[MIR] new build dependencies for ceilometer

Bug #1349868 reported by Matthias Klose
Affects                       Status        Importance  Assigned to  Milestone
libsmi (Ubuntu)               Fix Released  Undecided   Unassigned   -
python-pysnmp4 (Ubuntu)       Fix Released  Undecided   Unassigned   -
python-pysnmp4-apps (Ubuntu)  Fix Released  Undecided   Unassigned   -
python-pysnmp4-mibs (Ubuntu)  Fix Released  Undecided   Unassigned   -

Bug Description

python-pysnmp4, python-pysnmp4-mibs, python-pysnmp4-apps, libsmi

Matthias Klose (doko)
Changed in libsmi (Ubuntu):
assignee: nobody → Canonical Server Team (canonical-server)
status: New → Incomplete
Changed in python-pysnmp4 (Ubuntu):
status: New → Incomplete
Changed in python-pysnmp4-apps (Ubuntu):
status: New → Incomplete
Changed in python-pysnmp4-mibs (Ubuntu):
status: New → Incomplete
Changed in python-pysnmp4 (Ubuntu):
assignee: nobody → Canonical Server Team (canonical-server)
Changed in python-pysnmp4-apps (Ubuntu):
assignee: nobody → Canonical Server Team (canonical-server)
Changed in python-pysnmp4-mibs (Ubuntu):
assignee: nobody → Canonical Server Team (canonical-server)
Corey Bryant (corey.bryant) wrote :

libsmi
----------
Availability: Currently in universe
Rationale: Dependency for Openstack Ceilometer.
Security: CVE-2010-2891 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2891); CVE entry created: 2010-07-27; Fixed in package: 2010-10-23 (changelog)
Quality Assurance: Package works out of the box with no prompting. There are no major bugs in Ubuntu or Debian.
Dependencies: All are in main.
Standards Compliance: FHS and Debian Policy compliant.
Maintenance: Simple package that the Ubuntu Server Team will take care of.

python-pysnmp4
-----------------------------
Availability: Currently in universe
Rationale: Dependency for Openstack Ceilometer.
Security: No CVE security history. Uses SNMP privileged ports 161/162.
Quality Assurance: Package works out of the box with no prompting. There are no major bugs in Ubuntu or Debian.
Dependencies: All are in main.
Standards Compliance: FHS and Debian Policy compliant.
Maintenance: Simple python package that the Ubuntu Server Team will take care of.

python-pysnmp4-apps
--------------------------------------
Availability: Currently in universe
Rationale: Dependency for Openstack Ceilometer.
Security: No CVE security history. Uses SNMP privileged ports 161/162.
Quality Assurance: Package works out of the box with no prompting. There are no major bugs in Ubuntu or Debian.
Dependencies: All are in main.
Standards Compliance: FHS and Debian Policy compliant.
Maintenance: Simple python package that the Ubuntu Server Team will take care of.

python-pysnmp4-mibs
--------------------------------------
Availability: Currently in universe
Rationale: Package works out of the box with no prompting. Dependency for Openstack Ceilometer.
Security: No security history.
Quality Assurance: Package works out of the box with no prompting. There are no major bugs in Ubuntu or Debian.
Dependencies: All are in main.
Standards Compliance: FHS and Debian Policy compliant.
Maintenance: Simple python package that the Ubuntu Server Team will take care of.

Changed in libsmi (Ubuntu):
status: Incomplete → In Progress
Changed in python-pysnmp4 (Ubuntu):
status: Incomplete → In Progress
Changed in python-pysnmp4-apps (Ubuntu):
status: Incomplete → In Progress
Changed in python-pysnmp4-mibs (Ubuntu):
status: Incomplete → In Progress
Changed in libsmi (Ubuntu):
assignee: Canonical Server Team (canonical-server) → Corey Bryant (corey.bryant)
Changed in python-pysnmp4 (Ubuntu):
assignee: Canonical Server Team (canonical-server) → Corey Bryant (corey.bryant)
Changed in python-pysnmp4-apps (Ubuntu):
assignee: Canonical Server Team (canonical-server) → Corey Bryant (corey.bryant)
Changed in python-pysnmp4-mibs (Ubuntu):
assignee: Canonical Server Team (canonical-server) → Corey Bryant (corey.bryant)
Changed in libsmi (Ubuntu):
status: In Progress → New
Changed in python-pysnmp4 (Ubuntu):
status: In Progress → New
Changed in python-pysnmp4-apps (Ubuntu):
status: In Progress → New
Changed in python-pysnmp4-mibs (Ubuntu):
status: In Progress → New
Michael Terry (mterry)
Changed in python-pysnmp4-mibs (Ubuntu):
assignee: Corey Bryant (corey.bryant) → Jamie Strandboge (jdstrand)
Changed in libsmi (Ubuntu):
assignee: Corey Bryant (corey.bryant) → nobody
Changed in python-pysnmp4 (Ubuntu):
assignee: Corey Bryant (corey.bryant) → nobody
Changed in python-pysnmp4-apps (Ubuntu):
assignee: Corey Bryant (corey.bryant) → nobody
Changed in python-pysnmp4-mibs (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
Michael Terry (mterry) wrote :

Assigning this set to Jamie, since they seem security-sensitive.

Changed in python-pysnmp4-apps (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in python-pysnmp4 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in libsmi (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in python-pysnmp4-mibs (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in python-pysnmp4 (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Changed in python-pysnmp4-apps (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Jamie Strandboge (jdstrand) wrote :

python-pysnmp4-mibs doesn't have a testsuite, but otherwise packaging looks good. There is no Debian delta.

Changed in python-pysnmp4-mibs (Ubuntu):
status: New → Fix Committed
assignee: Jamie Strandboge (jdstrand) → nobody
Changed in libsmi (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Seth Arnold (seth-arnold) wrote :

I reviewed libsmi version 0.4.8+dfsg2-9ubuntu2 as checked into utopic.
This should not be considered a full security audit but rather a quick
gauge of maintainability.

CVE history: CVE-2010-2891

- libsmi provides bindings to manipulate OIDs stored in MIB files
- Build-Depends: flex, bison, debhelper, dh-autoreconf
- No cryptography
- May call wget or similar via smicache mechanism; I believe this isn't
  enabled by default in our packages
- Does not daemonize
- No pre/post inst/rm scripts
- No initscripts
- No dbus
- No setuid
- No sudo fragments
- No cronjobs
- No udev rules
- Binaries smistrip, smicache, smidump, smilint, smiquery, smixlate,
  smidiff
- Test suite isn't run during build
- Build logs are fairly messy
- binaries not PIE

- Subprocesses only spawned for smicache
- Memory management is hectic
- The individual tools will write to files designated by the user
- The logging looked safe
- The environment variable uses looked sane
- No privileged operations
- No cryptography
- May call wget to download MIB files
- No temporary files
- No WebKit
- No PolicyKit
- A handful of errors from cppcheck, some common, some surprising

Here are some notes I've collected while reviewing the code in the hopes
someone finds them useful:

- getOidString() very complicated, no protection against overflowing 's'
  buffer. I suspect bugs live in this function.
- parseDH() very complicated, I suspect bugs live in this function. case
  '*' at least seems to hide memory leaks.
- printClass() no protection against overflowing 'string' buffer
- fprint() missing error return check on 'fputs()'
- getValueString() no protection against overflowing 's' buffer
- optString() may not nul-terminate the return string
- getStringIndexList() insufficient allocation for strIdxLst, uses +4 but
  should use +5, one-byte buffer overflow overwrites space for nul. This
  function may work by accident.
- getStringSubrange() memory leak minStr, maxStr
- getStringRange() memory leak str, subRange
- undefined behaviours (sprintf(dest, "%s", dest))
- many warnings
- smidiff.c:840:1: note: the ABI of passing union with long double has
  changed in GCC 4.4

This codebase is pretty messy; there's duplicated code in multiple files
rather than using shared utility files; there's awkward uses of C string
routines, there's extensive memory allocation and re-allocation when
manipulating strings, there's extensive use of fixed-length buffers
without visible bounds checking, etc.

There are doubtless many bugs left in this library; cppcheck has reported
some, gcc reports many warnings, and there is a lot of room for
improvement. It really needs something like a StringBuffer-style
datastructure to replace the extensive C-string operations.

However, despite my large misgivings about this library, by and large it
should process mostly-static data from trusted sources. In this role its
flaws may not be a big deal.

Please enable build-time tests. Please enable PIE for the binaries.

Please ensure that ceilometer does not need the smicache functionality;
this library should not be used on unauthenticated data.

Security team ACK for promoting libsmi to main.
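
The StringBuffer-style structure the review above asks for, as an added example that is not libsmi code: a length-tracked buffer whose append grows to len + need + 1 before writing, so the terminating NUL always has room (the "+4 should be +5" off-by-one noted for getStringIndexList) and the self-referencing sprintf(dest, "%s", dest) pattern is not needed. format_index_list and its "[a, b, c]" output format are constructed for illustration and do not reflect libsmi's real functions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Growable, length-tracked string buffer (added example, not libsmi code). */
typedef struct {
    char *data;  /* always NUL-terminated */
    size_t len;  /* bytes in use, not counting the NUL */
    size_t cap;  /* bytes allocated, counting the NUL */
} strbuf;

int strbuf_init(strbuf *b) {
    b->len = 0; b->cap = 16;
    b->data = malloc(b->cap);
    if (!b->data) return -1;
    b->data[0] = '\0';
    return 0;
}
/* Append formatted text: vsnprintf(NULL, 0, ...) reports the size needed, the
 * buffer grows to len + need + 1 (the +1 is the NUL) before anything is
 * written. Arguments must not point into b->data (realloc may move it). */
int strbuf_appendf(strbuf *b, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int need = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (need < 0) return -1;
    if (b->len + (size_t)need + 1 > b->cap) {
        size_t ncap = b->cap;
        while (ncap < b->len + (size_t)need + 1) ncap *= 2;
        char *p = realloc(b->data, ncap);
        if (!p) return -1;
        b->data = p; b->cap = ncap;
    }
    va_start(ap, fmt);
    vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap);
    va_end(ap);
    b->len += (size_t)need;
    return 0;
}
/* Hypothetical caller: render names as "[a, b, c]" with no fixed-size scratch
 * array. On success the caller owns and frees out->data. */
int format_index_list(const char *const *names, size_t n, strbuf *out) {
    if (strbuf_init(out)) return -1;
    int rc = strbuf_appendf(out, "[");
    for (size_t i = 0; rc == 0 && i < n; i++)
        rc = strbuf_appendf(out, "%s%s", i ? ", " : "", names[i]);
    if (rc == 0) rc = strbuf_appendf(out, "]");
    if (rc) { free(out->data); out->data = NULL; }
    return rc;
}
```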

Seth Arnold (seth-arnold) wrote :

I reviewed python-pysnmp4 version 4.2.5-1 as checked into utopic. This
should not be considered a full security audit, but rather a quick gauge
of code maintainability.

- python-pysnmp provides a pure-python implementation of snmp
- Build-Depends: debhelper (>= 5.0.37.2), cdbs, python-all, python3-all,
  python-setuptools, python3-setuptools, python-crypto, python3-crypto
- Depends: smitools
- Recommends: python-crypto, python-pysnmp4-mibs, python-pysnmp4-apps,
  python-twisted
- Does use encryption
- Does use networking
- Uses smitools, thus libsmi
- Can be added to other applications via twisted, asyncore
- Does not itself daemonize
- No pre/post inst/rm scripts
- No initscripts
- No dbus
- No setuid
- No sudo fragments
- No udev rules
- No cron jobs
- Adds libsmi2pysnmp and build-pysnmp-mib binaries
- Clean build logs

- No subprocesses spawned
- Python, no real memory management
- Only file operation is read-only
- Logging looked safe
- No use of environment variables
- No privileged operations
- Does use cryptography, SNMP-standards-specified use of MD5, DES, 3DES,
  AES, SHA-1, etc. I didn't investigate further, mechanisms all
  standardized
- Extensive networking, looked to be well-managed
- No privileged portions of code
- No temporary files
- No WebKit
- No JavaScript
- No PolicyKit

The code is complicated, though references to relevant RFC sections
abound in much of the code. It all seemed straightforward enough,
considering the complexity of SNMP.

Security team ACK for promoting python-pysnmp4 to main.

Seth Arnold (seth-arnold) wrote :

I reviewed python-pysnmp4-apps version 0.3.2-1 as checked into utopic.
This should not be considered a full security audit, but rather a quick
gauge of code maintainability.

- This package provides snmp tools similar to the netsnmp tools.
- Build-Depends: debhelper, cdbs, python-all, python-setuptools
- Does not itself do cryptography
- Does not itself do networking
- Does not daemonize
- No pre/post inst/rm
- No initscripts
- No dbus
- No setuid
- No sudo fragments
- No udev rules
- No cronjobs
- No testsuite
- Clean build logs

- No spawned subprocesses
- No memory management (Python)
- No file manipulation
- Logging looks sane
- No environment variables
- No privileged operations
- No cryptography (user interface selects among authentication and privacy
  options to be used in snmp)
- No privileged portions of code
- No temporary files
- No WebKit
- No Javascript
- No PolicyKit

python-pysnmp4-apps is high-quality, high-density code -- while fixes
might be difficult, I suspect there aren't many bugs to be found.

Security team ACK for promoting python-pysnmp4-apps to main.

Changed in libsmi (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
Changed in python-pysnmp4 (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
Changed in python-pysnmp4-apps (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
Changed in libsmi (Ubuntu):
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

libsmi packaging looks fine and ticks all the boxes except for the issues Seth mentioned. Needs a bug subscriber and to enable the testsuite. Considering the time, I would find it acceptable to enable the test suite in an SRU.

Changed in python-pysnmp4-apps (Ubuntu):
status: New → Fix Committed
Jamie Strandboge (jdstrand) wrote :

python-pysnmp4-apps packaging looks fine. There is no testsuite. Conditional ACK provided there is a bug subscriber.

Jamie Strandboge (jdstrand) wrote :

python-pysnmp4 packaging looks fine too. There is no testsuite. Conditional ACK provided there is a bug subscriber, pending security review.

Changed in python-pysnmp4 (Ubuntu):
status: New → Fix Committed
Changed in libsmi (Ubuntu):
assignee: nobody → Matthias Klose (doko)
Matthias Klose (doko) wrote :

PIE for libsmi enabled, and packages promoted.

keeping the bug reports open, until the remaining issues are addressed

Changed in libsmi (Ubuntu):
assignee: Matthias Klose (doko) → nobody
status: In Progress → Fix Committed
Nish Aravamudan (nacc) wrote :

All four of these are in main, FYI.

Jeremy Bícha (jbicha)
Changed in python-pysnmp4 (Ubuntu):
status: Fix Committed → Fix Released
Changed in python-pysnmp4-apps (Ubuntu):
status: Fix Committed → Fix Released
Changed in python-pysnmp4-mibs (Ubuntu):
status: Fix Committed → Fix Released
Changed in libsmi (Ubuntu):
status: Fix Committed → Fix Released
Jeremy Bícha (jbicha) wrote :

All of these were promoted to main. I opened LP: #1762049 for the remaining issue of the test suite not being enabled yet.
