[MIR] fprintd

Bug #1745455 reported by Marco Trevisan (Treviño) on 2018-01-25
16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
fprintd (Ubuntu)
Undecided
Unassigned

Bug Description

[Availability]

Already in universe, in sync with debian.

Built for all supported architectures.

[Rationale]

Ubuntu desktop team wants to enable fingerprint lockscreen unlock support by default in GNOME installations and this includes the daemon to which gnome-shell and gnome-control-center talk to (using DBus API) and the PAM library to enable that.

[Security]

No known security issues.

Bug 1532264 is the only security-related bug here, but this doesn't seem to be a real thing. Also it's all about distro management, nothing related to upstream project.

https://security-tracker.debian.org/tracker/source-package/fprintd
https://launchpad.net/fprintd/+cve

[Quality assurance]

- The Ubuntu Desktop bugs team is subscribed.

https://bugs.launchpad.net/ubuntu/+source/fprintd
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=fprintd
https://bugs.freedesktop.org/buglist.cgi?component=fprintd&product=libfprint

No upstream tests or autopkgtests.

[Dependencies]

libfprint. See MIR bug #1745454

[Standards compliance]

The package meets the FHS and Debian Policy standards (4.1.1)

[Maintenance]

- Actively developed upstream. Last release was 0.8.0 in September
https://cgit.freedesktop.org/libfprint/fprintd/log/

Didier Roche (didrocks) wrote :

Looks generally good, some small things I need to get some clarification on:

[ required ]
- There is some lintian warning on the policy file: dbus-policy-without-send-destination (fprintd binary package). Maybe worth either:
* Check for a fix with upstream
* Override it in lintian with rationale
- Any suggestion on https://bugs.launchpad.net/ubuntu/+source/fprintd/+bug/1619329, which seems to touch multiple people and doesn't seem dealt with?

[ optional ]
- the package is using dh_install --fail-missing, which is good! It's deprecated though nowdays and should use dh_missing --fail-missing for listing missing files.

Otherwise, it looks good packaging and after a quick code scanning. I would like a security review ofc, due to the sensitivness of it.

Changed in fprintd (Ubuntu):
assignee: nobody → Canonical Security Team (canonical-security)
Seth Arnold (seth-arnold) wrote :

Could someone go through https://bugs.launchpad.net/ubuntu/+source/fprintd/+bug/1532264 and decide if this package is intended for this use case? It's been ages but I think I had the impression this was a toy, not a tool.

Thanks

Seth, I've attached a debdiff to fix that, by changing the policykit setting.

Ah, and Seth... The tool has been the previous of the pam module, the one inside fprintd is not the newest, but still quite stable and does its job at my eyes (who have been through the code too)

Changed in fprintd (Ubuntu):
assignee: Canonical Security Team (canonical-security) → Ubuntu Security Team (ubuntu-security)
Seth Arnold (seth-arnold) wrote :

Are these lintian messages fatal?

Unpacking sbuild-build-depends-lintian-dummy (0.invalid.0) ...
Setting up sbuild-build-depends-lintian-dummy (0.invalid.0) ...
E: fprintd changes: bad-distribution-in-changes-file unstable
W: fprintd source: vcs-deprecated-in-debian-infrastructure vcs-git https://anonscm.debian.org/git/fingerforce/fprintd.git
W: fprintd source: vcs-deprecated-in-debian-infrastructure vcs-browser https://anonscm.debian.org/cgit/fingerforce/fprintd.git/
W: fprintd: dbus-policy-without-send-destination etc/dbus-1/system.d/net.reactivated.Fprint.conf <policy context="default"><allow send_interface="net.reactivated.Fprint"/>

E: Lintian run failed (policy violation)

The bad-distribution line may be a result of this being an 'unstable' package, rather than an ubuntu package; anonscm lines may be Someone Else's Problem for a similar reason.

Is the dbus-policy-without-send-destination warning a real issue?

Thanks

Mh, I think it'd the case to address this, to avoid allowing services just implementing the interface. I'll look into this.

sapotacoin (sapotacoin) on 2018-06-26
Changed in fprintd (Ubuntu):
status: New → Fix Released
Changed in fprintd (Ubuntu):
status: Fix Released → New
Seth Arnold (seth-arnold) wrote :

I reviewed fprintd version 0.8.0-2 as checked into cosmic. This isn't a
full security audit but rather a quick gauge of maintainability.

- fprintd is a dbus interface for libfprint
- No CVEs in our database

- Build-Depends: debhelper, libfprint-dev, libglib2.0-dev,
  libdbus-glib-1-dev, libpolkit-gobject-1-dev, gtk-doc-tools, intltool,
  libpam0g-dev, rename

- No cryptography
- No networking
- Does DBus communication
- Does not itself daemonize, uses systemd unit file to start
- pre/post inst/rm scripts manage systemd unit, pam-auth-update, dbus
  configuration
- No init scripts
- Systemd unit file has some hardening
- No setuid files
- fprintd-delete fprintd-enroll fprintd-list fprintd-verify binaries in
  PATH
- No sudo fragments
- No udev rules
- Some tests but they don't appear to be run during the build
- Some surprising errors in build logs that don't appear to fail the build
  -- including Lintian run failure, make check appears to have failed too
  -- I suspect this package still needs work
- No subprocesses spawned
- Memory management is typical for glib / dbus code with type punning,
  "classes", etc. I believe I found several memory leaks but it's
  difficult to know since control flow isn't obvious.
- Filenames constructed with usernames; safety of the system relies upon
  usernames including /../ being forbidden, etc.
- No logging errors spotted
- PAM module and root-powers daemon, somewhat privileged as a result
- No environment variable use
- No networking
- No cryptography
- No sql
- No temporary files
- No WebKit
- Polkit integration, no errors spotted
- Clean cppcheck

_fprint_device_check_for_username() appears to leak client_username if
execution continues beyond _fprint_device_check_polkit_for_action()

file_storage_print_data_save() appears to leak buf if
g_mkdir_with_parents() fails

fprint_device_finalize() appears to clean up after only one of nine
probably-owned pieces of data

This codebase is similar to most dbus / glib code -- no obvious flow
through the program, type punning, layers of abstraction, etc. Individual
methods look fine but it's harder to get a feel for the overall program
layout. The possible memory leaks may represent real problems if they can
be triggered on-demand by users.

It's important to note that security team considers fingerprints to be
akin to usernames and not passwords. Any potential issues with this tool
will be treated with this threat model in mind.

At last check the security team does not have supported hardware. We will
rely upon the Desktop team to provide testing when updates are needed.

Security team ACK for promoting fprintd to main.

Thanks

Changed in fprintd (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Changed in fprintd (Ubuntu):
status: New → Fix Committed
Matthias Klose (doko) wrote :

Override component to main
fprintd 0.8.0-2 in cosmic: universe/misc -> main
fprintd 0.8.0-2 in cosmic amd64: universe/misc/extra/100% -> main
fprintd 0.8.0-2 in cosmic arm64: universe/misc/extra/100% -> main
fprintd 0.8.0-2 in cosmic armhf: universe/misc/extra/100% -> main
fprintd 0.8.0-2 in cosmic i386: universe/misc/extra/100% -> main
fprintd 0.8.0-2 in cosmic ppc64el: universe/misc/extra/100% -> main
fprintd 0.8.0-2 in cosmic s390x: universe/misc/extra/100% -> main
fprintd-doc 0.8.0-2 in cosmic amd64: universe/doc/extra/100% -> main
fprintd-doc 0.8.0-2 in cosmic arm64: universe/doc/extra/100% -> main
fprintd-doc 0.8.0-2 in cosmic armhf: universe/doc/extra/100% -> main
fprintd-doc 0.8.0-2 in cosmic i386: universe/doc/extra/100% -> main
fprintd-doc 0.8.0-2 in cosmic ppc64el: universe/doc/extra/100% -> main
fprintd-doc 0.8.0-2 in cosmic s390x: universe/doc/extra/100% -> main
libpam-fprintd 0.8.0-2 in cosmic amd64: universe/admin/extra/100% -> main
libpam-fprintd 0.8.0-2 in cosmic arm64: universe/admin/extra/100% -> main
libpam-fprintd 0.8.0-2 in cosmic armhf: universe/admin/extra/100% -> main
libpam-fprintd 0.8.0-2 in cosmic i386: universe/admin/extra/100% -> main
libpam-fprintd 0.8.0-2 in cosmic ppc64el: universe/admin/extra/100% -> main
libpam-fprintd 0.8.0-2 in cosmic s390x: universe/admin/extra/100% -> main
19 publications overridden.

Changed in fprintd (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers