[MIR] beanstalkd

Bug #1252374 reported by Andres Rodriguez
Affects: beanstalkd (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: Unassigned

Bug Description

1. Availability: any

2. Rationale:
beanstalkd is a dependency of beanstalkc, which is in turn a dependency of kombu.

3. Security:
No CVEs

4. QA:
0 bugs in Debian.
1 bug in Ubuntu.

5. UI standards:
None

6. Dependencies:
All in main

7. Standards:
No lintian errors.
Packaged with debhelper. Source format is 3.0 (quilt)

8. Maintenance:
Easy.

9. Background information:
This package is a dependency required for python-beanstalkc, which is in turn a dependency of kombu.

Matthias Klose (doko) wrote :

package lacking a subscriber, at least

Changed in beanstalkd (Ubuntu):
status: New → Incomplete
Andres Rodriguez (andreserl) wrote :

Done

Changed in beanstalkd (Ubuntu):
status: Incomplete → New
Michael Terry (mterry) wrote :

Runs a system daemon. Assigning for security review.

Changed in beanstalkd (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in beanstalkd (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Chuck Short (zulcss)
Changed in beanstalkd (Ubuntu):
importance: Undecided → High
Chuck Short (zulcss)
Changed in beanstalkd (Ubuntu):
importance: High → Critical
Matthias Klose (doko) wrote :

the package ftbfs

Changed in beanstalkd (Ubuntu):
assignee: Seth Arnold (seth-arnold) → Chuck Short (zulcss)
tags: added: ftbfs
Seth Arnold (seth-arnold) wrote :

I reviewed beanstalkd version 1.9-1 as checked into trusty. This should
not be considered a full security audit but rather a quick gauge of
maintainability.

- Beanstalk provides a simple, unauthenticated, work queue mechanism;
  producers add jobs to the queue, consumers remove jobs from the queue.
  The protocol is plain-ascii with application-agnostic data formats
  inspired by memcached's simple protocol.
- Build-depends libtool, net-tools, dh-systemd
- Depends adduser, netbase
- No cryptography
- Extensive networking
- No library dependencies
- Does not daemonize, relies upon start-stop-daemon or systemd
- Pre/post inst/rm scripts clean up after adding new user, adding
  initscript
- Initscript starts and stops the daemon, manages pid file, etc
- No dbus
- No setuid
- Provides /usr/sbin/beanstalkd executable
- No sudo
- No udev
- No cron
- Clean build logs
- Moderate test suite run at build time

- No process spawning outside test suite
- Memory management is clean, allocations are checked for errors
- An on-disk journal is maintained that can recover from unexpected
  restarts
- Logging functions looked safe
- Environment variable handling was mostly related to systemd, looked safe
- Privilege dropping forgot to clear supplementary groups, however the
  functionality isn't used in Debian and derived systems
- No cryptography
- Network input is carefully parsed
- No temporary file handling outside test suite
- No WebKit
- No PolicyKit

The code is high-quality; much of it is beautiful.

I found three very slight issues while reading the code:

- Doesn't drop supplementary groups
- listen(2) is called on the server socket twice
- A check for truncated tube names doesn't function
  https://github.com/kr/beanstalkd/issues/224

The privilege dropping code is not the usual use of beanstalkd in Debian
and derived distributions. Calling listen(2) twice on a socket is likely a
no-op on all major platforms.

When filing the issue for incorrectly determining if a tube name was
truncated, I did see several other issues were filed with inconsistencies
surrounding tube names around 190 characters and longer; an application
author would be wise to limit tube names to something shorter. I did not
see any security-relevant issues with long names.

One potential downside to beanstalkd is the complete lack of
authentication and authorization. This does somewhat limit the
applications where beanstalkd could be applied.

Security team ACK for promoting beanstalkd to main.

Thanks
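The review's third finding is a truncation check for tube names that never fires. The following is an added illustration, not beanstalkd's code, of why a length check written against the copied result cannot detect truncation, next to the snprintf return-value pattern that does. The 201-byte buffer and the 300-character sample name are constructed for the example and are not beanstalkd's constants.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example; not a beanstalkd constant. */
#define NAME_BUF 201

/* Broken pattern: snprintf always NUL-terminates inside the buffer, so
 * strlen(buf) can never exceed bufsz - 1 and this test is dead code.
 * Shown only to illustrate a check that "doesn't function". */
int truncated_broken(const char *buf, size_t bufsz)
{
    return strlen(buf) > bufsz - 1;
}

/* Working pattern: snprintf returns the length it wanted to write.
 * A return value >= dstsz means the source did not fit.
 * Returns the copied length, or -1 if the name was truncated or on error
 * (the caller should reject the command rather than use a silently
 * shortened name). */
int copy_name(char *dst, size_t dstsz, const char *src)
{
    int n = snprintf(dst, dstsz, "%s", src);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return n;
}

/* Constructed input: a 300-character name, longer than NAME_BUF. */
static void make_long_name(char *out, size_t len)
{
    memset(out, 'a', len);
    out[len] = '\0';
}

/* Returns 1 if copy_name correctly rejects the over-long name. */
int long_name_rejected(void)
{
    char src[301], dst[NAME_BUF];
    make_long_name(src, 300);
    return copy_name(dst, sizeof dst, src) == -1;
}

/* Returns the result of the broken check after the same copy: 0,
 * i.e. the truncation goes unnoticed. */
int broken_check_fires(void)
{
    char src[301], dst[NAME_BUF];
    make_long_name(src, 300);
    snprintf(dst, sizeof dst, "%s", src);
    return truncated_broken(dst, sizeof dst);
}

/* Returns 1 if a name that fits is accepted with its true length. */
int short_name_accepted(void)
{
    char dst[NAME_BUF];
    return copy_name(dst, sizeof dst, "default") == 7 && strcmp(dst, "default") == 0;
}

int main(void)
{
    printf("over-long name rejected: %d\n", long_name_rejected());
    printf("broken check noticed it: %d\n", broken_check_fires());
    printf("short name accepted: %d\n", short_name_accepted());
    return 0;
}
```

The lesson for a daemon parsing network input is that the decision must be made from the copy's return value, before the shortened buffer is ever used as a key.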

Changed in beanstalkd (Ubuntu):
assignee: Chuck Short (zulcss) → nobody
tags: removed: ftbfs
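The review notes that the privilege-dropping code forgot to clear supplementary groups. As an added example that is not beanstalkd's code, here is a drop-privileges routine in the order that sheds every credential, with a verification step that a leftover group or a regained root is treated as a hard failure. It assumes a Linux/glibc target (setresuid, setresgid, setgroups); the sample group list at the bottom is constructed for the self-check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure post-drop check: the supplementary group list must be empty or
 * contain nothing but the target gid. Returns 1 if clean, 0 otherwise. */
int groups_cleared(const gid_t *groups, int ngroups, gid_t target)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != target)
            return 0;
    return 1;
}

/* Drop from root to uid/gid. Order matters: supplementary groups first
 * (needs root), then gid, then uid, after which nothing is reversible.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t groups[64];
    int n;

    /* 1. Clear supplementary groups: the step the review found missing.
     *    Skipping it leaves the daemon in every group root was in. */
    if (setgroups(0, NULL) != 0)
        return -1;
    /* 2. Primary group, real/effective/saved, so no saved gid remains. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    /* 3. User id last, again all three ids. */
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Verify rather than trust the calls. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* getgroups fails with EINVAL if more than 64 groups remain, which is
     * itself proof the list was not cleared. */
    n = getgroups(64, groups);
    if (n < 0 || !groups_cleared(groups, n, gid)) {
        errno = EPERM;
        return -1;
    }
    /* Becoming root again must be impossible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Constructed sample group list for the self-check below: a target gid
 * followed by two groups that a correct drop would have removed. */
const gid_t sample_groups[] = {1000, 4, 27};

int main(void)
{
    if (getuid() != 0) {
        puts("not root; skipping live drop");
        return 0;
    }
    /* uid/gid 65534 is the conventional nobody/nogroup pair on many
     * distributions; resolve it with getpwnam in real code. */
    if (drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    puts("privileges dropped and verified");
    return 0;
}
```

Calling setgroups before setgid is deliberate: once the gid and uid have changed, setgroups itself is no longer permitted, so the missing call cannot be added later in the sequence.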
Matthias Klose (doko) wrote :

Override component to main
beanstalkd 1.9-2ubuntu1 in trusty: universe/net -> main
beanstalkd 1.9-2ubuntu1 in trusty amd64: universe/net/extra/100% -> main
beanstalkd 1.9-2ubuntu1 in trusty arm64: universe/net/extra/100% -> main
beanstalkd 1.9-2ubuntu1 in trusty armhf: universe/net/extra/100% -> main
beanstalkd 1.9-2ubuntu1 in trusty i386: universe/net/extra/100% -> main
beanstalkd 1.9-2ubuntu1 in trusty powerpc: universe/net/extra/100% -> main
beanstalkd 1.9-2ubuntu1 in trusty ppc64el: universe/net/extra/100% -> main
7 publications overridden.

Changed in beanstalkd (Ubuntu):
status: New → Fix Released