MIR: libssh2

Bug #1991650 reported by Simon Chopin
Affects: libssh2 (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Unassigned

Bug Description

[Availability]
The package libssh2 is already in Ubuntu universe (and even was in main for a time).
It builds on the architectures it is designed to work on:
i386 amd64 armhf arm64 s390x ppc64el riscv64
Link to package: https://launchpad.net/ubuntu/+source/libssh2

[Rationale]

The package libssh2 is required in Ubuntu main as a dependency of src:cargo,
which will be the object of its own MIR.

It should NOT be promoted to main until the cargo MIR is accepted.

It would be great and useful to community/processes to have the
package libssh2 in Ubuntu main, but there is no definitive deadline.

[Security]
libssh2 had 13 known security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1782 lack of validation of network-supplied LENGTH, causing read past the packet buffer. Fixed in 1.5.0, see https://www.libssh2.org/adv_20150311.html for their advisory.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0787 "bits/bytes confusion bug", weaker crypto (MitM risks). Fixed in 1.7.0, see https://www.libssh2.org/adv_20160223.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855 Remote execution due to integer overflow leading to out-of-bounds write flaw. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3855.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856 Remote execution due to integer overflow leading to out-of-bounds write flaw. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3856.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857 Remote execution due to integer overflow leading to out-of-bounds write flaw. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3857.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3858 DoS, memory read due to out-of-bound read. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3858.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3859 DoS, memory read due to out-of-bound read. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3859.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3860 DoS, memory read due to out-of-bound read. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3860.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3861 DoS, memory read due to out-of-bound read. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3861.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862 DoS, memory read due to out-of-bound read. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3862.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863 Remote execution due to integer overflow leading to out-of-bounds write flaw. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3863.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13115 DoS, memory read due to out-of-bound read. Fixed in 1.9.0, no advisory has been published on the libssh2 website. From the CVE description: In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498 DoS, memory read due to integer overflow leading to out-of-bound read. Fixed in 1.10.0, but no advisory has been published on the libssh2 website.

CVE-2019-3855 to -3863 have all been reported by Chris Coulson, presumably from an earlier security review for a previous MIR?

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install (as a library)

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and does not have too many
  long-term critical bugs open
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libssh2/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libssh2
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
  it makes the build fail
Build logs: https://launchpadlibrarian.net/588624160/buildlog_ubuntu-jammy-amd64.libssh2_1.10.0-3_BUILDING.txt.gz

The package runs an autopkgtest, and is currently passing on
all architectures but i386 (never succeeded there, fails due to depending on gcc:i386).
The autopkgtests are just the unit tests run against the installed library.

[Quality assurance - packaging]
- debian/watch is present and works (but outputs a warning, which trips up tracker.debian.org somehow)
- debian/control defines a correct Maintainer field

Here are the logs of a recent rebuild:

https://launchpadlibrarian.net/627042984/buildlog_ubuntu-kinetic-amd64.libssh2_1.10.0-3~ppa2_BUILDING.txt.gz
Note that there are massive deprecation warnings as the package uses OpenSSL APIs that have been deprecated in OpenSSL 3.0. Upstream doesn't have concrete plans to handle OpenSSL 3.0 yet. All other warnings are only on example code.

I wasn't able to produce a --pedantic lintian run on my local builder as the package
FTBFS on it (presumably due to recent changes in openssh-server breaking things on my
system, since it builds fine on LP builders). I'm still investigating that, but in the
meantime, there are these results:

https://lintian.debian.org/sources/libssh2

The package doesn't have any overrides.

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy:
https://sources.debian.org/src/libssh2/1.10.0-3/debian/rules/

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Owning Team will be Foundations
- Team is already subscribed to the package

- This does not use static builds
- This does not use vendored code
- This package is not rust based

- The package was test rebuilt in PPA recently:
https://launchpad.net/~schopin/+archive/ubuntu/rebuilds/+sourcepub/13981899/+listing-archive-extra

[Background information]
The Package description explains the package well
Link to upstream project: https://www.libssh2.org/

Regarding the feature duplication between libssh1 and libssh2, the Rust bindings for the latter are well-maintained and see substantial usage, whereas the former are barely used:

https://crates.io/crates/libssh-sys
https://crates.io/crates/libssh2-sys

Given that FFI bindings are one of the trickiest areas of Rust in terms of unsafe code, I believe it safer not to try and port cargo to libssh1.

Tags: sec-1351
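The 2019 CVEs listed in the description are characterised as integer overflows in length handling that turn into out-of-bounds reads or writes. The following is an added illustration of that bug class and is not libssh2's code: the two-length toy packet format, the function names and the sample packets are invented for the demo. It contrasts a bounds check that sums two attacker-supplied 32-bit lengths (the sum wraps and the check passes) with one that consumes the remaining budget one length at a time and therefore cannot wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy packet layout used only for this demo (not the SSH wire format):
 *   u32 len1 | u32 len2 | len1 bytes of string 1 | len2 bytes of string 2
 * Both lengths are attacker-controlled, as they are in any SSH packet. */

enum parse_result { PARSE_REJECTED = 0, PARSE_OK = 1, PARSE_WOULD_OVERREAD = 2 };

static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Buggy check: the sum is computed in uint32_t, so 0xFFFFFFF0 + 0x20 wraps
 * to 0x10. Unsigned wraparound is defined behaviour in C, so no sanitizer
 * or compiler warning flags it; the check simply passes. */
static bool fits_naive(uint32_t len1, uint32_t len2, size_t remaining)
{
    uint32_t total = len1 + len2;
    return total <= remaining;
}

/* Hardened check: never add attacker lengths together. Compare each one
 * against the budget that is left and consume it, so nothing can wrap. */
static bool fits_safe(uint32_t len1, uint32_t len2, size_t remaining)
{
    if (len1 > remaining)
        return false;
    remaining -= len1;
    return len2 <= remaining;
}

static enum parse_result parse_two_strings(const unsigned char *buf,
                                           size_t buflen, bool hardened)
{
    if (buflen < 8)
        return PARSE_REJECTED;
    uint32_t len1 = get_u32(buf);
    uint32_t len2 = get_u32(buf + 4);
    size_t remaining = buflen - 8;

    bool ok = hardened ? fits_safe(len1, len2, remaining)
                       : fits_naive(len1, len2, remaining);
    if (!ok)
        return PARSE_REJECTED;

    /* A real parser would memcpy len1 and then len2 bytes from buf + 8 here.
     * The demo only computes, in 64-bit arithmetic that cannot wrap, whether
     * that copy would run past the buffer, so it never touches bad memory. */
    uint64_t needed = (uint64_t)len1 + (uint64_t)len2;
    return needed > remaining ? PARSE_WOULD_OVERREAD : PARSE_OK;
}

/* Constructed sample packets (not captured traffic). */
static const unsigned char benign_pkt[] = {
    0x00, 0x00, 0x00, 0x03,  0x00, 0x00, 0x00, 0x02,
    'a', 'b', 'c', 'd', 'e'
};

/* len1 = 0xFFFFFFF0, len2 = 0x20: their 32-bit sum is 0x10 = 16, exactly
 * the number of payload bytes that follow, so the naive check is satisfied. */
static const unsigned char malicious_pkt[] = {
    0xFF, 0xFF, 0xFF, 0xF0,  0x00, 0x00, 0x00, 0x20,
    0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0
};

enum parse_result demo_benign(bool hardened)
{
    return parse_two_strings(benign_pkt, sizeof benign_pkt, hardened);
}

enum parse_result demo_malicious(bool hardened)
{
    return parse_two_strings(malicious_pkt, sizeof malicious_pkt, hardened);
}

int main(void)
{
    static const char *names[] = { "rejected", "ok", "WOULD OVERREAD" };
    printf("benign    naive=%s hardened=%s\n",
           names[demo_benign(false)], names[demo_benign(true)]);
    printf("malicious naive=%s hardened=%s\n",
           names[demo_malicious(false)], names[demo_malicious(true)]);
    return 0;
}
```

The hardened variant is the shape a length check should take in any packet parser: compare against what is left, subtract, repeat. Note that the naive path fails silently because unsigned overflow is not an error in C; only the hardened check turns the malformed packet into a rejection rather than an over-read.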
Simon Chopin (schopin)
description: updated
Changed in libssh2 (Ubuntu):
assignee: nobody → Ioanna Alifieraki (joalif)
Ioanna Alifieraki (joalif) wrote :

Review for Package: libssh2

[Summary]
MIR team ACK
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: libssh2-1, libssh2-1-dev

Notes:
- The package should get a team bug subscriber before being promoted

[Duplication]
There is libssh already in main. libssh and libssh2 provide more or less the same
functionality. However, the argument presented by the bug reporter that libssh2
is better maintained and substantially more used versus libssh is satisfying and
therefore promoting libssh2 to main is justified.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
   - libssh2 checked with `check-mir`
   - all dependencies can be found in `seeded-in-ubuntu` (already in main)
   - none of the (potentially auto-generated) dependencies (Depends
     and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
OK:
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- does deal with cryptography (en-/decryption, certificates, signing, ...)
- does open a port/socket
- does parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta (existing patches come from debian)
- symbols tracking is in place
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation pre...


Changed in libssh2 (Ubuntu):
assignee: Ioanna Alifieraki (joalif) → nobody
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Steve Beattie (sbeattie) wrote :

The prior MIR attempt(s) for libssh2 was in https://bugs.launchpad.net/ubuntu/+source/libssh2/+bug/681423 and the security team was strongly opposed to including it in main because of the easily found security issues and generally low code quality. I'm not sure if upstream has improved in the three years since.

Steve Beattie (sbeattie)
tags: added: sec-1351
Mark Esler (eslerm) wrote :

cargo is no longer being promoted to main: https://bugs.launchpad.net/ubuntu/+source/rustc/+bug/1957932

Unassigning Security Team as rationale is no longer valid.

Changed in libssh2 (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Mark Esler (eslerm) wrote :
Changed in libssh2 (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Nishit Majithia (0xnishit) wrote (last edit):

I reviewed libssh2 1.10.0-3 as checked into kinetic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

libssh2 is a client-side C library implementing the SSH2 protocol

- CVE History:
  - CVE-2015-1782
  - CVE-2016-0787
  - CVE-2019-13115
  - CVE-2019-17498
  - CVE-2019-3855
  - CVE-2019-3856
  - CVE-2019-3857
  - CVE-2019-3858
  - CVE-2019-3859
  - CVE-2019-3860
  - CVE-2019-3861
  - CVE-2019-3862
  - CVE-2019-3863
- Build-Depends?
  - Optional dependency on GnuPG, libgcrypt and OpenSSH
  - Build produces many deprecation warnings because of openssl, but upstream
    hasn't decided how to deal with it.
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - yes
- cron jobs?
  - none
- Build logs:
  - Many compiler warnings mentioned in log.txt
  - Lintian failed
- Processes spawned?
  - Yes, libssh2 client is using libssh2_channel_exec() and
    libssh2_channel_subsystem() calls in libssh2.h file
- Memory management?
  - Yes, libssh2 is mainly using [c/m/re]alloc(), memcpy(), memmove() and
    memory functions of mbedtls_. Use of these functions looks safe
- File IO?
  - Few file IO calls to read and write content in channel.c, sftp.c, packet.c,
    openssl.c, libcrypt.c, userauth.c and scp.c
- Logging?
  - logging looks fine and logs are informative
- Environment variable usage?
  - Just one at /include/libssh2.h:762
- Use of privileged functions?
  - ioctl function used in src/session.c, looks fine
- Use of cryptography / random number sources etc?
  - Majority of the use in openssl.c
- Use of temp files?
  - none, just in examples
- Use of networking?
  - Used in multiple places to start/stop socket connections.
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - none
- Any significant Coverity results?
  - Few deadcode issues, few buffer overrun issues in userauth.c,
    bcrypt_pbkdf.c, knownhost.c and transport.c
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none

Found a NULL pointer dereference issue in openssl.c: when the session object is NULL,
calling _libssh2_error() will cause a null pointer dereference,
resulting in a crash of the client application.
They fixed the issue in no time: https://github.com/libssh2/libssh2/pull/796

There are 50+ open bugs and 25 PRs pending on upstream to fix the code.

Security team ACK for promoting libssh2 to main conditional upon improving code
quality (remove dead code and improve code comments) as reported by coverity and fixing this possible issue

1. NULL pointer dereference issue in openssl.c of `decrypted` pointer
src/openssl.c:3082:29:
  deref_ptr_in_call: Dereferencing pointer "decrypted".
src/misc.c:772:5:
  deref_parm_in_call: Function "_libssh2_get_u32" dereferences "buf".
src/misc.c:737:5:
  deref_parm_in_call: Function "_libssh2_check_length" dereferences "buf".
src/misc.c:849:5:
  deref_parm: Directly dereferencing parameter "buf".
src/openssl.c:3148:...


Changed in libssh2 (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: New → In Progress
Nishit Majithia (0xnishit) wrote :

The bug has been filed upstream for NULL pointer dereference issue here: https://github.com/libssh2/libssh2/issues/802

Mark Esler (eslerm) wrote :

I am altering Security's conditional ACK.

Security team propose a conditional ACK for promoting libssh2 to main
upon Foundations team's acknowledgment of their commitment in assisting with
the development of security fixes, in the absence of upstream support, as
well as their responsibility to ask for demoting the package in the future
once a suitable alternative is identified and deemed feasible.

Please see https://bugs.launchpad.net/ubuntu/+source/http-parser/+bug/1990655
for discussion of this conditional ACK.

Zixing Liu (liushuyu-011) wrote (last edit):

Hi, Mark (@eslerm),

The Foundations Team is committed to assisting with the development of security fixes in the absence of upstream support or demoting the package if an alternative is identified in the future.

Mark Esler (eslerm) wrote :

thanks for confirming Zixing

since rustc (containing cargo) has already been promoted in LP#1993819, please promote this ack'd dependency

Didier Roche-Tolomelli (didrocks) wrote :

Based on the above discussion, and both MIR team and Security team ACK, changing the status.

Changed in libssh2 (Ubuntu):
status: In Progress → Fix Committed
Steve Langasek (vorlon) wrote :

foundations-bugs subscribed.

Steve Langasek (vorlon) wrote :

Override component to main
libssh2 1.11.0-2 in mantic: universe/libs -> main
libssh2-1 1.11.0-2 in mantic amd64: universe/libs/optional/100% -> main
libssh2-1 1.11.0-2 in mantic arm64: universe/libs/optional/100% -> main
libssh2-1 1.11.0-2 in mantic armhf: universe/libs/optional/100% -> main
libssh2-1 1.11.0-2 in mantic i386: universe/libs/optional/100% -> main
libssh2-1 1.11.0-2 in mantic ppc64el: universe/libs/optional/100% -> main
libssh2-1 1.11.0-2 in mantic riscv64: universe/libs/optional/100% -> main
libssh2-1 1.11.0-2 in mantic s390x: universe/libs/optional/100% -> main
libssh2-1-dev 1.11.0-2 in mantic amd64: universe/libdevel/optional/100% -> main
libssh2-1-dev 1.11.0-2 in mantic arm64: universe/libdevel/optional/100% -> main
libssh2-1-dev 1.11.0-2 in mantic armhf: universe/libdevel/optional/100% -> main
libssh2-1-dev 1.11.0-2 in mantic i386: universe/libdevel/optional/100% -> main
libssh2-1-dev 1.11.0-2 in mantic ppc64el: universe/libdevel/optional/100% -> main
libssh2-1-dev 1.11.0-2 in mantic riscv64: universe/libdevel/optional/100% -> main
libssh2-1-dev 1.11.0-2 in mantic s390x: universe/libdevel/optional/100% -> main
15 publications overridden.

Changed in libssh2 (Ubuntu):
status: Fix Committed → Fix Released