[MIR] conntrack, libnetfilter-queue, libnetfilter-cttimeout, libnetfilter-cthelper

Bug #1381450 reported by James Page
Affects                           Status        Importance  Assigned to  Milestone
conntrack (Ubuntu)                Fix Released  Medium      Unassigned
libnetfilter-cthelper (Ubuntu)    Fix Released  Medium      Unassigned
libnetfilter-cttimeout (Ubuntu)   Fix Released  Medium      Unassigned
libnetfilter-queue (Ubuntu)       Fix Released  Medium      Unassigned

Bug Description

conntrack:

Availability: in universe
Rationale: new dependency for openstack neutron to support HA routers with connection state tracking
Security: Looks OK - http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=conntrack
Quality assurance: No upstream test suite, packaging generally looks OK
Dependencies: all in main aside from those on this bug report.
Standards compliance: OK
Maintenance: Server Team

libnetfilter-cttimeout:

Availability: in universe
Rationale: dependency for conntrack
Security: Looks OK - http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=netfilter-cttimeout
Quality assurance: No upstream test suite, packaging generally looks OK
Dependencies: all in main aside from those on this bug report.
Standards compliance: OK
Maintenance: Server Team

libnetfilter-cthelper:

Availability: in universe
Rationale: dependency for conntrack
Security: Looks OK - http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=netfilter-cthelper
Quality assurance: No upstream test suite, packaging generally looks OK
Dependencies: all in main aside from those on this bug report.
Standards compliance: OK
Maintenance: Server Team

libnetfilter-queue:

Availability: in universe
Rationale: dependency for conntrack
Security: Looks OK - http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=netfilter-queue
Quality assurance: No upstream test suite, packaging generally looks OK
Dependencies: all in main aside from those on this bug report.
Standards compliance: OK
Maintenance: Server Team

James Page (james-page)
description: updated
description: updated
James Page (james-page) wrote :

All packages are pretty much up-to-date with upstream aside from conntrack itself which is a patch release older than that in Debian/upstream.

description: updated
James Page (james-page) wrote :

ubuntu-server subscribed to bug mail for all packages.

description: updated
Changed in conntrack (Ubuntu):
importance: Undecided → Medium
Changed in libnetfilter-cthelper (Ubuntu):
importance: Undecided → Medium
Changed in libnetfilter-cttimeout (Ubuntu):
importance: Undecided → Medium
Changed in libnetfilter-queue (Ubuntu):
importance: Undecided → Medium
James Page (james-page) wrote :

Holding off adding this as a package dependency until the MIR team ack that they can accommodate this so late in the cycle (apologies for that). This is to support a new feature in neutron which is important from an HA perspective; users can obviously still just install conntrack manually but it would be nice to have this added to main to get security support etc...

James Page (james-page) wrote :

I've bumped the 1.4.2 release of conntrack into utopic.

Michael Terry (mterry) wrote :

libnetfilter-queue: is fine. Would be nice to see tests, but upstream doesn't provide them. It also should use ${misc:Pre-Depends} instead of hardcoding its pre-depends, since it is missing "Pre-Depends: multiarch-support" for the library package. But not a blocker, just a bit of sloppiness.

Changed in libnetfilter-queue (Ubuntu):
status: New → Fix Committed
Michael Terry (mterry) wrote :

libnetfilter-cttimeout is fine too. Again, small package that could easily have a few tests, but upstream doesn't provide them, so ah well.

Changed in libnetfilter-cttimeout (Ubuntu):
status: New → Fix Committed
Michael Terry (mterry) wrote :

Oh also, for all three of these libraries, it would be great if they provided symbols files. Could you maybe suggest that to the Debian maintainers / file bugs?

Michael Terry (mterry) wrote :

cthelper is also fine.

Changed in libnetfilter-cthelper (Ubuntu):
status: New → Fix Committed
Michael Terry (mterry) wrote :

conntrack seems like it'll need a security team look. Passing to Jamie.

Changed in conntrack (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
James Page (james-page)
Changed in conntrack (Ubuntu):
milestone: none → ubuntu-15.02
James Page (james-page) wrote :

@Jamie

Please can conntrack be reviewed; I'd like to enable this feature for Vivid/Kilo asap.

Thanks!

Changed in conntrack (Ubuntu):
milestone: ubuntu-15.02 → ubuntu-15.01
Changed in conntrack (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in conntrack (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote :

I reviewed conntrack version 1:1.4.2-2ubuntu1 as checked into ubuntu
vivid. This should not be considered a full security audit but rather a
quick gauge of maintainability.

- conntrack provides both a connection tracking daemon that can interface
  with the Linux kernel's netfilter interfaces as well as an
  information-publishing tool that can provide better filtering of flow
  information than the /proc/ interfaces. The connection tracking daemon
  can be used to support HA stateful firewalls.
- Build-Depends: autotools-dev, bison, debhelper, dh-systemd, flex,
  libmnl-dev, libnetfilter-conntrack-dev, libnetfilter-cthelper0-dev,
  libnetfilter-cttimeout-dev, libnetfilter-queue-dev, libnfnetlink-dev
- pre/post inst/rm scripts have complicated mechanisms to handle previous
  configuration file locations and init.d vs systemd handling. Review by
  domain expert would be welcome.
- initscript and systemd service file look reasonable enough
- No dbus services
- No setuid binaries
- Provides conntrack, conntrackd, nfct binaries
- No sudo fragments
- No udev rules
- No cronjobs
- No test suite run during build

- No subprocesses spawned
- Memory management looks careful
- Few files opened; log files, configuration file,
  /proc/sys/net/netfilter/nf_conntrack_count
- Logging looked careful
- No environment variable use
- A handful of privileged operations are used, but the entirety of the
  package does privileged operations
- No cryptography
- Extensive netlink use; conntrackd can communicate with other conntrackd
  instances on other hosts, requires a private privileged network. Can
  spawn helpers to inspect and modify packets -- helpers are provided for
  ftp, rpc, and tns. (Helpers looked careful, though this kind of code is
  prone to mistakes. I'd love to see privilege separation / seccomp kinds
  of things for userspace helpers.)
- No temporary file handling
- No webkit
- No javascript
- No policykit
- Clean cppcheck

Here's a few issues I found while reviewing this package, in the hopes
these findings are useful:

- nfct_helper_free() in libnetfilter-cthelper has a use-after-free bug
  that may result in sigsegv:
  http://www.openwall.com/lists/oss-security/2015/04/22/5
  A fix has already been pushed to upstream git, this may be worth an SRU

- nfq_queue_cb() leaks myct if pktb_alloc(), helper_run(), or
  pkt_verdict_issue() return failures

- fork_process_new() will leak struct child_process c if the fork() fails

- I'm concerned that the daemon closes stderr and stdout before starting
  its main loop; there are many printf() and printf(stderr) calls in
  the codebase. Making sure that stdout and stderr refer to something
  useful at any given point is difficult. I suggest duping /dev/null to
  those descriptors if they are truly not going to be used in the life of
  the daemon.

There's also an issue in the packaging: the binaries are not built PIE. I
realize it is too late to make them PIE before the release of vivid, so
please ensure this is handled shortly after the U series is opened, so
that it is not forgotten.

Security team ACK for promoting conntrack to main.

Thanks

Changed in conntrack (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
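The stdout/stderr point in the review above, as an added example that is not conntrack's code: a daemon that close()s fds 1 and 2 hands those numbers to the next open(), so a later stray printf() writes into an unrelated file; duping /dev/null onto them keeps the numbers occupied. Function names (quiet_stdio, fd_when_closed, fd_when_quieted) are this example's own, and each behaviour is demonstrated in a forked child so the calling process's stdio is left alone.

```c
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Point fds 1 and 2 at /dev/null instead of closing them: the numbers stay
 * occupied, so a stray printf()/fprintf(stderr) later in the daemon is
 * discarded instead of landing in whatever file was opened next. */
int quiet_stdio(void)
{
    int fd = open("/dev/null", O_RDWR);
    if (fd < 0)
        return -1;
    if (dup2(fd, STDOUT_FILENO) < 0 || dup2(fd, STDERR_FILENO) < 0) {
        close(fd);
        return -1;
    }
    if (fd > STDERR_FILENO)
        close(fd);
    return 0;
}

/* Run fn() in a forked child and return its exit status, so the caller's
 * own stdio is untouched while the child demonstrates each behaviour. */
static int run_in_child(int (*fn)(void))
{
    int status;
    pid_t pid = fork();
    if (pid == 0)
        _exit(fn() & 0xff);          /* -1 (failure) becomes 255 */
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hazard: close() stdout and stderr, then open an unrelated file (/dev/null
 * stands in for a log file). open() returns the lowest free descriptor, so
 * the file lands on fd 1 or 2 and later printf() output goes into it. */
static int open_after_close(void)
{
    close(STDOUT_FILENO);
    close(STDERR_FILENO);
    return open("/dev/null", O_WRONLY);
}
/* Fix: dup /dev/null onto 1 and 2 first; the next open() lands at fd 3+. */
static int open_after_quiet(void)
{
    return quiet_stdio() < 0 ? -1 : open("/dev/null", O_WRONLY);
}
int fd_when_closed(void)  { return run_in_child(open_after_close); }
int fd_when_quieted(void) { return run_in_child(open_after_quiet); }
```

fd_when_closed() reports the descriptor the "log file" received after the close() pattern (1 or 2), fd_when_quieted() the descriptor it receives once 1 and 2 are held by /dev/null (3 or higher).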
Michael Terry (mterry) wrote :

Conntrack is fine from my POV too. Approved.

Changed in conntrack (Ubuntu):
status: Confirmed → Fix Committed
James Page (james-page) wrote :

Thanks guys

I'll see if the SRU team will let me squeeze this in as part of the stable release update for OpenStack Kilo next week.

Chris J Arges (arges) wrote : Please test proposed package

Hello James, or anyone else affected,

Accepted neutron into vivid-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/neutron/1:2015.1.0-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
James Page (james-page)
tags: added: verification-done
removed: verification-needed
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for neutron has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Martin Pitt (pitti) wrote :

Note that this shouldn't have been released to -updates: conntrack is in universe in vivid, making neutron uninstallable within main.

I promoted conntrack in wily now.

tags: added: regression-release
Changed in conntrack (Ubuntu):
status: Fix Committed → Fix Released
Changed in libnetfilter-cthelper (Ubuntu):
status: Fix Committed → Fix Released
Changed in libnetfilter-cttimeout (Ubuntu):
status: Fix Committed → Fix Released
Changed in libnetfilter-queue (Ubuntu):
status: Fix Committed → Fix Released