Ubuntu
libiscsi package

[MIR] libiscsi

Bug #1271653 reported by Alexander List
18
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libiscsi (Ubuntu)
Fix Released
Medium
Unassigned
Ubuntu ubuntu-16.04
qemu (Ubuntu)
Fix Released
Medium
James Page

Bug Description

Checking against https://wiki.ubuntu.com/UbuntuMainInclusionRequirements:

1: libiscsi is already available in universe: https://launchpad.net/ubuntu/+source/libiscsi
=====

2: Rationale:
=====
a) iSCSI has become the de-facto standard for connecting infrastructure servers to SAN/NAS storage
b) qemu, which is already in main, depends on libiscsi for iscsi support:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1271573

3: Security
=====
a) no entries found in CVE database
b) no entries found in Secunia database
c) no entries found in Ubuntu CVE tracker
d) executable security:

NO executables which have the suid or sgid bit set.
NO executables in /sbin, /usr/sbin.
NO packages which install daemons (/etc/init.d/*)
NO packages which open privileged ports (ports < 1024).
NO add-ons and plugins to security-sensitive software (filters, scanners, UI skins, etc)

4: QA
=====

a) no configuration required - installs shared library and supporting tools for inquiring iSCSI portals and targets

b) no debconf questions

c) no long-term outstanding important bugs

d)
Debian PTS: http://packages.qa.debian.org/libi/libiscsi.html
* 4 lintian warning about missing manpages for 2 binaries in the support tools
* 2 buildd log warnings
* 1 bug that a newer upstream version is available

Ubuntu
https://bugs.launchpad.net/ubuntu/+source/libiscsi/+bugs
* 1 NEW bug complaining that libiscsi doesn't work with multipath on EMC

Upstream:
* no open bugs: https://github.com/sahlberg/libiscsi/issues?page=1&state=open

e) Maintenance in Debian/Ubuntu is acceptable. However, several newer upstream releases are available: https://sites.google.com/site/libiscsitarballs/libiscsitarballs/
--> this needs to be fixed in Debian. Upstream development is very active.

f) no exotic hardware

g) test-tool is available, but not run during build because it requires a running iSCSI portal / target, which cannot be expected to be available on a build server

h) debian/watch does *not* exist, but debian/copyright contains a link to github
--> this needs to be fixed in Debian

5.) UI standards: n/a
=====

6.) Dependencies:
=====

* shared library has no external dependencies except for libc6, and only build-deps on debhelper and libpopt-dev which are already in main
* binaries depend on the shared library libiscsi1 which is created out of this source package, and libpopt0, which is already in main

7.) Standards compliance
=====
No issues found except for missing man pages for the support tools and some minor buildd warnings, already mentioned in 4d)

8.) Maintenance
=====

Debian maintenance seems to be OK, so syncing should be enough.

9.) Background info
=====

See 2.) Rationale

Revision history for this message
Alexander List (alexlist) wrote :

Additional reasoning:

http://manpages.ubuntu.com/manpages/trusty/man1/qemu.1.html mentions iSCSI support, main inclusion of libiscsi is the only blocker for qemu to support iSCSI natively (without going via the OS)

Revision history for this message
Alexander List (alexlist) wrote :

Upstream versioning discussion:

https://groups.google.com/forum/#!topic/libiscsi/94cGuTbctzA

--> DM waits for libiscsi > 1.10 to address these before updating the package in Debian unstable

Revision history for this message
Michael Terry (mterry) wrote :

I am not super impressed with code quality. Things like:

lib/md5.c:130:23: warning: argument to 'sizeof' in 'memset' call is the same expression as the destination; did you mean to dereference it? [-Wsizeof-pointer-memaccess]
  memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */

And plenty of:

lib/pdu.c:239:2: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
  ttt = ntohl(*(uint32_t *)&in->hdr[20]);

As for tests, is there a way we could run them as a dep8 test, and run a local server during it?

Changed in libiscsi (Ubuntu):
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for libiscsi (Ubuntu) because there has been no activity for 60 days.]

Changed in libiscsi (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Jesse Keating (jesse-keating) wrote :

Upstream libiscsi has had numerous releases since this was last looked at. Would the devs be willing to take another look at including this?

Revision history for this message
Michael Terry (mterry) wrote :

This is much better these days. No compiler warnings and seemingly more active Debian maintainership.

- Needs a team bug subscriber for Ubuntu (some team that promises to look after this).
- I'd still like to see a running test suite. It has that test-tool directory, but that's designed for testing a real iSCSI target, not for testing the library. But not a blocker, since upstream doesn't have anything here.
- Good packaging nowadays. Symbols, no delta, dh9 conventions, etc.

So once there is a team bug subscriber in Ubuntu, this is fine from my (packaging) side.

However, since this is a network protocol library, I figure it makes sense for security team to weigh in on this too. Assigning to them.

Note that this is also late in the game for wily. May be good for 16.04 though.

Changed in libiscsi (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
status: Expired → New
James Page (james-page)
Changed in libiscsi (Ubuntu):
milestone: none → ubuntu-16.04
importance: Undecided → Medium
Revision history for this message
James Page (james-page) wrote :

+1 on including this in main for 16.04 and enabling in qemu; libiscsi support has been in OpenStack for some time now so having support in distro for it makes sense (and helps support upstream gating for this feature).

Revision history for this message
James Page (james-page) wrote :

Added ubuntu-server and ubuntu-openstack teams for bugs...

Revision history for this message
Seth Arnold (seth-arnold) wrote :

I reviewed libiscsi version 1.12.0-2 as checked into xenial. This
shouldn't be considered a full security audit but rather a quick gauge of
maintainability.

- libiscsi provides user-space iscsi initiator support so applications can
  use iscsi targets without needing privileged access to the host.
- Build-Depends: debhelper, dh-autoreconf, libcunit1-dev
- Only does CHAP, MD5 cryptography
- Extensive networking support
- Does not itself daemonize
- Does not itself listen on the network
- No pre/post inst/rm
- No initscripts
- No dbus services
- No setuid executables
- iscsi-test-cu, iscsi-ls, iscsi-swp, iscsi-inq, iscsi-readcapacity16
  executables in path
- No sudo fragments
- No udev rules
- iscsi-test-cu looks like an incredible test suite, if it functions as
  advertised
- No cron jobs
- Clean build logs

- No subprocesses spawned
- Very careful memory management, nice per-scsi-task abstraction layer
- No file IO
- Extensive error logging, spot checks all looked careful
- Several environment variables are used:
  LD_ISCSI_GET_LBA_STATUS
  LD_ISCSI_DEBUG (not-packaged ld_iscsi.so)
  LIBISCSI_DEBUG
  LIBISCSI_TCP_USER_TIMEOUT
  LIBISCSI_TCP_KEEPCNT
  LIBISCSI_TCP_KEEPINTVL
  LIBISCSI_TCP_KEEPIDLE
  LIBISCSI_TCP_SYNCNT
  LIBISCSI_BIND_INTERFACES
  LIBISCSI_CHAP_USERNAME
  LIBISCSI_CHAP_PASSWORD
  Results were typically handed to atoi(3) and then used to set settings;
  maybe strtoul(3) would be more robust but this is fine
- No privileged operations
- Essentially no cryptography -- CHAP barely counts. Use this on trusted
  networks or over IPsec. (Trusted networks is the expected use, this
  isn't unreasonable.)
- Extensive networking; spot checks on networking syscalls all looked
  careful
- No portions of code looked more privileged than others
- No temporary file handling
- Does not use WebKit
- Clean cppcheck
- Clean shellcheck
- No PolicyKit

libiscsi looks professionally programmed; SCSI and TCP/IP aren't exactly
easy things but the design of this package looks careful and thoughtful. I
haven't inspected the SCSI state machine in any way but the methods I
inspected all looked like they inspected preconditions and logged
violations, all pieces feel like logical separations of concerns and
designed for testing.

The iscsi-test-cu test suite looks incredible if true. No tests are run
during the build but it would be difficult to test these functions deeply
during build.

The only bug I found is a series of slightly misleading error messages:

- lib/login.c has instances of 'aprintf failed' error strings but the
  memory allocation is stack-based buffers, and the failed function is
  snprintf().

ld_iscsi looks like a _very_ cute hack -- pity it is too immature to
enable it but I love the idea. (I did not review its code because it's
clearly labeled not-yet-ready for use.)

Security team ACK for promoting libiscsi to main. Please keep an eye on
ld_iscsi in future syncs with Debian to ensure it doesn't get released
before it is ready.

Thanks

Changed in libiscsi (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Michael Terry (mterry)
Changed in libiscsi (Ubuntu):
status: New → Fix Committed
Revision history for this message
Matthias Klose (doko) wrote :

Override component to main
libiscsi 1.12.0-2 in xenial: universe/net -> main
libiscsi-bin 1.12.0-2 in xenial amd64: universe/net/optional/100% -> main
libiscsi-bin 1.12.0-2 in xenial arm64: universe/net/optional/100% -> main
libiscsi-bin 1.12.0-2 in xenial armhf: universe/net/optional/100% -> main
libiscsi-bin 1.12.0-2 in xenial i386: universe/net/optional/100% -> main
libiscsi-bin 1.12.0-2 in xenial powerpc: universe/net/optional/100% -> main
libiscsi-bin 1.12.0-2 in xenial ppc64el: universe/net/optional/100% -> main
libiscsi-bin 1.12.0-2 in xenial s390x: universe/net/optional/100% -> main
libiscsi-dev 1.12.0-2 in xenial amd64: universe/libdevel/optional/100% -> main
libiscsi-dev 1.12.0-2 in xenial arm64: universe/libdevel/optional/100% -> main
libiscsi-dev 1.12.0-2 in xenial armhf: universe/libdevel/optional/100% -> main
libiscsi-dev 1.12.0-2 in xenial i386: universe/libdevel/optional/100% -> main
libiscsi-dev 1.12.0-2 in xenial powerpc: universe/libdevel/optional/100% -> main
libiscsi-dev 1.12.0-2 in xenial ppc64el: universe/libdevel/optional/100% -> main
libiscsi-dev 1.12.0-2 in xenial s390x: universe/libdevel/optional/100% -> main
libiscsi2 1.12.0-2 in xenial amd64: universe/libs/optional/100% -> main
libiscsi2 1.12.0-2 in xenial arm64: universe/libs/optional/100% -> main
libiscsi2 1.12.0-2 in xenial armhf: universe/libs/optional/100% -> main
libiscsi2 1.12.0-2 in xenial i386: universe/libs/optional/100% -> main
libiscsi2 1.12.0-2 in xenial powerpc: universe/libs/optional/100% -> main
libiscsi2 1.12.0-2 in xenial ppc64el: universe/libs/optional/100% -> main
libiscsi2 1.12.0-2 in xenial s390x: universe/libs/optional/100% -> main
22 publications overridden.

Changed in libiscsi (Ubuntu):
status: Fix Committed → Fix Released
James Page (james-page)
Changed in qemu (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → James Page (james-page)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:2.5+dfsg-5ubuntu4

---------------
qemu (1:2.5+dfsg-5ubuntu4) xenial; urgency=medium

  * d/control{-in}: Re-generate and build with libiscsi-dev now
    that its in Ubuntu main (LP: #1271653).

 -- James Page <email address hidden> Wed, 24 Feb 2016 17:59:13 +0000

Changed in qemu (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.