Comment 2 for bug 1976405

I reviewed libntlm 1.6-4 as checked into kinetic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

- CVE History:
  - CVE-2019-17455
    - "It was discovered that Libntlm incorrectly handled specially crafted NTML requests. An attacker could possibly use this issue to cause a denial of service or another unspecified impact."
    - https://ubuntu.com/security/notices/USN-5108-1
- Open Bugs?
  - "Problem with cross domain authentication"
    - https://gitlab.com/gsasl/libntlm/-/issues/1
- Build-Depends?
  - gnulib built into package for DES
  - linux-vdso.so.1
  - libc.so.6
  - ld-linux-x86-64.so.2
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - yes
- cron jobs?
  - none
- Build logs:
  - handful of "warning: inlining failed in call to 'getUnicodeString.constprop'" on build

- Processes spawned?
  - not checked
- Memory management?
  - four memcpy calls in smbutil.c
  - first use is very obtuse
  - no size checking--might be fine
- File IO?
  - no, only test code
- Logging?
  - no, only example code
- Environment variable usage?
  - none
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - NTLMv1 is deprecated and highly unsafe (!)
  - implementation looks good
- Use of temp files?
  - none
- Use of networking?
  - no, only example code
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - smbutil.c:317 assigns a pointer to Null
    - AddString appears to be purposely built this way
- Any significant Coverity results?
  - gnulib overwrites part of a buffer being copied in md4_process_bytes function
    - perhaps intentional if buffer is under 16? should use memmove otherwise
    - Libntlm calls md4_buffer which calls md4_process_bytes
    - ./gl/md4.c:269
  - test code reports ignored
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none

This package encourages the use of NTLMv1. It implies that a NTLM server should use deprecated authentication. In many scenarios this means enabling SMBv1 as well! This is only acceptable in completely controlled environments.
 - https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73

From Libntlm's README:
"""
I don't consider NTLM a secure authentication protocol -- it uses MD4
and single-DES. MD4 has been broken, and single-DES have a too small
key size to be considered secure against brute-force attacks. You
should only use libntlm for interoperability purposes, not to achieve
any kind of security.
"""

Security team ACK for promoting libntlm to main.