[MIR] gcab

Bug #1475021 reported by Mario Limonciello
Affects                  Status        Importance  Assigned to  Milestone
appstream-glib (Ubuntu)  Fix Released  Low         Unassigned
gcab (Ubuntu)            Fix Released  High        Unassigned

Bug Description

Availability: builds for all architectures

Rationale: This package is a new build dependency for appstream-glib to support parsing CAB files. appstream-glib is a dependency of fwupd, which provides an end-user manager for firmware updates distributed as UEFI capsules encapsulated in .CAB files. Linux-friendly vendors will start shipping BIOS updates in UEFI capsules, and this effort is to support being able to use them in Ubuntu.

QA:
* No extra work is needed to configure the package after installation
* No debconf questions are asked
* Has a debian/watch file
* All dependencies and build dependencies are in main

Open bugs:
Debian: none (as of 7/15)
https://bugs.debian.org/cgi-bin/pkgreport.cgi?package=gcab;dist=unstable
Ubuntu: none (as of 7/15)
https://bugs.launchpad.net/ubuntu/+source/gcab

Security:
* Has had 1 CVE in the CVE tracker. It was resolved within 2 days in Debian. Upstream had no concerns with accepting the patch.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774580

Revision history for this message
Michael Terry (mterry) wrote :

Packaging wise, gcab is good. No delta, symbols file, no open bugs.

It does need a team bug subscriber in Ubuntu though, for the team that will look after it.

I'm also going to pass to the security team for a quick look, since this reads binary file formats and deals with firmware (and has had a recent CVE).

Changed in gcab (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Mario Limonciello (superm1) wrote :

I just wanted to bump this for the security team. The current release of appstream-glib (0.5.2) isn't able to build without gcab.

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Mario - we are aware of this MIR and it is on our list to get to during the 16.04 cycle.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gcab (Ubuntu):
status: New → Confirmed
Changed in gcab (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

From a bug subscriber point of view this makes sense for the foundations and/or kernel team to own.

Changed in appstream-glib (Ubuntu):
status: New → Fix Committed
importance: Undecided → Low
tags: added: ftbfs
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Adding the ftbfs tag, and appstream-glib as an affected package, such that this bug report shows up in the FTBFS report for xenial. This way, the next person looking at the ftbfs page will easily find this pending MIR.

Revision history for this message
Sebastien Bacher (seb128) wrote :

@Tyler, is there any chance somebody looks at it before the end of the year? It would be good to have things building early rather than mid-cycle.

Revision history for this message
Robert Ancell (robert-ancell) wrote :

Required for fwupd MIR (bug 1536871)

tags: added: gnome-software-ubuntu
Revision history for this message
Robert Ancell (robert-ancell) wrote :

This is holding up a chain of updates - appstream-glib -> fwupd -> gnome-software.

Changed in gcab (Ubuntu):
importance: High → Critical
Revision history for this message
Tyler Hicks (tyhicks) wrote : Re: [Bug 1475021] Re: [MIR] gcab

On 2016-02-10 01:10:23, Robert Ancell wrote:
> This is holding up a chain of updates - appstream-glib -> fwupd ->
> gnome-software.

Hi Robert - It is on our security review list but that list has grown
large. It'll happen by 16.04 but we typically don't try to target
security reviews for feature freeze since packages can typically live in
Universe without much trouble until we're able to do a security review.
Can you explain how this is holding up updates (uploads?) so that we can
adjust priority accordingly?

Revision history for this message
Mario Limonciello (superm1) wrote :

Hopefully I capture this all correctly:

appstream-glib is in main. It has a dependency upon gcab sitting in proposed.
fwupd is in universe. It has a dependency upon the newer appstream-glib to build.
gnome-software is in universe. It has a dependency upon the newer fwupd and appstream-glib to build.

So gcab is the first thing in the chain, promoting it to main will let
appstream-glib build. That should let fwupd build. Those two building
will let gnome-software build.

On Tue, Feb 9, 2016 at 9:25 PM Tyler Hicks <email address hidden> wrote:

> On 2016-02-10 01:10:23, Robert Ancell wrote:
> > This is holding up a chain of updates - appstream-glib -> fwupd ->
> > gnome-software.
>
> Hi Robert - It is on our security review list but that list has grown
> large. It'll happen by 16.04 but we typically don't try to target
> security reviews for feature freeze since packages can typically live in
> Universe without much trouble until we're able to do a security review.
> Can you explain how this is holding up updates (uploads?) so that we can
> adjust priority accordingly.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1475021
>
> Title:
> [MIR] gcab
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/appstream-glib/+bug/1475021/+subscriptions
>

Revision history for this message
Robert Ancell (robert-ancell) wrote :

The plan is to use GNOME Software as the software store for Ubuntu 16.04 - so we need it in main before feature freeze.

Revision history for this message
Tyler Hicks (tyhicks) wrote :

On 2016-02-10 03:48:45, Robert Ancell wrote:
> The plan is to use GNOME Software as the software store for Ubuntu 16.04
> - so we need it in main before feature freeze.

I was aware of the plan but wasn't aware that the security review needed
to happen before feature freeze (as mentioned, that is an uncommon
deadline for MIR security reviews). I've bumped the priority up so that
it'll get reviewed after the current package undergoing security review
is completed.

Revision history for this message
Robert Ancell (robert-ancell) wrote :

Thanks Tyler!

Revision history for this message
Robert Ancell (robert-ancell) wrote :

I've temporarily dropped the firmware support from gnome-software / appstream-glib (bug 1544376), which unblocks getting gnome-software into Xenial. We'll enable firmware support as soon as this MIR is completed.

Changed in gcab (Ubuntu):
importance: Critical → High
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I reviewed gcab version 0.6-1 as checked into xenial. This shouldn't be
considered a full security audit but rather a quick gauge of
maintainability.

- gcab provides a library and program to access Microsoft Cabinet files
- Build-Depends: debhelper, dh-autoreconf, gobject-introspection,
  gtk-doc-tools, libgirepository1.0-dev, libglib2.0-dev, valac
- Does not itself use networking or cryptography
- Does not itself daemonize
- No pre/post inst/rm
- No initscripts
- No dbus services
- No setuid files
- Provides /usr/bin/gcab executable
- No sudo
- No udev rules
- Runs a test suite at build, very small
- No cronjobs
- Build logs have warnings about bad function casts and signed integer
  overflows

- No subprocesses spawned
- Memory management mostly looked sane though zalloc() contains an integer
  overflow bug
- Files written to extensively, under control of cabinet files; it looks
  like this program is only prepared to pack and unpack files and
  directories. The program does try to keep files from referring to
  outside the unpack directory but the glib abstraction layer makes this
  code very difficult to reason about.
- Logging looked careful
- Environment variable GCAB_DEBUG turns on additional debugging levels
- No privileged operations; I didn't find any calls that could create
  non-file or non-directory outputs.
- No cryptography
- No networking
- No privileged portions of code
- No temp file handling
- No WebKit
- Clean cppcheck
- Clean shellcheck
- No PolicyKit

This codebase is complicated; it feels like half the program exists to
manage the glib abstraction layer, and I think this program doesn't
sufficiently benefit from the abstractions to justify the extra
complications. That said, it otherwise appeared to be programmed carefully,
and the file format is simple enough that it's possible to test simple
permutations of common archive format attacks by hand directly on an
archive. Some hand-testing and a few hours with AFL fuzzing didn't
discover anything CVE-worthy, though there are some caveats:

- Creating the archive assumes input is entirely trusted -- recursive
  symlinks are a quick way to consume a lot of disk space. Solving this
  would probably require significant work.
- Extracting the archive assumes the destination is entirely trusted.
  Symlinks will be followed. (This is usually desirable, but it felt worth
  documenting all the same.)

I found an integer overflow bug that may require a CVE depending upon
what parameters may be supplied to it in the zlib library. We should
distro-patch the g_malloc_n() fix until upstream has responded. (This
change is low-risk and shouldn't cause other issues.)

- ./libgcab/cabinet.c zalloc() integer overflow, should use g_malloc_n()

I found several memory leaks on error conditions; these are unlikely to
have security consequences except under the most contrived of situations:

- ./libgcab/cabinet.c cheader_read() memory leak ch->reserved if any RN()
  or RS() macros fail
- ./libgcab/cabinet.c cfolder_read() memory leak cf->reserved if RN()
  macro fails
- ./libgcab/cabinet.c cdata_read() memory leak cd->reserved if any of RN()
  macro, LZXfdi_init(), LZXfdi_decomp(), 'CK' check, inflat...

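The zalloc() finding above concerns a zlib-style allocation callback whose items * size product is evaluated in 32-bit unsigned arithmetic before the allocator sees it. This added C example is not gcab's code: it contrasts an unchecked callback with one carrying the overflow guard that g_malloc_n() performs, returning NULL instead of aborting because NULL is the failure signal zlib's allocator contract expects. The function names and the decision to reject zero-size requests are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

typedef unsigned int uInt;   /* zlib's alloc_func parameter type */

/* What an unchecked callback hands to malloc(): the product evaluated in
 * uInt, so 65536 * 65536 wraps to 0 and later decompressor writes land in
 * a buffer far smaller than requested. (Illustrative; not gcab's code.) */
size_t unchecked_alloc_size(uInt items, uInt size)
{
    return (size_t)(items * size);          /* wraps modulo 2^32 */
}

/* The guard g_malloc_n() applies: widen first, then refuse any product
 * that size_t cannot hold. Returns 1 and stores the byte count on success,
 * 0 when the request would overflow. */
int checked_alloc_size(uInt items, uInt size, size_t *out)
{
    if (size != 0 && items > SIZE_MAX / size)
        return 0;
    *out = (size_t)items * (size_t)size;
    return 1;
}

/* Weak zlib allocation callback (hypothetical): the multiplication is done
 * in uInt before malloc() ever sees it. */
void *zalloc_unchecked(void *opaque, uInt items, uInt size)
{
    (void)opaque;
    return malloc(unchecked_alloc_size(items, size));
}

/* Hardened callback (hypothetical): an oversized or empty request is
 * refused with NULL, which zlib reports as Z_MEM_ERROR, rather than being
 * silently shrunk to a wrapped size. */
void *zalloc_checked(void *opaque, uInt items, uInt size)
{
    size_t bytes;
    (void)opaque;
    if (items == 0 || size == 0)
        return NULL;                        /* assumption: reject empty requests */
    if (!checked_alloc_size(items, size, &bytes))
        return NULL;                        /* would overflow size_t */
    return malloc(bytes);
}
```
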
Changed in gcab (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Revision history for this message
Mario Limonciello (superm1) wrote :

Thanks Seth. I've made that change and am uploading right now. Have you submitted this upstream already?

MIR team, what status should this bug be set to so you can proceed?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gcab - 0.6-1ubuntu1

---------------
gcab (0.6-1ubuntu1) xenial; urgency=medium

  * Add zalloc_integer_overflow.patch (LP: #1475021)

 -- Mario Limonciello <email address hidden> Wed, 17 Feb 2016 12:29:13 -0600

Changed in gcab (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Michael Terry (mterry) wrote :

Mario, I think just add a team bug subscriber for whomever is looking after this in Ubuntu and we're good.

Changed in gcab (Ubuntu):
status: Fix Released → Incomplete
Revision history for this message
Mario Limonciello (superm1) wrote :

I'd expect that to be foundations; does that seem appropriate?

On Wed, Feb 17, 2016, 14:26 Michael Terry <email address hidden>
wrote:

> Mario, I think just add a team bug subscriber for whomever is looking
> after this in Ubuntu and we're good.
>
> ** Changed in: gcab (Ubuntu)
> Status: Fix Released => Incomplete

Revision history for this message
Michael Terry (mterry) wrote :

If they agree, I'm on board. :)

Revision history for this message
Mario Limonciello (superm1) wrote :

Well, adding them as a subscriber to this bug. Can an admin from the foundations team comment if this is in your potential purview?

Revision history for this message
Brian Murray (brian-murray) wrote :

I'll subscribe the foundations-bugs team to the package.

Revision history for this message
Matthias Klose (doko) wrote :

Override component to main
gcab 0.6-1ubuntu1 in xenial: universe/misc -> main

Changed in gcab (Ubuntu):
status: Incomplete → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package appstream-glib - 0.5.8-1ubuntu6

---------------
appstream-glib (0.5.8-1ubuntu6) xenial; urgency=medium

  * Re-enable firmware support. (LP: #1544376)
    - debian/rules
    - debian/control
    - debian/libappstream-glib8.symbols
  * Add back dependency on gcab (LP: #1475021)
    - drop no-gcab.patch

 -- Mario Limonciello <email address hidden> Wed, 17 Feb 2016 16:49:13 -0600

Changed in appstream-glib (Ubuntu):
status: Fix Committed → Fix Released