Bug #1786489 “[MIR] rygel” : Bugs : rygel package : Ubuntu

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-08-13:

#1

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in rygel (Ubuntu):
status:	New → Confirmed

Sebastien Bacher (seb128) on 2018-08-14

Changed in rygel (Ubuntu):
status:	Confirmed → New

Matthias Klose (doko) on 2018-09-13

Changed in rygel (Ubuntu):
assignee:	nobody → Didier Roche (didrocks)

Revision history for this message

Didier Roche-Tolomelli (didrocks) wrote on 2018-10-25:

#2

* There are a lot of crash reports in launchpad. Those are several years old and shouldn't apply anymore. Maybe a little bit of cleanup of really old one, and looking at more recent ones will help once supported to review real new crashes (between launchpad and errors.ubuntu.com)?
* What is going to pull rygel on the iso: directly seeded or a recommends/deps somewhere? Note that there is as well rygel-tracker which shouldn't be promoted until tracker situation is deciphered.
* Some lintian warnings would be great to looked at, namely:
- W: rygel-2.6-dev: pkg-config-unavailable-for-cross-compilation (multiple of thm)
- W: rygel: uses-implicit-await-trigger interest /usr/lib/rygel-2.6 (line 1)
- W: rygel: uses-implicit-await-trigger interest rygel-restart (line 2)
* I guess rygel-preferences isn't going to be promoted, correct? (maybe we should list exactly the packages that are going to be promoted). It has a dep as linking on libgssdp-1.0-3, which is in universe.
* However rygel binary package has some dep issues as well:
- dep on libgssdp-1.0-3 (gssdp source in universe) and libgupnp-1.0-4 (gupnp source in universe), which are not listed in the current MIR for the stack.
- 2 recommends with its source in universe and not listed to be MIRed. They should be downgraded to Suggests, if possible: gstreamer1.0-libav and gstreamer1.0-plugins-ugly
* If we want to promote rygel-2.6-dev to main, there is again the libgupnp-1.0-dev dep as well which needs to be sorted out.
* librygel-server-2.6-2 is a dep of rygel, and depends as well on libgssdp-1.0-3 and libgupnp-1.0-4
* librygel-renderer-2.6-2 is a dep of rygel, and depends as well on libgupnp-1.0-4
* librygel-core-2.6-2 is a dep of rygel, and depends as well on libgssdp-1.0-3 and libgupnp-1.0-4
* some copyright are missing:
  - 2008-2009 Florian Brosch
  - 2012 Choe Hwanjin <email address hidden>
  - 2013 Cable Television Laboratories, Inc.
  - 2014 Jens Georg <email address hidden>
  - 2014 Atlantic PuffinPack AB.
  - 2017 Samuel CUELLA]
  - Intel Corporation copyright should be extended to 2013
  - Jens Georg copyright should be extended to 2016
I may have missed others but that should be about it.

Opened question:
- tests are ran during package build, do we want autopkgtests (unsure if those are just unit tests or not, but it would maybe prevent at least vala regression)?
- the doc is in the -dev package. That's ok with me, weird to have different standards considering debian maintainer is the same than the other packages though.

I think there is a bunch of work to be done before going to another review or give a conditional +1 on that one. I'll defer also to the security team once the package is a little bit more ready from the pure MIR perspective.

* There are a lot of crash reports in launchpad. Those are several years old and shouldn't apply anymore. Maybe a little bit of cleanup of really old one, and looking at more recent ones will help once supported to review real new crashes (between launchpad and errors.ubuntu.com)?
* What is going to pull rygel on the iso: directly seeded or a recommends/deps somewhere? Note that there is as well rygel-tracker which shouldn't be promoted until tracker situation is deciphered.
* Some lintian warnings would be great to looked at, namely:
- W: rygel-2.6-dev: pkg-config-unavailable-for-cross-compilation (multiple of thm)
- W: rygel: uses-implicit-await-trigger interest /usr/lib/rygel-2.6 (line 1)
- W: rygel: uses-implicit-await-trigger interest rygel-restart (line 2)
* I guess rygel-preferences isn't going to be promoted, correct? (maybe we should list exactly the packages that are going to be promoted). It has a dep as linking on libgssdp-1.0-3, which is in universe.
* However rygel binary package has some dep issues as well:
 - dep on libgssdp-1.0-3 (gssdp source in universe) and libgupnp-1.0-4 (gupnp source in universe), which are not listed in the current MIR for the stack.
 - 2 recommends with its source in universe and not listed to be MIRed. They should be downgraded to Suggests, if possible: gstreamer1.0-libav and gstreamer1.0-plugins-ugly
* If we want to promote rygel-2.6-dev to main, there is again the libgupnp-1.0-dev dep as well which needs to be sorted out.
* librygel-server-2.6-2 is a dep of rygel, and depends as well on libgssdp-1.0-3 and libgupnp-1.0-4
* librygel-renderer-2.6-2 is a dep of rygel, and depends as well on libgupnp-1.0-4
* librygel-core-2.6-2 is a dep of rygel, and depends as well on libgssdp-1.0-3 and libgupnp-1.0-4
* some copyright are missing:
  - 2008-2009 Florian Brosch
  - 2012 Choe Hwanjin <choe.hwanjin@gmail.com>
  - 2013 Cable Television Laboratories, Inc.
  - 2014 Jens Georg <mail@jensge.org>
  - 2014 Atlantic PuffinPack AB. 
  - 2017 Samuel CUELLA]
  - Intel Corporation copyright should be extended to 2013
  - Jens Georg copyright should be extended to 2016
I may have missed others but that should be about it.

Opened question:
- tests are ran during package build, do we want autopkgtests (unsure if those are just unit tests or not, but it would maybe prevent at least vala regression)?
- the doc is in the -dev package. That's ok with me, weird to have different standards considering debian maintainer is the same than the other packages though.

I think there is a bunch of work to be done before going to another review or give a conditional +1 on that one. I'll defer also to the security team once the package is a little bit more ready from the pure MIR perspective.

Sebastien Bacher (seb128) on 2018-10-25

description:

updated

Revision history for this message

Sebastien Bacher (seb128) wrote on 2018-12-03:

#3

Download full text (4.5 KiB)

> * There are a lot of crash reports in launchpad. Those are several years old and shouldn't apply anymore.
> Maybe a little bit of cleanup of really old one, and looking at more recent ones will help once supported
> to review real new crashes (between launchpad and errors.ubuntu.com)?

Done, the launchpad bugs are down to 7 & e.u.c is looks without real issues.

> * What is going to pull rygel on the iso: directly seeded or a recommends/deps somewhere?
> Note that there is as well rygel-tracker which shouldn't be promoted until tracker situation is deciphered.

gnome-control-center has the sharing UI, we plan to add the Recommends to the service there

> * Some lintian warnings would be great to looked at, namely:
> - W: rygel-2.6-dev: pkg-config-unavailable-for-cross-compilation (multiple of thm)

That's because the package is not using a multiarch location, do you consider that a pre-requirement to get the MIR approved? It's probably not too difficult to change the build but it requires some testing, etc.

> - W: rygel: uses-implicit-await-trigger interest /usr/lib/rygel-2.6 (line 1)
> - W: rygel: uses-implicit-await-trigger interest rygel-restart (line 2)

Fixed in 0.36.2-2 just uploaded to Debian (autosync to come)

> * I guess rygel-preferences isn't going to be promoted, correct?
> (maybe we should list exactly the packages that are going to be promoted). It has a dep as linking on libgssdp-1.0-3, which is in universe.

Correct, gnome-control-center is the UI to control the service in our usecase

> * However rygel binary package has some dep issues as well:
> - dep on libgssdp-1.0-3 (gssdp source in universe) and libgupnp-1.0-4 (gupnp source in universe), which are not listed in the current MIR for the stack.

Right, those used to be in main but new MIRs filed now to have a new look before re-promoting
https://bugs.launchpad.net/ubuntu/+source/gupnp/+bug/1799974
https://bugs.launchpad.net/ubuntu/+source/gssdp/+bug/1799977

> - 2 recommends with its source in universe and not listed to be MIRed.
> They should be downgraded to Suggests, if possible: gstreamer1.0-libav and gstreamer1.0-plugins-ugly

Right, those needs to be demoted but let's keep the package in sync for now it's going to lower the work until the other MIRs and this one are approved.

> * If we want to promote rygel-2.6-dev to main, there is again the libgupnp-1.0-dev dep as well which needs to be sorted out.

I don't think we need the -dev in main since we can build on universe. Also gupnp has a MIR in review.

> * librygel-server-2.6-2 is a dep of rygel, and depends as well on libgssdp-1.0-3 and libgupnp-1.0-4
> * librygel-renderer-2.6-2 is a dep of rygel, and depends as well on libgupnp-1.0-4
> * librygel-core-2.6-2 is a dep of rygel, and depends as well on libgssdp-1.0-3 and libgupnp-1.0-4

Right, those 2 MIRs are pre-requirements now

> * some copyright are missing:
> - 2008-2009 Florian Brosch
> - 2012 Choe Hwanjin <email address hidden>
> - 2013 Cable Television Laboratories, Inc.
> - 2014 Jens Georg <email address hidden>
> - 2014 Atlantic PuffinPack AB.
> - 2017 Samuel CUELLA]
> - Intel Corporation copyright should be extended to 2013
> - Jen...

> * There are a lot of crash reports in launchpad. Those are several years old and shouldn't apply anymore. 
> Maybe a little bit of cleanup of really old one, and looking at more recent ones will help once supported 
> to review real new crashes (between launchpad and errors.ubuntu.com)?

Done, the launchpad bugs are down to 7 & e.u.c is looks without real issues.

> * What is going to pull rygel on the iso: directly seeded or a recommends/deps somewhere? 
> Note that there is as well rygel-tracker which shouldn't be promoted until tracker situation is deciphered.

gnome-control-center has the sharing UI, we plan to add the Recommends to the service there

> * Some lintian warnings would be great to looked at, namely:
> - W: rygel-2.6-dev: pkg-config-unavailable-for-cross-compilation (multiple of thm)

That's because the package is not using a multiarch location, do you consider that a pre-requirement to get the MIR approved? It's probably not too difficult to change the build but it requires some testing, etc.

> - W: rygel: uses-implicit-await-trigger interest /usr/lib/rygel-2.6 (line 1)
> - W: rygel: uses-implicit-await-trigger interest rygel-restart (line 2)

Fixed in 0.36.2-2 just uploaded to Debian (autosync to come)

> * I guess rygel-preferences isn't going to be promoted, correct? 
> (maybe we should list exactly the packages that are going to be promoted). It has a dep as linking on libgssdp-1.0-3, which is in universe.

Correct, gnome-control-center is the UI to control the service in our usecase

> * However rygel binary package has some dep issues as well:
>  - dep on libgssdp-1.0-3 (gssdp source in universe) and libgupnp-1.0-4 (gupnp source in universe), which are not listed in the current MIR for the stack.

Right, those used to be in main but new MIRs filed now to have a new look before re-promoting
https://bugs.launchpad.net/ubuntu/+source/gupnp/+bug/1799974
https://bugs.launchpad.net/ubuntu/+source/gssdp/+bug/1799977

> - 2 recommends with its source in universe and not listed to be MIRed. 
> They should be downgraded to Suggests, if possible: gstreamer1.0-libav and gstreamer1.0-plugins-ugly

Right, those needs to be demoted but let's keep the package in sync for now it's going to lower the work until the other MIRs and this one are approved.

> * If we want to promote rygel-2.6-dev to main, there is again the libgupnp-1.0-dev dep as well which needs to be sorted out.

I don't think we need the -dev in main since we can build on universe. Also gupnp has a MIR in review.

> * librygel-server-2.6-2 is a dep of rygel, and depends as well on libgssdp-1.0-3 and libgupnp-1.0-4
> * librygel-renderer-2.6-2 is a dep of rygel, and depends as well on libgupnp-1.0-4
> * librygel-core-2.6-2 is a dep of rygel, and depends as well on libgssdp-1.0-3 and libgupnp-1.0-4

Right, those 2 MIRs are pre-requirements now

> * some copyright are missing:
>  - 2008-2009 Florian Brosch
>  - 2012 Choe Hwanjin <choe.hwanjin@gmail.com>
>  - 2013 Cable Television Laboratories, Inc.
>  - 2014 Jens Georg <mail@jensge.org>
>  - 2014 Atlantic PuffinPack AB.
>  - 2017 Samuel CUELLA]
>  - Intel Corporation copyright should be extended to 2013
>  - Jens Georg copyright should be extended to 2016
> I may have missed others but that should be about it.

Thanks for listing those, I had a look and I think your list looks good, I updated it in 0.36.2-2

> Opened question:
> - tests are ran during package build, do we want autopkgtests (unsure if those are just unit tests or not, but it would maybe prevent at least vala regression)?

The test just exercice the code indeed, no integration test, so not really useful as autopkgtest by themself. You have a good point about vala though, let's have a look at adding them then.

> - the doc is in the -dev package. That's ok with me, weird to have different standards considering debian maintainer is the same than the other packages though.

Right, a bit weird but probably not worth pushing for that change.

> I think there is a bunch of work to be done before going to another review or give a conditional +1 on that one. I'll defer also to the security team once the package is a little bit more ready from the pure MIR perspective.

Security team has been adding the review to their backlog but they would prefer for the MIR team to state that it's likely to be ok from a MIR perspective before starting, hopfully with the uploaded tweaks and the replies we are good for bouncing to them while we sort out the multiarch/pkgconfig & autopkgtest questions?

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-12-04:

#4

This bug was fixed in the package rygel - 0.36.2-2

---------------
rygel (0.36.2-2) unstable; urgency=medium

  * Some tweaks following the Ubuntu MIR reviews (lp: #1786489)
  * debian/copyright: updated the list of copyright owners
  * debian/rygel.triggers: use noawait triggers

-- Sebastien Bacher <email address hidden> Mon, 03 Dec 2018 16:36:28 +0100

Changed in rygel (Ubuntu):
status:	New → Fix Released

Jeremy Bícha (jbicha) on 2018-12-04

Changed in rygel (Ubuntu):
status:	Fix Released → New

Sebastien Bacher (seb128) on 2018-12-05

description:

updated

Revision history for this message

Didier Roche-Tolomelli (didrocks) wrote on 2018-12-07:

#5

Ok, so to sum up, remaining work to do:
- Add multi-arch to the libs
- (optional) Run as autopkgtests to ensure vala doesn't break this build

Once the above is addressed (multi-arch), +1 from the MIR team.
I think the security team can start right now reviewing this package and the rdepends.

Didier Roche-Tolomelli (didrocks) on 2019-02-12

Changed in rygel (Ubuntu):
assignee:	Didier Roche (didrocks) → nobody

Revision history for this message

Sebastien Bacher (seb128) wrote on 2019-03-05:

#6

The multi-arching is done now (and synced to disco)

We discussed the autopkgtest rebuild thing on IRC and decided that it was probably best serve to have vala itself including the rebuild of some packages in its tests, and then use a ppa to test rebuild things with new versions before upload

Changed in rygel (Ubuntu):
assignee:	nobody → Ubuntu Security Team (ubuntu-security)

Revision history for this message

Chris Coulson (chrisccoulson) wrote on 2019-08-14:

#7

Download full text (8.8 KiB)

I reviewed rygel 0.36.2-5ubuntu1 as checked in to eoan. This isn't a full security audit, but rather a quick gauge of maintainability.

- rygel is a UPnP AV media server, allowing audio and video to be shared with other devices. It can also operate as a media renderer which can be controlled by UPnP controllers.
- rygel is part of the GNOME project.
- rygel is written in vala.
- The website claims it us under active development, but activity seems to have slowed somewhat this year - since February, the only git commits are mostly translation updates and what look like minor build / bug fixes.
- Of the 118 issues currently open in gitlab, many of them appear to have been originally imported from Bugzilla and haven't had much activity since the migration.
- No CVEs in our database.
- Build dependencies in main, except for:
  - libgssdp-1.2-dev (bug 1799977)
  - libgupnp-1.2-dev, libgupnp-av-1.0-dev, libgupnp-dlna-2.0-dev (bug 1799974)
  - valac (this doesn't create any binary package dependencies)
- The rygel binary package recommends gstreamer1.0-plugins-ugly, which is in universe.

- I ran coverity, although this mostly highlights problems in C code that is auto-generated by valac.
- Coverity shows up quite a few unreachable code issues, like this one in rygel_base_configuration_real_get_interface:
...
    g_propagate_error (error, _inner_error0_);
    return NULL;
    return result;
}

And also rygel_basic_management_test_real_run_co:
...
    }
    g_object_unref (_data_->_async_result);
    return FALSE;
    g_task_return_pointer (_data_->_async_result, _data_, NULL);
    if (_data_->_state_ != 0) {
        while (!_data_->_task_complete_) {
...

These look like vala bugs.

- There's a fd leak in rygel_energy_management_get_mac_and_network_type if fd == 0. I'm not sure if this is a real issue - it's only possible to hit this condition if stdin is closed.
- Coverity catches what looks like an obvious null deref here in rygel_ruih_service_manager_real_constructed in the second call to block1_data_unref:
...
        if (G_UNLIKELY (_inner_error0_ != NULL)) {
            _g_object_unref0 (config_dir_file);
            block1_data_unref (_data1_);
            _data1_ = NULL;
            if (_inner_error0_->domain == RYGEL_RUIH_SERVICE_ERROR) {
                goto __catch2_rygel_ruih_service_error;
            }
            if (_inner_error0_->domain == G_IO_ERROR) {
                goto __catch2_g_io_error;
            }
            _g_object_unref0 (config_dir_file);
            block1_data_unref (_data1_);
            _data1_ = NULL;
            _g_free0 (ui_listing_directory);
            g_critical ("file %s: line %d: unexpected error: %s (%s, %d)", __FILE__, __LINE__, _inner_error0_->message, g_quark_to_string (_inner_error0_->domain), _inner_error0_->code);
            g_clear_error (&_inner_error0_);
            return;
        }
...

I'm not sure if this is actually a vala bug though.

- Rygel.SimpleDataSource.run uses lseek without checking the return value.
- The uint.clamp() call in Rygel.External.Container constuctor generates C code that does a negative unsigned compare. Would "uint.min(child_count, int.MAX)" be more appropriate th...

I reviewed rygel 0.36.2-5ubuntu1 as checked in to eoan. This isn't a full security audit, but rather a quick gauge of maintainability.

- rygel is a UPnP AV media server, allowing audio and video to be shared with other devices. It can also operate as a media renderer which can be controlled by UPnP controllers.
- rygel is part of the GNOME project.
- rygel is written in vala.
- The website claims it us under active development, but activity seems to have slowed somewhat this year - since February, the only git commits are mostly translation updates and what look like minor build / bug fixes.
- Of the 118 issues currently open in gitlab, many of them appear to have been originally imported from Bugzilla and haven't had much activity since the migration.
- No CVEs in our database.
- Build dependencies in main, except for:
  - libgssdp-1.2-dev (bug 1799977)
  - libgupnp-1.2-dev, libgupnp-av-1.0-dev, libgupnp-dlna-2.0-dev (bug 1799974)
  - valac (this doesn't create any binary package dependencies)
- The rygel binary package recommends gstreamer1.0-plugins-ugly, which is in universe.

- I ran coverity, although this mostly highlights problems in C code that is auto-generated by valac.
- Coverity shows up quite a few unreachable code issues, like this one in rygel_base_configuration_real_get_interface:
...
    g_propagate_error (error, _inner_error0_);
    return NULL;
    return result;
}

And also rygel_basic_management_test_real_run_co:
...
    }
    g_object_unref (_data_->_async_result);
    return FALSE;
    g_task_return_pointer (_data_->_async_result, _data_, NULL);
    if (_data_->_state_ != 0) {
        while (!_data_->_task_complete_) {
...

These look like vala bugs.

- There's a fd leak in rygel_energy_management_get_mac_and_network_type if fd == 0. I'm not sure if this is a real issue - it's only possible to hit this condition if stdin is closed.
- Coverity catches what looks like an obvious null deref here in rygel_ruih_service_manager_real_constructed in the second call to block1_data_unref:
...
        if (G_UNLIKELY (_inner_error0_ != NULL)) {
            _g_object_unref0 (config_dir_file);
            block1_data_unref (_data1_);
            _data1_ = NULL;
            if (_inner_error0_->domain == RYGEL_RUIH_SERVICE_ERROR) {
                goto __catch2_rygel_ruih_service_error;
            }
            if (_inner_error0_->domain == G_IO_ERROR) {
                goto __catch2_g_io_error;
            }
            _g_object_unref0 (config_dir_file);
            block1_data_unref (_data1_);
            _data1_ = NULL;
            _g_free0 (ui_listing_directory);
            g_critical ("file %s: line %d: unexpected error: %s (%s, %d)", __FILE__, __LINE__, _inner_error0_->message, g_quark_to_string (_inner_error0_->domain), _inner_error0_->code);
            g_clear_error (&_inner_error0_);
            return;
        }
...

I'm not sure if this is actually a vala bug though.

- Rygel.SimpleDataSource.run uses lseek without checking the return value.
- The uint.clamp() call in Rygel.External.Container constuctor generates C code that does a negative unsigned compare. Would "uint.min(child_count, int.MAX)" be more appropriate than "child_count.clamp(0, int.MAX)" ?
- Rygel.MediaExport.DVDContainer.constructed parses XML with options that are vulnerable to External Entity injection, specifically Xml.ParserOptions.NOENT. See https://cwe.mitre.org/data/definitions/611.html for more context.
  - Use of Xml.ParserOptions.RECOVER also triggers another defect in coverity. These issues may be repeated in other locations.
- Rygel.Tracker.Titles.create_title_for_value performs a negative unsigned compare when checking the result of get_char_validated, and produces C code that always evaluates false and could be optimised away. "if (unlikely (c == -2)) {" (which I think would expand to the C code "if (G_UNLIKELY (c == ((gunichar) -2))) {") might be more correct.

- Most of the code is written in vala, which compiles to intermediate C code and handles memory management (eg freeing and checking whether allocations are successful) transparently, as long as the memory management GIR annotations are correct. Memory management is performed via glib + gobject APIs (g_new0, g_object_new, g_string_new etc).
- Works with files, using glib's GFile API's (at least, in the gst media engine and media-export plugin).
- Limited logging using g_debug (not logged by default) and g_message, which go to the user's journal. There doesn't appear to be anything sensitive logged.
- Allows environment variables to override configuration file options.
- No privileged code.
- Doesn't use temporary files.
- No privileged commands.
- No webkit.
- Processes local media files using gstreamer.
- Build logs look ok - just one compiler warning in the build:

CDPATH="${ZSH_VERSION+.}:" && cd . && /usr/bin/valac -H rygel-renderer-gst.h --library=rygel-renderer-gst-2.6 --gir=Rygel-2.6.gir --enable-experimental --pkg gupnp-1.2 --pkg gee-0.8 --pkg gupnp-av-1.0 --pkg gstreamer-1.0 --pkg gstreamer-audio-1.0 --vapidir=/<<PKGBUILDDIR>>/src/librygel-renderer --pkg rygel-renderer-2.6 --vapidir=/<<PKGBUILDDIR>>/src/librygel-core --pkg rygel-core-2.6 --vapidir=/<<PKGBUILDDIR>>/src/librygel-core --pkg rygel-build-config    --enable-deprecated --target-glib=2.40  -C rygel-playbin-player.vala rygel-playbin-renderer.vala
rygel-playbin-player.vala:33.1-33.44: warning: Namespace Playbin does not have a GIR namespace and version annotation
public errordomain Rygel.Playbin.PlayerError {
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Compilation succeeded - 1 warning(s)

- Lintian clean, except for one warning (missing manpage for rygel-preferences).
- Ships a configuration files in /etc/rygel.conf, which can be overridden by a per-user config. A summary of some of the configuration options:
  - The network interface isn't hardcoded (which I think means that rygel publishes on all interfaces).
  - The port that the HTTP server(s) run on is allocated dynamically.
  - The log level is set to a sane value.
  - Uploading and deletion of media files is disabled.
  - Both the media-export and tracker media-server plugins are enabled in /etc/rygel.conf, although only one can be used at a time. When you use the sharing panel in gnome-control-center to enable media sharing, it copies /etc/rygel.conf to ~/.config/rygel.conf and disables the tracker plugin.
  - The media-export plugin is configured to export from ~/Music, ~/Pictures and ~/Videos by default.
  - The playbin media renderer is enabled.
- No systemd system services
- There is a systemd user service, although it's not started by default as part of the user session (gnome-settings-daemon asks systemd to start and stop it as required, depending on the configuration).
- There is a dbus service.
- No setuid binaries.
- No fs capabilities.
- No privileged commands.
- No sudo fragments.
- No udev rules.
- No cron jobs.
- There are some tests that run in the build (and currently pass).
- The media-export plugin uses sqlite for caching. It makes use of prepared statements, although in some cases (eg, Rygel.MediaExport.MediaCache.get_children), the prepared statement comes from a printf style formatter. The parameters to this are derived from a string which is provided by client devices (sort criteria - a comma separated list of columns to sort on) and looks to be filtered and validated sufficiently to be safe. The individual values are filtered in Rygel.MediaQueryAction.validate_sort_criteria and then each value is mapped to a column name in Rygel.MediaExport.MediaCache.map_operand_to_column, with that function returning an error if any value doesn't map to a column.
- It exports a HTTP server, the availability of which is advertised via SSDP. Most of the HTTP networking code is implemented in gupnp, for which there is a separate MIR. Rygel implements 2 UPnP devices (media server and media renderer) which are described by XML served over HTTP, and which contain a set of service descriptions. Rygel uses the gupnp API to implement handlers for actions described by those services.
  - It does create an additional HTTP endpoint via the gupnp API for streaming media files and their metadata. Resources are identified by what looks like an encoded MD5 hash of the file paths, and those map to MediaObject instances via a database lookup.
- Spawns subproceses for the purpose of extracting metadata from media files (from the media-export plugin). Rygel is using glib's GSubprocessLauncher for this, which does extra things like set the O_CLOEXEC flag on fds that aren't explicitly requested to be passed to the child process.
  - There doesn't appear to be any effort to sandbox or limit the privileges of the metadata extractor process in any way.

Security team ACK for promoting rygel to main, as long as gstreamer1.0-plugins-ugly is dropped from recommends and somebody looks at the issue with the XML parser options to see if there's a real bug there.

Changed in rygel (Ubuntu):
assignee:	Ubuntu Security Team (ubuntu-security) → nobody

Revision history for this message

Jens Georg (yg-jensge) wrote on 2019-08-14:

#8

Are you going to file upstream tickets for the relevant findings?

Revision history for this message

Sebastien Bacher (seb128) wrote on 2019-08-14:

#9

@Jens, yes I plan to do that (thanks for keeping an eye on launchpad btw ;-)

Revision history for this message

Mathieu Trudel-Lapierre (cyphermox) wrote on 2019-08-20:

#10

Current state appears to be that Desktop Team should look into the Recommends (gstreamer plugins-ugly), and someone have a review of the XML parser options (as pointed out in the security review, specifically for NOENT and RECOVER... maybe NONET should be added?).

Changed in rygel (Ubuntu):
assignee:	nobody → Ubuntu Desktop (ubuntu-desktop)

Revision history for this message

Jens Georg (yg-jensge) wrote on 2019-08-20:

#11

Actually I completely mis-understood NOENT - it does the exact opposite of what I thought it does ...

Revision history for this message

Sebastien Bacher (seb128) wrote on 2019-08-22:

#12

The Rygel recommends on gst-plugins-ugly has been lowered to a suggest, the review problems have been upstreamed and upstream acked the NOENT issue here. Sending back to the MIR team, we will backport the NOENT fix but otherwise I think it should be good to be acked on the MIR side now

Changed in rygel (Ubuntu):
assignee:	Ubuntu Desktop (ubuntu-desktop) → nobody

Revision history for this message

Didier Roche-Tolomelli (didrocks) wrote on 2019-08-28:

#13

Now that all remarks have been addressed, I'm happy to give an official +1 from the MIR team side.

Changed in rygel (Ubuntu):
status:	New → Triaged

Didier Roche-Tolomelli (didrocks) on 2019-08-28

Changed in rygel (Ubuntu):
status:	Triaged → In Progress

Revision history for this message

Matthias Klose (doko) wrote on 2019-08-28:

#14

see https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
rygel tries to pull in 30+ other packages into main.

Revision history for this message

Sebastien Bacher (seb128) wrote on 2019-08-29:

#15

Sorry, it was a leftover recommends on gstreamer libav, downgraded to a suggests now

Revision history for this message

Didier Roche-Tolomelli (didrocks) wrote on 2019-09-11:

#16

+1 on the MIR side

Changed in rygel (Ubuntu):
status:	In Progress → Fix Committed

Sebastien Bacher (seb128) on 2019-09-16

Changed in rygel (Ubuntu):
status:	Fix Committed → Fix Released

Ubuntu
rygel package

[MIR] rygel

Bug Description

Other bug subscribers

Remote bug watches

Ubunturygel package

[MIR] rygel

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
rygel package