Bug #1203207 “[MIR] mir” : Bugs : mir package : Ubuntu

kevin gunn (kgunn72) on 2013-07-19

Changed in mir:
assignee:	nobody → MIR approval team (ubuntu-mir)
Changed in unity-system-compositor:
assignee:	nobody → MIR approval team (ubuntu-mir)

kevin gunn (kgunn72) on 2013-07-19

description:

updated

Revision history for this message

Robert Ancell (robert-ancell) wrote on 2013-07-21:

#1

Opened bug 1203588 to track MIR for unity-system-compositor

Changed in mir:
assignee:	MIR approval team (ubuntu-mir) → nobody
Changed in unity-system-compositor:
assignee:	MIR approval team (ubuntu-mir) → nobody
status:	New → Invalid

Robert Ancell (robert-ancell) on 2013-07-21

description:	updated
description:	updated
summary:	- [MIR] mir, unity-system-compositor + [MIR] mir
description:	updated

Robert Ancell (robert-ancell) on 2013-07-21

description:	updated
description:	updated
description:	updated

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2013-07-22:

#2

What is this bug?

Is it a request for packaging? If so it should have tag "needs-packaging", and of course a better description.

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2013-07-22:

#3

Oh... (M)ain (I)nclusion (R)equest

:)

Michael Terry (mterry) on 2013-07-22

no longer affects:

unity-system-compositor

Revision history for this message

Michael Terry (mterry) wrote on 2013-07-22:

#4

This should probably be a security-approved MIR. (assigning to upstream part of this bug, since LP won't let me assign to the Ubuntu task, as it isn't in Ubuntu yet)

Changed in mir:
assignee:	nobody → Jamie Strandboge (jdstrand)

Jamie Strandboge (jdstrand) on 2013-07-22

Changed in mir:
assignee:	Jamie Strandboge (jdstrand) → nobody
Changed in mir (Ubuntu):
assignee:	nobody → Ubuntu Security Team (ubuntu-security)

Revision history for this message

Michael Terry (mterry) wrote on 2013-07-23:

#5

Some comments from a packaging/maintainability perspective:
* You'll need a team bug subscriber in Ubuntu
* Why does libmirprotobuf-dev not ship a pc file? Seems like it should.
* Why is (the unversioned) libmirplatformgraphics.so thrown into the libmirserver0 package?
* I'm uncomfortable with debian/rule's assumption that armhf == android. Is there not a way to make that a run time detection? I assume that's also why tests are disabled for armhf. It would be really nice if we could enable them (which is all the more reason to decouple the android assumption).
* The debian/source_mir.py file does not seem to be installed.
* Nice that you use a tight -V for dh_makeshlibs
* Also nice that tests are run during build

Revision history for this message

Robert Ancell (robert-ancell) wrote on 2013-07-23:

#6

* You'll need a team bug subscriber in Ubuntu

Set to ~mir-team:
https://bugs.launchpad.net/~mir-team/+packagebugs

* Why does libmirprotobuf-dev not ship a pc file? Seems like it should.

Because it doesn't contain any headers, just the .proto files. In fact, it probably shouldn't even exist as nothing should need to build against it (it's just a library shared between libmirclient and libmirserver)

* Why is (the unversioned) libmirplatformgraphics.so thrown into the libmirserver0 package?
* I'm uncomfortable with debian/rule's assumption that armhf == android. Is there not a way to make that a run time detection? I assume that's also why tests are disabled for armhf. It would be really nice if we could enable them (which is all the more reason to decouple the android assumption).
* The debian/source_mir.py file does not seem to be installed.
* Nice that you use a tight -V for dh_makeshlibs
* Also nice that tests are run during build

Revision history for this message

Robert Ancell (robert-ancell) wrote on 2013-07-23:

#7

Whoops, pressed post too early.

* Why is (the unversioned) libmirplatformgraphics.so thrown into the libmirserver0 package?

It's a module. It should probably go into a module directory.

* I'm uncomfortable with debian/rule's assumption that armhf == android. Is there not a way to make that a run time detection? I assume that's also why tests are disabled for armhf. It would be really nice if we could enable them (which is all the more reason to decouple the android assumption).

See bug 1203004

Revision history for this message

Robert Ancell (robert-ancell) wrote on 2013-07-23:

#8

* The debian/source_mir.py file does not seem to be installed.

Bug 1204284

Revision history for this message

Michael Terry (mterry) wrote on 2013-07-24:

#9

> Because it doesn't contain any headers, just the .proto files. In fact, it probably shouldn't even exist as nothing
> should need to build against it (it's just a library shared between libmirclient and libmirserver)

I get that without headers and without a pc file, it's intentionally hard for other packages to use this private library. Maybe it should live in pkglibdir instead of libdir.

> See bug 1203004

This bug deals with the armhf tests, which is good. But could you separately comment on the armhf==android assumption?

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2013-07-25:

#10

The security review is going to take some time and we shouldn't block on it. Assuming everything else is ok, please prepromote and anything the security team finds we'll file as bugs to fix.

Revision history for this message

Michael Terry (mterry) wrote on 2013-07-25:

#11

OK, so only things still blocking this are:
* armhf==android shouldn't be assumed
* Tests should run on armhf

(Plus, it should actually enter the archive)

no longer affects:

mir

Revision history for this message

Stephen M. Webb (bregma) wrote on 2013-07-26:

#12

* armhf==android shouldn't be assumed

This is now bug #1205389.

* Tests should run on armhf

This is now bug #1203004.

Revision history for this message

Robert Ancell (robert-ancell) wrote on 2013-07-31:

#13

Also found by xnox that the binary packages libboost-regex-dev and libboost-chrono-dev need to be promoted to main.

Revision history for this message

Robert Ancell (robert-ancell) wrote on 2013-07-31:

#14

Actually, we use asio but there's not a libboost-asio-dev, so we do need to depend on libboost-dev

Revision history for this message

Michael Terry (mterry) wrote on 2013-07-31:

#15

OK, this is approved from a MIR side. The security review can happen later. And the android/armhf issues will be part of the acceptance criteria for u-s-c being enabled. So either we fix them or we don't end up using Mir.

Changed in mir (Ubuntu):
status:	New → Triaged

Revision history for this message

Didier Roche-Tolomelli (didrocks) wrote on 2013-08-05:

#16

Download full text (3.2 KiB)

as discussed with Jamie, promoting without blocking on the security review. Not changing the bug status on purpose though.

$ ./change-override -c main -S mir
Override component to main
mir 0.0.8+13.10.20130803-0ubuntu1 in saucy: universe/x11 -> main
libmirclient-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libdevel/optional/100% -> main
libmirclient-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libdevel/optional/100% -> main
libmirclient-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libdevel/optional/100% -> main
libmirclient1 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libs/optional/100% -> main
libmirclient1 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libs/optional/100% -> main
libmirclient1 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libs/optional/100% -> main
libmirprotobuf-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libdevel/optional/100% -> main
libmirprotobuf-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libdevel/optional/100% -> main
libmirprotobuf-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libdevel/optional/100% -> main
libmirprotobuf0 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libs/optional/100% -> main
libmirprotobuf0 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libs/optional/100% -> main
libmirprotobuf0 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libs/optional/100% -> main
libmirserver-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libdevel/optional/100% -> main
libmirserver-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libdevel/optional/100% -> main
libmirserver-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libdevel/optional/100% -> main
libmirserver0 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libs/optional/100% -> main
libmirserver0 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libs/optional/100% -> main
libmirserver0 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libs/optional/100% -> main
mir-demos 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/x11/optional/100% -> main
mir-demos 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/x11/optional/100% -> main
mir-demos 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/x11/optional/100% -> main
mir-doc 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/doc/optional/100% -> main
mir-doc 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/doc/optional/100% -> main
mir-doc 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/doc/optional/100% -> main
mir-doc 0.0.8+13.10.20130803-0ubuntu1 in saucy powerpc: universe/doc/optional/100% -> main
mir-test-tools 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/x11/optional/100% -> main
mir-test-tools 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/x11/optional/100% -> main
mir-test-tools 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/x11/optional/100% -> main
mircommon-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libdevel/optional/100% -> main
mircommon-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libdevel/optional/100% -> main
mircommon-dev 0.0.8+13.10.20130803...

as discussed with Jamie, promoting without blocking on the security review. Not changing the bug status on purpose though.

$ ./change-override -c main -S mir
Override component to main
mir 0.0.8+13.10.20130803-0ubuntu1 in saucy: universe/x11 -> main
libmirclient-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libdevel/optional/100% -> main
libmirclient-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libdevel/optional/100% -> main
libmirclient-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libdevel/optional/100% -> main
libmirclient1 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libs/optional/100% -> main
libmirclient1 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libs/optional/100% -> main
libmirclient1 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libs/optional/100% -> main
libmirprotobuf-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libdevel/optional/100% -> main
libmirprotobuf-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libdevel/optional/100% -> main
libmirprotobuf-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libdevel/optional/100% -> main
libmirprotobuf0 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libs/optional/100% -> main
libmirprotobuf0 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libs/optional/100% -> main
libmirprotobuf0 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libs/optional/100% -> main
libmirserver-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libdevel/optional/100% -> main
libmirserver-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libdevel/optional/100% -> main
libmirserver-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libdevel/optional/100% -> main
libmirserver0 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libs/optional/100% -> main
libmirserver0 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libs/optional/100% -> main
libmirserver0 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libs/optional/100% -> main
mir-demos 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/x11/optional/100% -> main
mir-demos 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/x11/optional/100% -> main
mir-demos 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/x11/optional/100% -> main
mir-doc 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/doc/optional/100% -> main
mir-doc 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/doc/optional/100% -> main
mir-doc 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/doc/optional/100% -> main
mir-doc 0.0.8+13.10.20130803-0ubuntu1 in saucy powerpc: universe/doc/optional/100% -> main
mir-test-tools 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/x11/optional/100% -> main
mir-test-tools 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/x11/optional/100% -> main
mir-test-tools 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/x11/optional/100% -> main
mircommon-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libdevel/optional/100% -> main
mircommon-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libdevel/optional/100% -> main
mircommon-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libdevel/optional/100% -> main

Jamie Strandboge (jdstrand) on 2013-08-13

Changed in mir (Ubuntu):
assignee:	Ubuntu Security Team (ubuntu-security) → Seth Arnold (seth-arnold)

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2013-10-08:

#17

Download full text (8.7 KiB)

I reviewed Mir version 0.0.12+13.10.20130926.1-0ubuntu1 as checked into
Saucy. This should not be considered a full security audit, but rather a
quick gauge of code quality.

- Mir is a new display server, intending to replace X11, to rely upon the
  features of high-powered modern graphics hardware available in both
  traditional computers and newfangled handheld devices. By starting over
  with higher demands on hardware and reduced demands on legacy features,
  the intention is to provide a display server that is faster and more
  secure (e.g., preventing mouse grabs and keyboard grabs from preventing
  screen saver lock, or client keypress sniffing, or other annoyances from
  the X11 legacy codebase).
- Build-Depends upon cmake, doxygen, xsltproc, graphviz, boost, protobuf,
  libdrm, libegl1-mesa, libgles2-mesa, libgdm, libglm, libhardware,
  libgoogle-glog, liblttns-ust, libxkbcommon, umockdev, libudev,
  google-mock, valgrind
- No cryptography
- Extensive local networking, no off-machine networking
- Not exactly the usual daemon; does not double-fork(2), setpgid(2) and
  setsid(2) happen via mgg::LinuxVirtualTerminal::open_vt() rather than at
  startup.
- No initscripts
- No dbus
- No setuid
- No sudo
- No cron
- Binaries in /usr/bin/:
  mir_demo_client_flicker
  mir_demo_server_basic
  mir_demo_standalone_input_filter
  mir_stress
  mir_demo_server_shell
  mir_demo_client_multiwin
  mir_demo_client_scroll
  mir_demo_client_fingerpaint
  mir_demo_client_eglplasma
  mir_demo_client_basic
  mir_demo_client_eglflash
  mir_demo_client_egltriangle
- Good test suite
- Fairly messy build logs, several instances of:
  - warning: format '%d' expects argument of type 'int', but argument 4
    has type 'size_t {aka long unsigned int}'
- Many instances of:
  - Warning: no uniquely matching class member found for ...
  - Warning: no matching class member found for
- Lintian errors:
  - E: libmirplatform: postinst-must-call-ldconfig
    usr/lib/x86_64-linux-gnu/libmirplatformgraphics.so
  - E: mir-test-tools: arch-dependent-file-not-in-arch-specific-directory
    usr/bin/mir_stress
- Lintian warnings:
  - (two) W: libmirplatform: shlib-without-versioned-soname
    usr/lib/x86_64-linux-gnu/libmirplatformgraphics.so
    libmirplatformgraphics.so
  - (twelve) W: mir-demos: binary-without-manpage
    usr/bin/mir_demo_client_basic
  - (one) W: mir-doc: embedded-javascript-library
    usr/share/doc/mir-doc/html/jquery.js

- One instance of spawning a subprocess, examples/basic_server.cpp, just
  passes along a command-line argument to system(3); not itself unsafe,
  but might be unsafe in some potential uses of this example.
- Most memory management is handled via C++ safe pointers
- File IO is largely two types: socket parsing and device ioctls, looked safe
- Logging looked safe, lttng toolkit provides nice tracing tools
- Environment variables used: MIR_CLIENT_RPC_REPORT, MIR_SOCKET,
  XDG_CONFIG_HOME, HOME, XDG_CONFIG_DIRS, MIR_BYPASS,
  MIR_SERVER_HOST_SOCKET, ANDROID_ROOT, ANDROID_DATA
- Environment variable use looked safe
- Extensive ioctl use, possible mistake detailed below
- Expects to run with sufficient privileges to manipulate hardware
  devi...

I reviewed Mir version 0.0.12+13.10.20130926.1-0ubuntu1 as checked into
Saucy. This should not be considered a full security audit, but rather a
quick gauge of code quality.

- Mir is a new display server, intending to replace X11, to rely upon the
  features of high-powered modern graphics hardware available in both
  traditional computers and newfangled handheld devices. By starting over
  with higher demands on hardware and reduced demands on legacy features,
  the intention is to provide a display server that is faster and more
  secure (e.g., preventing mouse grabs and keyboard grabs from preventing
  screen saver lock, or client keypress sniffing, or other annoyances from
  the X11 legacy codebase).
- Build-Depends upon cmake, doxygen, xsltproc, graphviz, boost, protobuf,
  libdrm, libegl1-mesa, libgles2-mesa, libgdm, libglm, libhardware,
  libgoogle-glog, liblttns-ust, libxkbcommon, umockdev, libudev,
  google-mock, valgrind
- No cryptography
- Extensive local networking, no off-machine networking
- Not exactly the usual daemon; does not double-fork(2), setpgid(2) and
  setsid(2) happen via mgg::LinuxVirtualTerminal::open_vt() rather than at
  startup.
- No initscripts
- No dbus
- No setuid
- No sudo
- No cron
- Binaries in /usr/bin/:
  mir_demo_client_flicker
  mir_demo_server_basic
  mir_demo_standalone_input_filter
  mir_stress
  mir_demo_server_shell
  mir_demo_client_multiwin
  mir_demo_client_scroll
  mir_demo_client_fingerpaint
  mir_demo_client_eglplasma
  mir_demo_client_basic
  mir_demo_client_eglflash
  mir_demo_client_egltriangle
- Good test suite
- Fairly messy build logs, several instances of:
  - warning: format '%d' expects argument of type 'int', but argument 4
    has type 'size_t {aka long unsigned int}'
- Many instances of:
  - Warning: no uniquely matching class member found for ...
  - Warning: no matching class member found for
- Lintian errors:
  - E: libmirplatform: postinst-must-call-ldconfig
    usr/lib/x86_64-linux-gnu/libmirplatformgraphics.so
  - E: mir-test-tools: arch-dependent-file-not-in-arch-specific-directory
    usr/bin/mir_stress
- Lintian warnings:
  - (two) W: libmirplatform: shlib-without-versioned-soname
    usr/lib/x86_64-linux-gnu/libmirplatformgraphics.so
    libmirplatformgraphics.so
  - (twelve) W: mir-demos: binary-without-manpage
    usr/bin/mir_demo_client_basic
  - (one) W: mir-doc: embedded-javascript-library
    usr/share/doc/mir-doc/html/jquery.js

- One instance of spawning a subprocess, examples/basic_server.cpp, just
  passes along a command-line argument to system(3); not itself unsafe,
  but might be unsafe in some potential uses of this example.
- Most memory management is handled via C++ safe pointers
- File IO is largely two types: socket parsing and device ioctls, looked safe
- Logging looked safe, lttng toolkit provides nice tracing tools
- Environment variables used: MIR_CLIENT_RPC_REPORT, MIR_SOCKET,
  XDG_CONFIG_HOME, HOME, XDG_CONFIG_DIRS, MIR_BYPASS,
  MIR_SERVER_HOST_SOCKET, ANDROID_ROOT, ANDROID_DATA
- Environment variable use looked safe
- Extensive ioctl use, possible mistake detailed below
- Expects to run with sufficient privileges to manipulate hardware
  devices, does not separate into high-privileged and low-privileged
  portions during execution
- No cryptography
- Extensive Unix-domain networking, Google protobufs used in some cases to
  provide structure-over-socket support, RPC support
- Does not use WebKit
- Does not use qtjsbackend

Mir is professionally-written C++11 code; while it is well-written by
disciplined programmers, maintenance tasks on Mir will require experts
knowledgeable in its design and construction. The security team will
largely be reliant upon "upstream" for any fixes that may be needed
in the future, and it is vital that we retain in-house expertise on
this codebase for as long as we commit to supporting it.

I'm concerned about the instructions to "chmod 777 /tmp/mir_socket" that
appear in the documentation, and baked into another package: a Unix domain
socket should not have execute permissions, and such wide-open permissions
makes me worried about the reliability of this socket.

(Please forgive a small aside: normally, when I see instructions on
web sites along the lines of "chmod 777 /path/to/something", I usually
ignore the rest of that person's advice on the basis that they probably
didn't apply scientific thinking to their problem solving. We should
not encourage "chmod 777" as a solution to anything, even if the only
change is "chmod 666".)

Setting the permissions after the socket is created and a name is bound
to it is a race condition, one that might end up with users accidentally
executing content written by another user (if non-Ubuntu kernels are used
that lack our symlink and hardlink protections). Perhaps fchmod(2) can be
used to set the permissions after the socket has been bound into the
filesystem. If not, perhaps the umask(2) needs to be configured before the
socket is bound into the filesystem.

I'd love to see a test case like this added to the test suite, ideally it
would run concurrently with all the other tests:

while true do ; dd if=/dev/random of=/tmp/mir_socket bs=$RANDOM count=1 ; done

Most methods assume input validation is handled elsewhere. This is
okay in the early stages of a project, where the demarcation lines are
clear and well-known to all members of the team, but in the long run I
fear that lacking internal defense may become a reliability problem. Some
methods have encouraging assert() macros to test preconditions; I would
like to see more use of defensive assert()s.

I took some assorted notes while reading the source; some are duplicates
of prose above (but the details seemed worth keeping). Feel free to handle
most of these whenever it is convenient.

- Includes copy of input.h from Linux kernel sources
  The version included in Mir shares the Android definitions of two
  ioctls:
    #define EVIOCGSUSPENDBLOCK  _IOR('E', 0x91, int)      /* get suspend block enable */
    #define EVIOCSSUSPENDBLOCK  _IOW('E', 0x91, int)      /* set suspend block enable */
  The version in the mainline Linux kernel has different symbols and
  meanings for these specific ioctls:
    #define EVIOCGRAB               _IOW('E', 0x90, int) /* Grab/Release device */
    #define EVIOCREVOKE             _IOW('E', 0x91, int) /* Revoke device access */

This is used in
  3rd_party/android-input/android/frameworks/base/services/input/EventHub.cpp

- EventHub.cpp still uses usleep(2), which was removed from POSIX in 2008.
  usleep(2) may fail around clock skews; nanosleep(2) uses the MONOTONIC
  clock and thus won't fail around clock skews.

- progressbar.c still uses usleep(2)
- progressbar.c uses unsafe routines in signal handlers, assume it's a
  toy, no further investigation :)

- ./3rd_party/android-deps/std/properties.h property_get() uses
  default_value if it is given, regardless of value. No length checks are
  performed, and the handful of callers in the source base all give a
  value parameter that could not be overwritten if default_value weren't
  NULL. It's not broken within this package, but it is also not pretty.

- Missing required O_RDONLY, O_WRONLY, O_RDWR in:
  ./tests/integration-tests/test_swapinterval.cpp
  ./tests/unit-tests/frontend/test_protobuf_sends_fds.cpp
  ./tests/unit-tests/client/test_client_mir_surface.cpp
  ./tests/unit-tests/client/input/test_android_input_receiver_thread.cpp
  ./tests/acceptance-tests/test_server_shutdown.cpp

- tests/mir-stress/src/threading.cpp run_mir_test() double-counts some
  tests, if (!p->create_surface()) is true, both false and true are added

- src/server/frontend/published_socket_connector.cpp
  mf::BasicConnector::client_socket_fd() creates a socketpair for
  communication between clients and Mir, but I don't see the corresponding
  bind(2) to give it a name in the filesystem, nor permissions setting,
  nor options to use abstract sockets (@foo in netstat output..)

- ./src/client/rpc/mir_socket_rpc_channel.cpp send_message() uses manual
  bit-fiddling rather than ntohs() and htons(), this might restrict client
  and server to running on same endianness architecture, may complicate
  emulator construction with qemu.

- Other methods use manual bit-fiddling for socket communications.

SUMMARY
=======

Please change "chmod 777" to "chmod 666" soon. I don't want "chmod 777" to
be seen as reasonable advice. :)

Please investigate better approaches to change the permissions on the
bound socket than chmod(2). Suggested replacements are fchmod(2) and
then umask(2). Since the socket is created in this package, I'd recommend
keeping permissions management of the socket in this package, rather than
in unity-system-compositor.

Please investigate lintian warnings and C++ compiler warnings.

None of the above blocks including Mir into Ubuntu Saucy.

Security team ACK for including Mir in main.

Thanks

Changed in mir (Ubuntu):
assignee:	Seth Arnold (seth-arnold) → nobody

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2013-10-10:

#18

Doesn't this count as "fixed" by now?

Michael Terry (mterry) on 2013-10-10

Changed in mir (Ubuntu):
status:	Triaged → Fix Committed

Michael Terry (mterry) on 2013-10-10

Changed in mir (Ubuntu):
status:	Fix Committed → Fix Released

Ubuntu
mir package

[MIR] mir

Bug Description

Other bug subscribers

Remote bug watches

Ubuntumir package

[MIR] mir

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
mir package