Comment 50 for bug 2003259

Mark Esler (eslerm) wrote :

I reviewed libppd 2:2.0~b4-0ubuntu3 as checked into lunar. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

> libppd, the legacy support library for PPD files

- CVE History:
  - past cups-filters CVEs likely do not affect libppd code
    - most CVEs are reported to affect cups-filter's foomatic-rip
  - past cups-filters CVEs are mostly for "allows remote attackers to execute arbitrary commands"
- Build-Depends?
  - autoconf, debhelper-compat, dh-sequence-pkgkde-symbolshelper, ghostscript, libcups2-dev, libcupsfilters-dev, pkg-config, poppler-utils, and zlib1g-dev
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - ./usr/bin/testppd
  - ./usr/bin/ppdc
  - ./usr/bin/ppdhtml
  - ./usr/bin/ppdi
  - ./usr/bin/ppdmerge
  - ./usr/bin/ppdpo
  - ./usr/bin/testppdfile
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - has build and autopkgtests
  - see bug comments
- cron jobs?
  - none
- Build logs:
  - looks alright

- Processes spawned?
  - ppdCollectionGetPPD() -> PipeCommand() -> ExecCommand runs arbitrary execv(command, argv)
  - many functions lead to reading PPD files
  - several renderers (e.g., poppler) can be executed
  - documentation is being added to warn downstream users to sanitize untrusted input
- Memory management?
  - heavy memory use
  - issues reported upstream
- File IO?
  - some cloexec
  - file IO appears okay and restrict mode
- Logging?
  - has logging and debugging
- Environment variable usage?
  - used for setting renderer executable paths at compile time
  - ./ppd/ppd-filter.c uses many env variables
    - $PPD loads a non-executable file
- Use of privileged functions?
  - used to prevent using file if setuid
  - elsewhere drops privilege
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant Coverity results?
  - issues reported upstream
- Any significant cppcheck results?
  - see coverity
- Any significant shellcheck results?
  - okay - for compiling

Upstream added the ability to report security bugs privately and is adding security documentation \o/

Upstream and Desktop have agreed to own reported issue maintenance. Security team ACK for promoting libppd to main.