[MIR] bolt

Bug #1752056 reported by Sebastien Bacher
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| bolt (Ubuntu) | Fix Released | Undecided | Unassigned | |

Bug Description

* Availability

Builds on all supported architectures in Ubuntu.
Not in Debian yet.

* Rationale

Required to authorize Thunderbolt 3 devices

* Security

The project is recent and has no known security issue; it should probably get a security team review, though, since it's a system service dealing with a security feature

* Quality assurance

- the desktop-packages team is going to be subscribed once the package is NEWed
- the package is using current packaging standards
- tests are enabled in the package build and successful

* Dependencies

They are already in main (glib, polkit, libudev)

* Standards compliance

Using current standard and dh packaging

* Maintenance

Upstream is active and the desktop team is going to look after the package in Ubuntu

Tags: bot-comment
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1752056/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu:
status: New → Confirmed
Jeremy Bícha (jbicha)
affects: ubuntu → bolt (Ubuntu)
description: updated
Changed in bolt (Ubuntu):
status: Confirmed → New
Mathieu Trudel-Lapierre (cyphermox) wrote :

bolt does authentication of the devices it should interact with; this code should be checked. It's straightforward, but I'm not sufficiently knowledgeable about the protocol to assess it. Reassigning to the Security Team.

Changed in bolt (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Seth Arnold (seth-arnold) wrote :

Does anyone recognize why hardening-check reports that the binary isn't using the Fortify Source hardening on my local build? The build logs have -D_FORTIFY_SOURCE=2 used extensively.

Thanks

/usr/lib/x86_64-linux-gnu/boltd:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes

/usr/bin/boltctl:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes
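
Added example, not part of the original comment and not hardening-check's own code: a Python model of the symbol-based heuristic behind the "Fortify Source functions" verdicts shown above, assuming the tool classifies a binary by whether its imported libc functions appear as `__<name>_chk` variants. The function list is an illustrative subset and the readelf lines are constructed sample input.

```python
import re

# Illustrative subset of libc functions that glibc ships fortified
# __<name>_chk variants for (assumption: not hardening-check's full list).
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat",
               "sprintf", "snprintf", "vsnprintf", "read", "readlink",
               "fgets", "getcwd", "realpath", "printf", "fprintf"}

# Constructed sample shaped like `readelf --dyn-syms -W` output; it is not
# taken from the boltd binary discussed above.
SAMPLE_READELF = """\
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND g_free
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND readlink@GLIBC_2.2.5 (3)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (4)
"""


def imported_functions(readelf_text):
    """Names of undefined (imported) FUNC symbols, version suffix stripped."""
    names = set()
    for line in readelf_text.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[3] == "FUNC" and fields[6] == "UND":
            names.add(fields[7].split("@")[0])
    return names


def fortify_status(names):
    """Classify a binary from its imported symbol names alone."""
    protected, unprotected = set(), set()
    for name in names:
        chk = re.fullmatch(r"__(\w+)_chk", name)
        if chk and chk.group(1) in FORTIFIABLE:
            protected.add(chk.group(1))      # e.g. __memcpy_chk
        elif name in FORTIFIABLE:
            unprotected.add(name)            # plain memcpy, no size check
    # The "no" and "unknown" strings are copied from the output above; the
    # two "yes" strings are this example's own labels.
    if protected and unprotected:
        return "yes (some protected functions found)"
    if protected:
        return "yes"
    if unprotected:
        return "no, only unprotected functions found!"
    return "unknown, no protectable libc functions used"


if __name__ == "__main__":
    print(fortify_status(imported_functions(SAMPLE_READELF)))
```

The verdict depends only on which symbols the linked binary imports, not on the flags in the build log, so a build with -D_FORTIFY_SOURCE=2 still reads "no" when the compiler emitted no `_chk` call for the libc functions it uses.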

Seth Arnold (seth-arnold) wrote :

Hello, I reviewed bolt version 0.1-0ubuntu1 as packaged in bionic. This
should not be considered a full security review but rather a quick gauge
of maintainability.

- There are no CVEs in our database
- Bolt provides an interface to authorize Thunderbolt devices on a
  computer; Thunderbolt devices have immense power over the safety of the
  computer.
- Build-Depends: debhelper, meson, libglib2.0-dev, libudev-dev,
  libumockdev-dev, libpolkit-gobject-1-dev, systemd, udev
- boltd runs as a daemon (but does not daemonize)
- boltd owns the org.freedesktop.bolt name and similar path, interface,
  and device interface names, on dbus
- boltctl connects to the daemon via dbus and provides subcommands:
  authorize, enroll, forget, info, list, and monitor
- pre/post init/rm scripts automatically generated
- bolt.service file is Type=dbus and uses systemd Protect* and Restrict*
  fields
- dbus activation file
- no setuid files
- only boltctl in PATH -- boltd is in /usr/lib/x86_64-linux-gnu/boltd
- no sudo fragments
- udev configuration, starts bolt service via systemd on
  subsystem==thunderbolt

- No subprocesses spawned
- sysfs files are opened and written to for authorizing and providing keys
- logging looked careful
- Three environment variables used, TERM, BOLT_DBPATH, GIO_USE_VFS,
  appeared to be used safely
- No cryptography
- No networking
- No privileged portions of code
- No temporary files
- No WebKit
- No JavaScript
- Clean cppcheck
- Uses polkit polkit_authority_check_authorization_sync()

bolt is perhaps more complex than it needs to be due to using GObject and
glib extensively; it can be difficult to track the flow of execution
through the layers of indirection. That said, error returns are checked
extensively, and code quality is high.

I'm concerned that using polkit's auth_admin_keep rule may allow a
malicious device to add new, unexpected, capabilities after an initial
authorization: https://github.com/gicmo/bolt/issues/73

There's a warning during the build:
https://github.com/gicmo/bolt/issues/74

meson.build:355: WARNING: Trying to compare values of different types
(str, bool) using !=.

Security team ACK for promoting bolt to main.

Thanks

Changed in bolt (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Mathieu Trudel-Lapierre (cyphermox) wrote :

bolt is still missing a team subscriber.

Changed in bolt (Ubuntu):
status: New → Incomplete
Sebastien Bacher (seb128) wrote :

desktop-packages is subscribed now

Changed in bolt (Ubuntu):
status: Incomplete → Fix Committed
Matthias Klose (doko) wrote :

Override component to main
bolt 0.2-0ubuntu1 in bionic: universe/admin -> main
bolt 0.2-0ubuntu1 in bionic amd64: universe/admin/optional/100% -> main
bolt 0.2-0ubuntu1 in bionic arm64: universe/admin/optional/100% -> main
bolt 0.2-0ubuntu1 in bionic armhf: universe/admin/optional/100% -> main
bolt 0.2-0ubuntu1 in bionic i386: universe/admin/optional/100% -> main
bolt 0.2-0ubuntu1 in bionic ppc64el: universe/admin/optional/100% -> main
bolt 0.2-0ubuntu1 in bionic s390x: universe/admin/optional/100% -> main
7 publications overridden.

Changed in bolt (Ubuntu):
status: Fix Committed → Fix Released