[MIR] manila

Bug #1975493 reported by Corey Bryant
Affects: manila (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

[Availability]
Currently in universe

[Rationale]
Manila is an OpenStack project that we're ready to support in main.

[Security]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6519
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9543

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.

[Dependencies]
All are in main (see version 1:14.0.0-0ubuntu2 in kinetic)

[Standards Compliance]
FHS and Debian Policy compliant

[Maintenance]
Python package that the OpenStack Team will take care of

[Background]
Manila is an OpenStack project that provides Shared Filesystems as a service. It provides coordinated access to shared or distributed file systems. While the primary consumption of file shares would be across OpenStack Compute instances, the service is also intended to be accessible as an independent capability in line with the modular design established by other OpenStack services. Manila is extensible for multiple backends (to support vendor or file system specific nuances / capabilities) and accommodates any of a variety of shared or distributed file system types.

Tags: sec-1042
description: updated
James Page (james-page)
Changed in manila (Ubuntu):
assignee: nobody → James Page (james-page)
James Page (james-page)
Changed in manila (Ubuntu):
status: New → In Progress
James Page (james-page) wrote :

[Summary]
Generally this package and Manila itself are carbon copies
of the other OpenStack Services packaged for Ubuntu. There
are no red flags and the package uses all of the existing
in main oslo modules used for OpenStack services (WSGI,
serialization, root escalation++).

As this package provides a network service and processes
user provided data (JSON) this does need a security review,
so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main:
  - manila-api
  - manila-share
  - manila-scheduler
  - manila-data

These should be added to the appropriate seed for Ubuntu.

Notes:
See below

Required TODOs:
None

Recommended TODOs:
- This package uses the complex set of tools that the Debian
  OpenStack team uses for managing maintainer scripts, systemd
  units etc. Not a blocker, but it would be good to see where we
  can simplify this usage for the needs of Ubuntu users and to
  reduce the overhead of package maintenance.

[Duplication]
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam), etc.

NOTE:
- does parse data formats
   Manila services use JSON serialization for processing
   of API requests and for RPC messaging - uses the
   oslo.serialization module already in main.
- does open a port
   Manila API service provides access via WSGI which
   uses the oslo.service module already in main.
   oslo.policy and keystoneauth1 are used for authentication
   and authorization for specific endpoints.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit,...


Changed in manila (Ubuntu):
status: In Progress → New
James Page (james-page) wrote :

Assigning to ubuntu-security for further review.

Manila uses exactly the same modules as the majority of other OpenStack services for security related touchpoints as I've noted in my review which may determine the depth of security review needed for this package.

Changed in manila (Ubuntu):
assignee: James Page (james-page) → Ubuntu Security Team (ubuntu-security)
milestone: none → ubuntu-22.10
tags: added: sec-1042
Mark Esler (eslerm) wrote :

I reviewed manila 1:14.0.0+git2022071414.193784308-0ubuntu1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

Highlighted issues:
- Dangerous use of eval(), exec(), and other shell commands
  - manila/cmd/manage.py ShellCommands.script() exec() is dangerous
  - manila/utils.py wite_remove_file() possible shell injection
- Uncontrolled exceptions
  - IpRouteCommand.pullup_route() try assignment to subnet, if fails except: continue, and _as_root delete Null subnet
  - manila/service.py Service.stop() try to stop rpcserver and except: pass
- Trust of unknown hosts
  - manila/network/linux/ip_lib.py SSHPool.create() accepts unknown host keys
  - TLS/SSL verification disabled
- Inappropriate defaults
  - manila/data/manager.py data_opts if mounted directly /tmp/ is an inappropriate default
  - manila/service.py WSGIService.host 0.0.0.0 and WSGIService.port 0 are inappropriate WSGI defaults

Security Team recommends that pylint flags hiding problems are removed, open bugs are investigated (https://bugs.launchpad.net/manila), and a line by line review is made. Past Manila CVEs are high impact.

Security Team NACK for promoting Manila to main.
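The classes of finding listed in the review above (dynamic code execution, exceptions silently swallowed, SSH clients that accept unknown host keys, TLS verification switched off, shell commands built from input) are all cheap to detect mechanically before a line-by-line review. The following is an added example, not code from Manila or from either reviewer: a small AST-based scanner in Python that walks source for exactly those patterns, run over a constructed sample that mimics the reported shapes of code and over a constructed hardened rewrite of the same functions. The sample sources, the function names in them, and the set of patterns checked are all assumptions for illustration.

```python
import ast
import textwrap

# Constructed sample resembling the kinds of findings in the review
# (NOT Manila's source): exec(), shell=True, except/pass, AutoAddPolicy, verify=False.
SAMPLE_SOURCE = textwrap.dedent('''
    import subprocess
    import paramiko
    import requests

    def run_script(path):
        exec(compile(open(path).read(), path, "exec"))

    def remove_file(name):
        subprocess.call("rm -f %s" % name, shell=True)

    def stop(server):
        try:
            server.stop()
        except Exception:
            pass

    def connect(host):
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        client.connect(host)
        return client

    def fetch(url):
        return requests.get(url, verify=False)
''')

# Constructed hardened counterpart: argument list instead of a shell string,
# the failure is logged and re-raised, unknown host keys are rejected,
# certificate verification stays on.
HARDENED_SOURCE = textwrap.dedent('''
    import logging
    import subprocess
    import paramiko
    import requests

    LOG = logging.getLogger(__name__)

    def remove_file(name):
        subprocess.call(["rm", "-f", name])

    def stop(server):
        try:
            server.stop()
        except Exception:
            LOG.exception("failed to stop RPC server")
            raise

    def connect(host):
        client = paramiko.SSHClient()
        client.load_system_host_keys()
        client.set_missing_host_key_policy(paramiko.RejectPolicy())
        client.connect(host)
        return client

    def fetch(url):
        return requests.get(url, verify=True)
''')


class RiskyPatternVisitor(ast.NodeVisitor):
    """Collects (line number, description) pairs for the patterns of interest."""

    def __init__(self):
        self.findings = []

    @staticmethod
    def _call_name(node):
        # eval(...) -> "eval"; paramiko.AutoAddPolicy() -> "AutoAddPolicy"
        if isinstance(node.func, ast.Name):
            return node.func.id
        if isinstance(node.func, ast.Attribute):
            return node.func.attr
        return ""

    def visit_Call(self, node):
        name = self._call_name(node)
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, f"dynamic code execution via {name}()"))
        if name == "AutoAddPolicy":
            self.findings.append((node.lineno, "SSH client accepts unknown host keys"))
        for kw in node.keywords:
            if isinstance(kw.value, ast.Constant):
                if kw.arg == "shell" and kw.value.value is True:
                    self.findings.append((node.lineno, "subprocess call with shell=True"))
                if kw.arg == "verify" and kw.value.value is False:
                    self.findings.append((node.lineno, "TLS certificate verification disabled"))
        self.generic_visit(node)

    def visit_ExceptHandler(self, node):
        # A handler whose only statement is pass/continue hides the failure entirely.
        if len(node.body) == 1 and isinstance(node.body[0], (ast.Pass, ast.Continue)):
            self.findings.append((node.lineno, "exception swallowed by except: pass/continue"))
        self.generic_visit(node)


def scan_source(source):
    """Parse Python source and return sorted (lineno, message) findings."""
    visitor = RiskyPatternVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(f"== {label}: {len(scan_source(src))} finding(s)")
        for lineno, msg in scan_source(src):
            print(f"  line {lineno}: {msg}")
```

The scanner is deliberately narrow: it matches call names and keyword constants syntactically, so it will not see a policy object assigned to a variable first, or `verify` passed through a config dict. That is the point of the review's last recommendation: a tool like this triages, and a line-by-line read decides.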

Changed in manila (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: New → Won't Fix