[MIR] spice-vdagent

Bug #1200296 reported by Christophe Fergeau
This bug affects 2 people
Affects                 Status        Importance  Assigned to     Milestone
spice-vdagent (Ubuntu)  Fix Released  Wishlist    Andy Whitcroft
ubuntu-meta (Ubuntu)    Fix Released  Wishlist    Unassigned

Bug Description

Availability
============
Built for all supported architectures.

In sync with Debian except for one cherry-picked patch to hide spice-vdagent from Startup Applications.

Rationale
=========
"spice-vdagent adds some nice features to guest systems running over SPICE: copy and paste between guest and host, arbitrary resolution support, ... It's also very tiny (40kB compressed, less than 200kB installed) and won't startup when not running in a SPICE guest.
Shipping it on the desktop ISOs will improve the user experience when using SPICE (eg in GNOME Boxes), and will have no impact on other use cases, so it would be really nice to add this package to the ISO."

Ubuntu GNOME 16.10 and 17.04 included it in the default install.

Security
========
No known open security vulnerabilities.

https://rhn.redhat.com/errata/RHSA-2013-0924.html (CVE-2013-2152)

Quality assurance
=================
Bug subscriber: Ubuntu Desktop Bugs

https://bugs.launchpad.net/ubuntu/+source/spice-vdagent
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=spice-vdagent
https://bugs.freedesktop.org/buglist.cgi?bug_status=__open__&component=unix%20agent&product=Spice

No tests.

Dependencies
============
check-mir reports all other binary dependencies are in main

Standards compliance
====================
3.9.8

Maintenance
===========
- Actively developed upstream
https://cgit.freedesktop.org/spice/linux/vd_agent/log/
https://anonscm.debian.org/git/collab-maint/spice-vdagent.git

- Maintained in Debian by the same Debian Developer who maintains the other Spice packages.

short dh7 style rules, dh compat 10

Background information
======================
N/A

Christophe Fergeau (teuf-gnome) wrote :

Forgot to add, the ISOs already contain the qxl SPICE driver, so there are already SPICE specific packages in there.

Changed in spice-vdagent (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Jeremy Bícha (jbicha)
Changed in ubuntu-meta (Ubuntu):
importance: Undecided → Wishlist
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-meta (Ubuntu):
status: New → Confirmed
Jeremy Bícha (jbicha)
summary: - Please ship spice-vdagent on the livecd
+ [MIR] spice-vdagent
Jeremy Bícha (jbicha)
description: updated
Mathieu Trudel-Lapierre (cyphermox) wrote :

The package in general looks fine, properly maintained in Debian, and low effort to maintain in Ubuntu; so this part looks fine for the MIR.

However, spice-vdagent is missing a team subscriber; please fix this.

Finally, given the use of spice-vdagent to capture mouse and such, its tight integration with ConsoleKit for session handling, its clipboard capture, and mucking with X, randr, etc., this will require a review by the Security Team.

Changed in ubuntu-meta (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Changed in spice-vdagent (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Mathieu Trudel-Lapierre (cyphermox) wrote :

Please also make sure to update ubuntu-meta / seed; if nothing brings in the package, it won't stay in main.

Jeremy Bícha (jbicha)
description: updated
Didier Roche-Tolomelli (didrocks) wrote :

security team: ping?

Didier Roche-Tolomelli (didrocks) wrote :

Can we have that checked before FF by the security team? Most of the popular distros are shipping it by default and the VM experience is the first one people may get. Would be bad to get Ubuntu showing off not optimized default acceleration/integration in a VM.

Seth Arnold (seth-arnold) wrote :

I reviewed spice-vdagent 0.17.0-1ubuntu1 as checked into zesty. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

spice-vdagent provides some services between virtual machine host and
guests to make the experience less jarring.

One CVE is in our database for the Windows client.

- Build-Depends: debhelper, pkg-config, dh-systemd, libspice-protocol-dev,
  libdbus-1-dev, libx11-dev, libxrandr-dev, libxfixes-dev,
  desktop-file-utils, libxinerama-dev, libpciaccess-dev, autoconf, automake,
  libglib2.0-dev, systemd, libsystemd-dev, libasound2-dev
- Provides a client and server; both daemonize
- pre/post inst/rm scripts automatically generated
- spice-vdagent init script starts the guest daemon, modprobes uinput
- spice-vdagentd and spice-vdagent systemd service files, start their
  daemons
- no dbus services
- No setuid or setgid files
- Two executables in PATH /usr/bin/spice-vdagent and
  /usr/sbin/spice-vdagentd
- No sudo fragments
- One udev rule for virtio-ports
- No test suite
- No cron
- Clean build logs

- Subprocesses spawned using system(), unsafe construction, reported
  upstream
- Memory management looked good enough; some cases of malloc(a*b) but 'b'
  was often 4, 8, maybe 16, and 'a' calculated from data on the wire in a
  fashion that looked difficult to really abuse.
- File IO looked safe except for uses of system()
- Logging looked safe
- No environment variable use
- chmod(socket, 0666) looked out of place
- other privileged ioctl() calls looked fine
- No cryptography
- Does networking; a quick skim looked like all Unix Domain Sockets
- I didn't see privileged portions of the code
- No tmp files
- No WebKit
- No PolicyKit
- Clean cppcheck

Here are some notes I collected while reviewing spice-vdagent:

- vdagent_file_xfers_data() does not escape xfers->save_dir before giving
  it to the shell (CVE-2017-15108 was assigned for this issue)
- vdagent_file_xfers_data() does not check snprintf() return code; a
  too-long xfers->save_dir could cause the & or ' or any number of other
  characters to go missing.
- daemonize() from ./src/vdagentd.c only forks once
- daemonize() from ./src/vdagent.c only forks once
- why does main() in ./src/vdagentd.c set vdagentd_socket to 0666

This symlink looks out of place:

/usr/share/gdm/greeter/autostart/spice-vdagent.desktop -> /etc/xdg/autostart/spice-vdagent.desktop

Please make sure https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61 is included in our package before promoting the package.

Security team ACK for promoting spice-vdagent to main.

Thanks
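
The two notes on vdagent_file_xfers_data() in the review above (save_dir reaching the shell unescaped, and the unchecked snprintf() return code), as an added C example that is not part of the original comment, the spice-vdagent source, or the upstream fix. The names build_cmd, run_argv and dir_exists, and the "open" and "test" commands, are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* snprintf() returns the length it wanted to write, so n >= size means the
 * closing quote and '&' were cut off. Returns 0 on success, -1 on error or
 * truncation. This only detects truncation; it does not escape dir. */
int build_cmd(char *buf, size_t size, const char *prog, const char *dir)
{
    int n = snprintf(buf, size, "%s '%s'&", prog, dir);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* Run argv[0] directly with no shell in between, so quotes, ';' or '&'
 * inside an argument are passed through as plain bytes.
 * Returns the child's exit status, or -1 on failure. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed helper: asks test(1) whether dir is a directory. */
int dir_exists(const char *dir)
{
    char *const argv[] = { "test", "-d", (char *)dir, NULL };
    return run_argv(argv) == 0;
}

int main(void)
{
    char cmd[16];
    printf("fits: %d\n", build_cmd(cmd, sizeof cmd, "open", "/tmp"));
    printf("truncated: %d\n", build_cmd(cmd, sizeof cmd, "open", "/a/very/long/path"));
    printf("literal arg: %d\n", dir_exists("/'; true; '"));
    return 0;
}
```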

Changed in spice-vdagent (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Changed in spice-vdagent (Ubuntu):
status: Confirmed → Fix Committed
Jeremy Bícha (jbicha)
Changed in ubuntu-meta (Ubuntu):
status: Confirmed → Fix Committed
Andy Whitcroft (apw) wrote :

Confirmed that the security fix at the URL below is included in the package as git_cve-2017-15108.patch:

    https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61

Changed in spice-vdagent (Ubuntu):
assignee: nobody → Andy Whitcroft (apw)
Andy Whitcroft (apw) wrote :

Override component to main
spice-vdagent 0.17.0-1ubuntu2 in bionic: universe/x11 -> main
spice-vdagent 0.17.0-1ubuntu2 in bionic amd64: universe/x11/optional/100% -> main
spice-vdagent 0.17.0-1ubuntu2 in bionic arm64: universe/x11/optional/100% -> main
spice-vdagent 0.17.0-1ubuntu2 in bionic armhf: universe/x11/optional/100% -> main
spice-vdagent 0.17.0-1ubuntu2 in bionic i386: universe/x11/optional/100% -> main
spice-vdagent 0.17.0-1ubuntu2 in bionic ppc64el: universe/x11/optional/100% -> main
spice-vdagent 0.17.0-1ubuntu2 in bionic s390x: universe/x11/optional/100% -> main
7 publications overridden.

Changed in spice-vdagent (Ubuntu):
status: Fix Committed → Fix Released
Jeremy Bícha (jbicha) wrote :
Changed in ubuntu-meta (Ubuntu):
status: Fix Committed → Fix Released