[MIR] libntlm

Bug #1976405 reported by William Wilson

Affects           Status        Importance  Assigned to    Milestone
libntlm (Ubuntu)  Fix Released  Undecided   Unassigned
mutt (Ubuntu)     Invalid       Undecided   Lukas Märdian

Bug Description

[Summary]
* Due to the nature of the package (an authentication library) it should
be reviewed by the security team before promotion
* build log: https://launchpad.net/ubuntu/+source/libntlm/1.6-4/+build/22298428

[Availability]
* The package is already in Ubuntu universe.
* The package builds for the architectures it is designed to work on.

[Rationale]
* This MIR is transitive for an MIR of gsasl. It is needed to resolve
a component mismatch for mutt.

[Security]
* CVE-2019-17455 was fixed and is the only CVE listed for this package
* No `suid` or `sgid` binaries
* No executables in `/sbin` and `/usr/sbin`
* Package does not install services, timers or recurring jobs
* Package does not open privileged ports (ports < 1024)
* Due to the nature of the package (an authentication library) it should
be reviewed by the security team before promotion

[Quality assurance - function/usage]
* The package works well right after install

[Quality assurance - maintenance]
* The package is maintained well in Debian/Ubuntu and does not have too many
 long-term critical bugs open
* The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
* The package runs a test suite at build time; if it fails,
it makes the build fail
* The package runs an autopkgtest, and is currently passing
* The package does not have failing autopkgtests right now

[Quality assurance - packaging]
* debian/watch is present and works
* debian/control defines a correct Maintainer field
* This package does not yield massive lintian Warnings, Errors
* Full output of `lintian --pedantic`:
```
P: libntlm source: very-long-line-length-in-source-file configure line 11350 is 704 characters long (>512)
P: libntlm source: very-long-line-length-in-source-file m4/libtool.m4 line 6621 is 738 characters long (>512)
```
* Lintian overrides are not present
* This package has no python2 or GTK2 dependencies
* Packaging and build is easy

[UI standards]
* Application is not end-user facing (does not need translation)

[Dependencies]
* No further depends or recommends dependencies that are not yet in main

[Standards compliance]
* This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
* Owning Team will be foundations
* Team is not yet subscribed, but will subscribe to the package before promotion
* This does not use static builds
* This does not use vendored code
* The package successfully built during the most recent test rebuild

[Background information]
* The package description explains the package well
* Upstream name is libntlm
* Link to upstream project https://www.nongnu.org/libntlm/

Changed in libntlm (Ubuntu):
milestone: none → ubuntu-22.10
description: updated
Changed in libntlm (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Review for Package: libntlm

[Summary]
I needed more time than expected checking for duplicates or whether gl is
embedded from anywhere else, but I have come to the conclusion that it LGTM.

MIR team ACK

As already suggested by the reporter this does need a security review,
so I'll assign ubuntu-security.

Specific binary packages built, but NOT to be promoted to main: libntlm0, libntlm0-dev

[Duplication]
There is cyrus-sasl2, which has ntlm (main); gss-ntlmssp provides it for kerberos
gssapi; and other languages have python3-ntlm-auth / ruby-ntlm, as well as
the proxy cntlm - but all except the first are in universe.
But the ntlm in cyrus-sasl2 is just an auth plugin to sasl itself. It is not
using a library (like libntlm) nor is it providing one outside of the sasl2
context.
libntlm0: /usr/lib/x86_64-linux-gnu/libntlm.so.0
libsasl2-modules: /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so

There is one more ntlm implementation in main, that is in dovecot.
But they didn't externalize theirs like cyrus did - so that isn't
an option either.

Therefore despite the similarity it seems there is no duplication in main.

The project lists gsasl on [2] which is also here the reason it is needed
to be promoted.

[Dependencies]
OK:
- no other Dependencies to MIR due to this (only libc6)
- no -dev/-debug/-doc packages that need exclusion (deps are safe)
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present; the only one is a local gnulib like so many
  packages do (grub, gnutls, ... just check [1]). Therefore I'd not consider
  this a blocker.
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- does not parse data formats
- does not deal with system authentication (e.g., pam, etc.)

[Common blockers]
OK:
 - does not FTBFS currently
 - does have a test suite that runs at build time
   - test suite failures will fail the build.
 - does have a non-trivial test suite that runs as autopkgtest
   (only upstream testsuite and a simple link and run, but fine for such a lib)
 - No special HW required
 - no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is ok
- Debian/Ubuntu update history is ok
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings (as shown by the reporter)
- d/rules is rather clean (6 lines)
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- n...


Changed in libntlm (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → Ubuntu Security Team (ubuntu-security)
tags: added: sec-1079
Lukas Märdian (slyon)
Changed in mutt (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
tags: added: update-excuse
Revision history for this message
Mark Esler (eslerm) wrote :

I reviewed libntlm 1.6-4 as checked into kinetic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

- CVE History:
  - CVE-2019-17455
    - "It was discovered that Libntlm incorrectly handled specially crafted NTML requests. An attacker could possibly use this issue to cause a denial of service or another unspecified impact."
    - https://ubuntu.com/security/notices/USN-5108-1
- Open Bugs?
  - "Problem with cross domain authentication"
    - https://gitlab.com/gsasl/libntlm/-/issues/1
- Build-Depends?
  - gnulib built into package for DES
  - linux-vdso.so.1
  - libc.so.6
  - ld-linux-x86-64.so.2
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - yes
- cron jobs?
  - none
- Build logs:
  - handful of "warning: inlining failed in call to 'getUnicodeString.constprop'" on build

- Processes spawned?
  - not checked
- Memory management?
  - four memcpy calls in smbutil.c
  - first use is very obtuse
  - no size checking--might be fine
- File IO?
  - no, only test code
- Logging?
  - no, only example code
- Environment variable usage?
  - none
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - NTLMv1 is deprecated and highly unsafe (!)
  - implementation looks good
- Use of temp files?
  - none
- Use of networking?
  - no, only example code
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - smbutil.c:317 assigns a pointer to Null
    - AddString appears to be purposely built this way
- Any significant Coverity results?
  - gnulib overwrites part of a buffer being copied in md4_process_bytes function
    - perhaps intentional if buffer is under 16? should use memmove otherwise
    - Libntlm calls md4_buffer which calls md4_process_bytes
    - ./gl/md4.c:269
  - test code reports ignored
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none

This package encourages the use of NTLMv1. It implies that a NTLM server should use deprecated authentication. In many scenarios this means enabling SMBv1 as well! This is only acceptable in completely controlled environments.
 - https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73

From Libntlm's README:
"""
I don't consider NTLM a secure authentication protocol -- it uses MD4
and single-DES. MD4 has been broken, and single-DES have a too small
key size to be considered secure against brute-force attacks. You
should only use libntlm for interoperability purposes, not to achieve
any kind of security.
"""

Security team ACK for promoting libntlm to main.
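
The review above states that NTLMv1 rests on MD4 and single-DES and quotes the upstream README saying the same. The following is an added illustration by the editor, not code from this bug, from libntlm or from its gnulib copy: it implements MD4 from RFC 1320, derives the NT hash (MD4 over the UTF-16LE password) and splits that hash into the three 56-bit DES keys that the NTLMv1 response uses, as described in MS-NLMP. The DES encryption of the challenge itself is deliberately not implemented; the point is the key material. The password "password" and the structure of the returned tuples are this example's own choices.

```python
import struct

# MD4 per RFC 1320 (written from the RFC for this illustration, not gnulib's
# md4.c). NTLM's "NT hash" is MD4 over the UTF-16LE password; the NTLMv1
# response is three single-DES encryptions of the 8-byte server challenge,
# keyed with consecutive 7-byte slices of the hash padded to 21 bytes.

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # (boolean function, round constant, shift amounts, message word order)
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the working variables
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the password encoded as UTF-16LE, no salt."""
    return md4(password.encode("utf-16-le"))


def des_key_from_7(k7: bytes) -> bytes:
    """Expand 7 bytes (56 bits) into an 8-byte DES key with odd parity bits."""
    bits = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:  # low bit makes the byte's parity odd
            byte |= 1
        out.append(byte)
    return bytes(out)


def ntlmv1_des_keys(hash16: bytes):
    """Split hash16 || 5 zero bytes into three 7-byte DES key chunks.

    Returns [(chunk7, des_key8, bits_of_hash_material), ...]. The third
    chunk carries only hash bytes 14..15, i.e. 16 bits, so its DES key can
    be found with at most 2**16 trial encryptions of a captured challenge,
    independently of the other two keys (2**56 each).
    """
    padded = hash16 + b"\x00" * 5
    keys = []
    for i in range(3):
        chunk = padded[7 * i:7 * i + 7]
        hash_bytes = max(0, min(7, 16 - 7 * i))
        keys.append((chunk, des_key_from_7(chunk), 8 * hash_bytes))
    return keys


if __name__ == "__main__":
    h = nt_hash("password")  # constructed sample input
    print("NT hash:", h.hex())
    for n, (chunk, key, bits) in enumerate(ntlmv1_des_keys(h), 1):
        print(f"DES key {n}: chunk={chunk.hex()} key={key.hex()} hash bits={bits}")
```

Because the three DES operations are keyed independently and the server challenge is known to anyone who captured the exchange, an attacker recovers the last two hash bytes almost instantly and the remaining 14 bytes with two separate 2^56 searches, which is well within reach of DES-cracking hardware; the NT hash itself, once recovered, is sufficient for pass-the-hash authentication. That is why the review and the upstream README describe NTLMv1 as suitable for interoperability only.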

Changed in libntlm (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: New → In Progress
Revision history for this message
Lukas Märdian (slyon) wrote (last edit):

This is already pulled in as a dependency in -proposed. Also, I've subscribed ~foundations-bugs.

MIR team & security team ACK => Fix Committed

Changed in libntlm (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

$ change-override -c main -S -s kinetic libntlm
Override component to main
libntlm 1.6-4 in kinetic: universe/libs -> main
libntlm0 1.6-4 in kinetic amd64: universe/libs/optional/100% -> main
libntlm0 1.6-4 in kinetic arm64: universe/libs/optional/100% -> main
libntlm0 1.6-4 in kinetic armhf: universe/libs/optional/100% -> main
libntlm0 1.6-4 in kinetic ppc64el: universe/libs/optional/100% -> main
libntlm0 1.6-4 in kinetic riscv64: universe/libs/optional/100% -> main
libntlm0 1.6-4 in kinetic s390x: universe/libs/optional/100% -> main
libntlm0-dev 1.6-4 in kinetic amd64: universe/libdevel/optional/100% -> main
libntlm0-dev 1.6-4 in kinetic arm64: universe/libdevel/optional/100% -> main
libntlm0-dev 1.6-4 in kinetic armhf: universe/libdevel/optional/100% -> main
libntlm0-dev 1.6-4 in kinetic ppc64el: universe/libdevel/optional/100% -> main
libntlm0-dev 1.6-4 in kinetic riscv64: universe/libdevel/optional/100% -> main
libntlm0-dev 1.6-4 in kinetic s390x: universe/libdevel/optional/100% -> main
Override [y|N]? y
13 publications overridden.

Lukas Märdian (slyon)
Changed in libntlm (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote :

What is the mutt task here for?

Revision history for this message
Lukas Märdian (slyon) wrote :

That was for update-excuse tracking, as this was blocking mutt. It's now resolved and I marked that task "Invalid".

Changed in mutt (Ubuntu):
status: New → Invalid