I reviewed xdg-desktop-portal-gtk version 0.11-1 as checked into cosmic.
This isn't a full security audit but rather a quick gauge of
maintainability.
xdg-desktop-portal-gtk is a "backend" for the portal system to try to make
Linux namespacing more ergonomic. It provides dialogs that serve dual
purposes: the standard file-pickers, etc., while simultaneously serving as
unobtrusive access control tools. (Aka "powerbox".)
- No CVE history
- xdg-desktop-portal-gtk is the user-facing portion of the portals
toolkit; sandboxed applications will use xdg-desktop-portal to call
into this package or other similar ones for different environments,
users will make access control decisions, and the results will be
passed back into the sandboxed applications.
All the interactions are handled over dbus.
- Build-Depends: dbus, debhelper, libdbus-1-dev, libglib2.0-dev,
libgtk-3-dev, xdg-desktop-portal-dev, xmlto
- Does not itself do networking
- No pre/post inst/rm scripts
- No init scripts
- systemd user unit file to start
/usr/lib/xdg-desktop-portal/xdg-desktop-portal-gtk on the dbus service
org.freedesktop.impl.portal.desktop.gtk
- No setuid files
- No binaries in PATH
- No sudo fragments
- No udev rules
- No test suite
- No cron jobs
- Build logs have some errors
- subprocesses are spawned. The launch_preview() function looks unsafe and
may need a CVE. The mail compose methods probably allow a malicious
file to exfiltrate data off the system if the operator isn't paying
close attention.
- memory management looked careful
- logging looked careful
- sets GIO_USE_VFS environment variable
- No cryptography
- Does not itself do networking, gnome vfs might
- Privileged vs unprivileged portions of code are difficult to untangle
via casual inspection; I believe this entire package is privileged, but
I'm not sure if filenames, inputs, etc., are therefore completely
trusted or completely untrusted or somewhere in the middle.
- No temporary files
- No WebKit
- No PolKit
Here are some of the messy logs:
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
/usr/include/glib-2.0/glib/gmem.h:124:8: warning: mutter_session_proxy may be used uninitialized in this function [-Wmaybe-uninitialized]
src/remotedesktopdialog.c:148:16: warning: device_type_name may be used uninitialized in this function [-Wmaybe-uninitialized]
dh_install: Please use dh_missing --list-missing/--fail-missing instead
E: Lintian run failed (policy violation)
Lintian: fail
- image_button_clicked() does image previews
- compose_mail_thunderbird() and compose_mail_evolution() would probably
allow attaching arbitrary files via malicious addresses -- are the
addresses shown specifically to the user to confirm them first? The
thunderbird variant may also allow the same attack via subject and
body text.
- launch_preview() appears to use unsafe string-based execution with
user-supplied content rather than safe array-based execution.
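As an added illustration (not code from xdg-desktop-portal-gtk, which is C/GLib), this Python script contrasts the two launch shapes the bullet above distinguishes, using constructed filenames and printf standing in for the previewer; in GLib terms the shapes correspond to g_spawn_command_line_async() (one string handed to a shell-style lexer) and g_spawn_async() (an argv vector), and which one the project actually calls is not stated here.

```python
"""String-based vs array-based launch, as flagged for launch_preview().

Constructed example: the 'previewer' is stood in by printf, which echoes each
argument it receives on its own line, so the return value shows how many
arguments the child really got. Requires /bin/sh and printf (any Linux box).
"""
import shlex
import subprocess
from typing import List

# Stand-in previewer: prints one line per argv element it receives.
PREVIEWER = "printf '%s\\n'"


def launch_preview_string(path: str) -> List[str]:
    """Unsafe shape: the filename is spliced into a single command string that
    a shell re-parses. Whitespace changes the argument boundaries, an odd quote
    aborts the command, and shell metacharacters would be interpreted."""
    command = f"{PREVIEWER} {path}"
    out = subprocess.run(command, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()  # one line per argument the child saw


def launch_preview_argv(path: str) -> List[str]:
    """Safe shape: argv is built as a list, so the filename reaches the child
    as exactly one argument whatever characters it contains."""
    argv = shlex.split(PREVIEWER) + [path]
    out = subprocess.run(argv, capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    for name in ("my holiday photo.png", "it's here.png"):  # constructed names
        print(f"{name!r}: string form -> {launch_preview_string(name)}, "
              f"argv form -> {launch_preview_argv(name)}")
```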
A trusted helper tool like this is probably going to be an important
part of Linux safety and security in the future. I'm worried that this
implementation relies upon dbus, which is not particularly simple, and
provides ready access to a wide array of extremely "porous" targets --
mail user agents, evince, thumbnailing, etc., and appears to have made
some classic security programming mistakes itself.
These tools need more review by more reviewers.
Security team ACK for promoting xdg-desktop-portal-gtk to main for Cosmic,
but not yet for Bionic or previous LTS releases.
- supports: file chooser, app chooser, print, screenshot, notification,
inhibit, access, account, email, screen cast, remote desktop
Thanks