[Bug 1543754] Re: [MIR] barbican, python-pykmip

Seth Arnold 1543754 at bugs.launchpad.net
Thu Aug 18 05:15:14 UTC 2016


I reviewed python-pykmip version 0.5.0-1 as checked into Ubuntu yakkety;
this shouldn't be considered a full security audit but rather a quick
gauge of maintainability.

- I did not notice python-pykmip CVEs in our tracking database

- python-pykmip provides a standardized user interface to hardware
  security modules, and provides a software "hardware" security module;
  this is marked deprecated, but might yet prove useful with proper access
  control mechanisms in place.
- Build-depends: debhelper, dh-python, python-all, python-setuptools,
  python-sphinx, python3-all, python3-setuptools, python-coverage,
  python-cryptography, python-enum34, python-fixtures, python-mock,
  python-pytest, python-six, python-sqlalchemy, python-testresources,
  python-testscenarios, python-testtools, python3-coverage,
  python3-cryptography, python3-fixtures, python3-mock, python3-pytest,
  python3-six, python3-sqlalchemy, python3-subunit, python3-testresources,
  python3-testscenarios, python3-testtools, subunit, testrepository,

- Does not daemonize as usual; hopefully whatever uses pykmip is prepared to
  handle the usual daemonizing
- pre/post inst/rm are automatically generated dh_python* and update-alternatives
- No initscript
- No dbus services
- No setuid
- python3-pykmip-server and python2-pykmip-server executables in PATH
- No sudo fragments
- No udev rules
- Relatively clean build logs
- No cronjobs
- Many tests in test suite run during build

- No subprocesses spawned
- Logging file opened via usual logging mechanisms
- Logging mechanisms looked safe
- Does not itself use environment variables
- No privileged operations
- Uses Python's TLS facilities
- Listens on sockets
- I didn't review closely enough to discover if there are privileged areas
  of code
- /tmp use that looks sketchy:
  sqlite:////tmp/pykmip.database  in  KmipEngine()
  This may justify further exploration, fixes.
- Does not use WebKit
- Does not use PolicyKit
- Does not use JS

The parts of this that I read looked professionally programmed; that said,
the sqlite:////tmp/pykmip.database is awkward and out of place.

Where does this get stored?

Before we can promote this package to main we need to be sure that this
database isn't stored in /tmp with a predictable name.

Thanks


** Changed in: python-pykmip (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to barbican in Ubuntu.
https://bugs.launchpad.net/bugs/1543754

Title:
  [MIR] barbican, python-pykmip

Status in barbican package in Ubuntu:
  In Progress
Status in python-pykmip package in Ubuntu:
  Incomplete

Bug description:
  [barbican]

  [Availability]
  Currently in universe

  [Rationale]
  OpenStack Mitaka requires the barbican package.

  [Security]
  No security history, however a security review is required.

  [Quality Assurance]
  No prompting during install, all unit tests ran successfully. All current bugs are triaged or in progress.

  [Dependencies]
  python-pykmip currently in universe, MIR below.

  [Standards Compliance]
  FHS and Debian Policy compliant.

  [Maintenance]
  Simple python package that the Ubuntu Server Team will take care of.

  [Background]
  Barbican provides a secure REST key store for authentication.

  //----------------------------------------------------------------------//

  [python-pykmip]

  [Availability]
  Currently in universe

  [Rationale]
  OpenStack Mitaka barbican requires this dependency.

  [Security]
  No security history.

  [Quality Assurance]
  No prompting during install, all unit tests ran successfully. All current bugs are triaged or in progress.

  [Dependencies]
  All in main.

  [Standards Compliance]
  FHS and Debian Policy compliant.

  [Maintenance]
  Simple python package that the Ubuntu Server Team will take care of.

  [Background]
  python-pykmip is an implementation of the Key Management Interoperability Protocol.
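
The review comment above flags `sqlite:////tmp/pykmip.database` as a database stored in /tmp under a predictable name. The following is an added example, not part of the original message and not pykmip's own code: a check a packager could run against a SQLAlchemy-style sqlite URL, plus one way to place the file in a private directory. The function names and the `pykmip-state` directory name are hypothetical.

```python
import os
import stat

SQLITE_PREFIX = "sqlite:///"  # SQLAlchemy form; a fourth slash starts an absolute path


def sqlite_path(url):
    """Return the filesystem path named by a file-backed sqlite URL."""
    if not url.startswith(SQLITE_PREFIX):
        raise ValueError("not a file-backed sqlite URL: %r" % (url,))
    return url[len(SQLITE_PREFIX):]


def audit_db_location(url):
    """Return a list of reasons the location is unsuitable for a key store."""
    path = sqlite_path(url)
    findings = []
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH:
        # Any local user can create the file first (or plant a link there).
        findings.append("parent directory is world-writable")
    try:
        st = os.lstat(path)  # lstat: examine a symlink itself, not its target
    except FileNotFoundError:
        return findings
    if stat.S_ISLNK(st.st_mode):
        findings.append("database path is a symlink")
    elif st.st_uid != os.getuid():
        findings.append("database file is owned by another user")
    elif st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("database file is accessible to group or other")
    return findings


def private_db_url(base_dir, name="pykmip.database"):
    """Create a 0700 state directory under base_dir; return a sqlite URL in it."""
    state = os.path.join(os.path.abspath(base_dir), "pykmip-state")
    os.makedirs(state, mode=0o700, exist_ok=True)
    os.chmod(state, 0o700)  # enforce the mode regardless of umask or prior state
    return SQLITE_PREFIX + os.path.join(state, name)


if __name__ == "__main__":
    # The URL quoted in the review; on a typical system /tmp is mode 1777.
    print(audit_db_location("sqlite:////tmp/pykmip.database"))
```

The sticky bit on /tmp prevents other users from deleting the file once it exists, but not from creating it first, which is why the check looks at the parent directory before the file itself.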
