[MIR] conntrack, libnetfilter-queue, libnetfilter-cttimeout, libnetfilter-cthelper

Bug #1381450 reported by James Page on 2014-10-15
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
conntrack (Ubuntu)
Medium
Unassigned
libnetfilter-cthelper (Ubuntu)
Medium
Unassigned
libnetfilter-cttimeout (Ubuntu)
Medium
Unassigned
libnetfilter-queue (Ubuntu)
Medium
Unassigned

Bug Description

conntrack:

Availability: in universe
Rationale: new dependency for openstack neutron to support HA routers with connection state tracking
Security: Looks OK - http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=conntrack
Quality assurance: No upstream test suite, packaging generally looks OK
Dependencies: all in main aside from those on this bug report.
Standards compliance: OK
Maintenance: Server Team

libnetfilter-cttimeout:

Availability: in universe
Rationale: dependency for conntrack
Security: Looks OK - http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=netfilter-cttimeout
Quality assurance: No upstream test suite, packaging generally looks OK
Dependencies: all in main aside from those on this bug report.
Standards compliance: OK
Maintenance: Server Team

libnetfilter-cthelper:

Availability: in universe
Rationale: dependency for conntrack
Security: Looks OK - http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=netfilter-cthelper
Quality assurance: No upstream test suite, packaging generally looks OK
Dependencies: all in main aside from those on this bug report.
Standards compliance: OK
Maintenance: Server Team

libnetfilter-queue:

Availability: in universe
Rationale: dependency for conntrack
Security: Looks OK - http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=netfilter-queue
Quality assurance: No upstream test suite, packaging generally looks OK
Dependencies: all in main aside from those on this bug report.
Standards compliance: OK
Maintenance: Server Team

James Page (james-page) on 2014-10-15
description: updated
description: updated
James Page (james-page) wrote :

All packages are pretty much up-to-date with upstream aside from conntrack itself which is a patch release older than that in Debian/upstream.

description: updated
James Page (james-page) wrote :

ubuntu-server subscribed to bug mail for all packages.

description: updated
Changed in conntrack (Ubuntu):
importance: Undecided → Medium
Changed in libnetfilter-cthelper (Ubuntu):
importance: Undecided → Medium
Changed in libnetfilter-cttimeout (Ubuntu):
importance: Undecided → Medium
Changed in libnetfilter-queue (Ubuntu):
importance: Undecided → Medium
James Page (james-page) wrote :

Holding off adding this as a package dependency until the MIR team ack that can accommodate this so late in cycle (apologies for that). This is to support a new feature in neutron which is important from an HA perspective; users can obviously still just install conntrack manually but it would be nice to have this added to main to get security support etc...

James Page (james-page) wrote :

I've bumped in the 1.4.2 release of conntrack into utopic.

Michael Terry (mterry) wrote :

libnetfilter-queue: is fine. Would be nice to see tests, but upstream doesn't provide them. It also should use ${misc:Pre-Depends} instead of hardcoding its pre-depends, since it is missing "Pre-Depends: multiarch-support" for the library package. But not a blocker, just a bit of sloppiness.

Changed in libnetfilter-queue (Ubuntu):
status: New → Fix Committed
Michael Terry (mterry) wrote :

libnetfilter-cttimeout is fine too. Again, small package that could easily have a few tests, but upstream doesn't provide them, so ah well.

Changed in libnetfilter-cttimeout (Ubuntu):
status: New → Fix Committed
Michael Terry (mterry) wrote :

Oh also, for all three of these libraries, it would be great if they provided symbols files. Could you maybe suggest that to the Debian maintainers / file bugs?

Michael Terry (mterry) wrote :

cthelper is also fine.

Changed in libnetfilter-cthelper (Ubuntu):
status: New → Fix Committed
Michael Terry (mterry) wrote :

conntrack seems like it'll need a security team look. Passing to Jamie.

Changed in conntrack (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
James Page (james-page) on 2014-12-01
Changed in conntrack (Ubuntu):
milestone: none → ubuntu-15.02
James Page (james-page) wrote :

@Jamie

Please can conntrack be reviewed; I'd like to enable this feature for Vivid/Kilo asap.

Thanks!

Changed in conntrack (Ubuntu):
milestone: ubuntu-15.02 → ubuntu-15.01
Changed in conntrack (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in conntrack (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote :

I reviewed conntrack version 1:1.4.2-2ubuntu1 sa checked into ubuntu
vivid. This should not be considered a full security audit but rather a
quick gauge of maintainability.

- conntrack provides both a connection tracking daemon that can interface
  with the Linux kernel's netfilter interfaces as well as an
  information-publishing tool that can provide better filtering of flow
  information than the /proc/ interfaces. The connection tracking daemon
  can be used to support HA stateful firewalls.
- Build-Depends: autotools-dev, bison, debhelper, dh-systemd, flex,
  libmnl-dev, libnetfilter-conntrack-dev, libnetfilter-cthelper0-dev,
  libnetfilter-cttimeout-dev, libnetfilter-queue-dev, libnfnetlink-dev
- pre/post inst/rm scripts have complicated mechanisms to handle previous
  configuration file locations and init.d vs systemd handling. Review by
  domain expert would be welcome.
- initscript and systemd service file look reasonable enough
- No dbus services
- No setuid binaries
- Provides conntrack, conntrackd, nfct binaries
- No sudo fragments
- No udev rules
- No cronjobs
- No test suite run during build

- No subprocesses spawned
- Memory management looks careful
- Few files opened; log files, configuration file,
  /proc/sys/net/netfilter/nf_conntrack_count
- Logging looked careful
- No environment variable use
- A handful of privileged operations are used, but the entirety of the
  package does privileged operations
- No cryptography
- Extensive netlink use; conntrackd can communicate with other conntrackd
  instances on other hosts, requires a private privileged network. Can
  spawn helpers to inspect and modify packets -- helpers are provided for
  ftp, rpc, and tns. (Helpers looked careful, though this kind of code is
  prone to mistakes. I'd love to see privilege separation / seccomp kinds
  of things for userspace helpers.)
- No tempory file handling
- No webkit
- No javascript
- No policykit
- Clean cppcheck

Here's a few issues I found while reviewing this package, in the hopes
these findings are useful:

- nfct_helper_free() in libnetfilter-cthelper has a use-after-free bug
  that may result in sigsegv:
  http://www.openwall.com/lists/oss-security/2015/04/22/5
  A fix has already been pushed to upstream git, this may be worth an SRU

- nfq_queue_cb() leaks myct if pktb_alloc(), helper_run(), or
  pkt_verdict_issue() return failures

- fork_process_new() will leak struct child_process c if the fork() fails

- I'm concerned that the daemon closes stderr and stdout before starting
  its main loop; there are many printf() and printf(stderr) calls in
  the codebase. Making sure that stdout and stderr refer to something
  useful at any given point is difficult. I suggest duping /dev/null to
  those descriptors if they are truly not going to used in the life of
  the daemon.

There's also an issue in the packaging, the binaries are not built PIE. I
realize it is too late to make them PIE before the release of vivid, so
please ensure this is handled shortly after the U series is opened, so
that it is not forgotten.

Security team ACK for promoting conntrack to main.

Thanks

Changed in conntrack (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
Michael Terry (mterry) wrote :

Conntrack is fine from my POV too. Approved.

Changed in conntrack (Ubuntu):
status: Confirmed → Fix Committed
James Page (james-page) wrote :

Thanks guys

I'll see if the SRU team will let me squeeze this in as part of the stable release update for OpenStack Kilo next week.

Hello James, or anyone else affected,

Accepted neutron into vivid-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/neutron/1:2015.1.0-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
James Page (james-page) on 2015-05-12
tags: added: verification-done
removed: verification-needed

The verification of the Stable Release Update for neutron has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Martin Pitt (pitti) wrote :

Note that this shouldn't have been released to -updates: conntrack is in universe in vivid, making neutron uninstallable within main.

I promoted conntrack in wily now.

tags: added: regression-release
Changed in conntrack (Ubuntu):
status: Fix Committed → Fix Released
Changed in libnetfilter-cthelper (Ubuntu):
status: Fix Committed → Fix Released
Changed in libnetfilter-cttimeout (Ubuntu):
status: Fix Committed → Fix Released
Changed in libnetfilter-queue (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related blueprints