used by Ubuntu Core:
  https://github.com/snapcore/core-initrd/

  The package dracut is required in Ubuntu main before the feature freeze next
  Thursday to land the change in bug #2031185.

  [Security]
  - Had 5 security issues in the past
    - https://ubuntu.com/security/CVE-2016-8637 can disclose local information
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484 (issue in cryptsetup package, not dracut)
    - https://ubuntu.com/security/CVE-2015-0794 seems to be a SuSE specific issue
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0267 allows local users to write to arbitrary files via a symlink attack (probably Red Hat specific)
    - https://ubuntu.com/security/CVE-2012-4453 creates initramfs images with world-readable permissions
    - https://ubuntu.com/security/CVE-2010-4176 allows remote authenticated users to read terminal data from tty0 for local users (but vulnerable script not shipped)
  - no `suid` or `sgid` binaries
  - Package does install services, timers or recurring jobs (used by initrd.target.wants or sysinit.target.wants):
    - /lib/systemd/system/dracut-cmdline.service
    - /lib/systemd/system/dracut-initqueue.service
    - /lib/systemd/system/dracut-mount.service
    - /lib/systemd/system/dracut-pre-mount.service
    - /lib/systemd/system/dracut-pre-pivot.service
    - /lib/systemd/system/dracut-pre-trigger.service
    - /lib/systemd/system/dracut-pre-udev.service
    - /lib/systemd/system/dracut-shutdown-onfailure.service
    - /lib/systemd/system/dracut-shutdown.service
  - Package does not open privileged ports (ports < 1024).
  - Package does not expose any external endpoints
  - Package does not contain extensions to security-sensitive software
    (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dracut/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dracut
    - Upstream's bug tracker: https://github.com/dracutdevs/dracut/issues
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package does not run a test at build time because the upstream test suite starts several virtual machines (needing time and memory). The test suite needs a kernel, but the linux kernel is only readable by root (see bug #759725)
  - The package runs an autopkgtest, and is currently passing on
    amd64: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic/mantic/amd64/d/dracut/20230816_015908_d6cb2@/log.gz
  - I am working on fixing the new autopkgtests on the other architectures (see bug #2031417).

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field
  - Lintian overrides are not present
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies
  - The package will be installed by default, but does not ask debconf
    questions higher than medium
  - Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/dracut/-/blob/master/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main except for pigz that we should drop/demote

  [Standards compliance]
  - This package violates FHS or Debian Policy:
    - Installs into /usr/lib instead of /usr/libexec but that is what upstream and other distributions (e.g. Fedora) do

  [Maintenance/Owner]
  - Owning Team will be Foundations team
  - Foundations Team is not yet subscribed, but will subscribe to the package before promotion
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based (but that might change in the future)
  - The package has been built in the archive more recently than the last
    test rebuild

  [Background information]
  The package description explains the package well
  Upstream Name is dracut
  Link to upstream project: https://github.com/dracutdevs/dracut/wiki/
