[MIR] Promote ruby-ffi to main a pcs indirect dependency

Review for Package: ruby-ffi

[Summary]
TODO: WRITE - TBD The essence of the review result from the MIR POV
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does need a security review. Although, this package passes the
MIR security checklist, it is used to dynamically load other libraries
from inside ruby code and therefore I believe a security review is needed.
I don't assign the bug to security team until the required todos are addressed.
List of specific binary packages to be promoted to main: ruby-ffi

Notes:
TODO: - add todos, issues or special cases to discuss
Required TODOs:
1. Please make sure the latest version of ruby-ffi is packaged (1.15.5).
Current packaged version in both debian and ubuntu is 1.15.4 released
upstream in Sep 2021. The latest upstream release is 1.15.5 released in
Jan 2022.
Recommended TODOs:
- The package should get a team bug subscriber before being promoted

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - ruby-ffi checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems: None

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta (all 3 patches present, inherited from debian)
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is (good/slow/sporadic)
- Debian/Ubuntu update history is slow
- promoting this does not seem to cause issues for MOTUs that s...

Thanks for the review Ioanna!

I uploaded version 1.15.5+dfsg-1 to Debian unstable, once the archive opens for "L" it will be synced since we have no delta. And for the other TODO, yes, the server team will be subscribed before promotion.

Subscription is added and latest version packages -> move this to the correct "ready" state.

I believe this was meant to be assigned to Ubuntu Security Team.

I reviewed ruby-ffi 1.15.4+dfsg-2 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

> Ruby-FFI is a gem for programmatically loading dynamically-linked native libraries, binding functions within them, and calling those functions from Ruby code.

- CVE History:
  - CVE-2018-1000201
    - windows specific - DLL hijacking
  - open security issues in GitHub bug tracker
  - some merged PRs not closed
- Build-Depends?
  - lunar main
     - debhelper-compat (debhelper)
     - rake
     - libffi-dev (libffi)
  - lunar universe
     - gem2deb
     - ruby-rspec
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - contains build tests from upstream
  - has autopkgtests
    - failing on focal/i386 due to dependency resolution
- cron jobs?
  - none
- Build logs:
  - W: ruby-ffi source: unknown-field Ruby-Versions
  - W: ruby-ffi source: unnecessary-testsuite-autopkgtest-field [debian/control:17]

- Processes spawned?
  - benchmark, example, and spec files are not a concern
  - FFI::FfiGemHelper is okay
  - ./lib/ffi/tools/*_generator.rb files contain sharp code, downstream code may not apply it safely
    - downstream projects using this library with untrusted input or environment variables likely allow executing arbitrary code
    - this library should only be used in a closed system
- Memory management?
  - "FFI::MemoryPointer - allows for Ruby code to allocate native memory and pass it to non-Ruby libraries."
  - ruby-ffi does not work if PAX_MPROTECT is enabled
    - generally PaX is not for us
- File IO?
  - see temp file section below
  - benchmark, rakelib, debian, and spec files are not a concern
  - File.open() and File.binread() calls appear okay
- Logging?
  - *_generator.rb files redirect standard error from compiling C code to standard output
- Environment variable usage?
  - if an attacker can set the env variable CC, they might be able to run arbitrary commands with *_generator.rb functions
    - setuid use in dowstream projects requires scrutiny
  - ./ext/ffi_c/extconf.rb checks if RUBY_CC_VERSION is set
  - Rakefile, benchmark, and spec files are not a concern
- Use of privileged functions?
  - no, only in benchmarks
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - sample files are not a concern
  - *_generator.rb use tempfile to create C compiled code
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - spec file results not relevant to MIR
- Any significant Coverity results?
  - Coverity results for build dependencies are not relevant to MIR, but will receive separate Security followup
  - Other results are spec files
- Any significant shellcheck results?
  - ./nbproject/Package-x86_64-Linux.bash results not relevant to MIR
- Any significant bandit results?
  - none

Examples in ./samples/ call shell.

It is unsafe to use this library, and likel...

Showing up in component mismatch now as planned.

Promoted together with the full PCS stack, details see https://bugs.launchpad.net/ubuntu/+source/pcs/+bug/1953341/comments/13