I reviewed thunderbolt-tools version 0.9.3-1 as checked into bionic. This shouldn't be considered a full security audit but rather a quick gauge of maintainability.
- No CVEs in our database
- thunderbolt-tools provides a simple interface to authorize thunderbolt devices that are being added to a computer, since thunderbolt devices have immense control over the safety of the system
- Build-Depends: debhelper, libboost-dev, libboost-filesystem-dev, libboost-program-options-dev, cmake, pkg-config, udev, txt2tags
- Does not daemonize; udev hook scripts are used
- No pre/post inst/rm scripts
- No initscript / systemd unit files
- No DBus services
- No setuid files
- /usr/bin/tbtadm added to the PATH
- No sudo fragments
- udev rules -- appear to be configured for works-by-default behaviour, some examples on how to configure for authorization-required would be nice
- No tests, a bit unfortunate
- No cronjobs
- Clean build logs
- No subprocesses spawned
- C++ RAII memory management
- File IO done via RAII-C++ classes, not exactly obvious when it happens
- Some C++ exceptions, some C++ iostream
- No environment variable use
- The only privileged operations are file writes
- No cryptography
- No network connections
- No privileged portions of code
- No temporary files
- No WebKit
- No JavaScript
- No PolicyKit
- Clean cppcheck

thunderbolt-tools is a short and sweet authorization tool. It's written in modern C++, looks careful, and shouldn't be an undue maintenance burden. It uses std::random_device for security uses -- I believe this is safe but direct use of getrandom(2) would not have questions about underlying C++ library implementation choices.

Security team ACK for promoting thunderbolt-tools to main once the extra udev configuration file is sorted out.

Thanks

** Changed in: thunderbolt-tools (Ubuntu)
       Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/1748157

Title:
  [MIR] thunderbolt-tools

Status in thunderbolt-tools package in Ubuntu:
  Confirmed

Bug description:
  == Overview ==

  Intel Thunderbolt userspace components provide components for using Intel Thunderbolt controllers with security level features.

  Thunderbolt™ technology is a transformational high-speed, dual protocol I/O that provides unmatched performance with up to 40Gbps bi-directional transfer speeds. It provides flexibility and simplicity by supporting both data (PCIe, USB3.1) and video (DisplayPort) on a single cable connection that can daisy-chain up to six devices.

  [ See https://github.com/intel/thunderbolt-software-user-space ]

  == Answers to UbuntuMainInclusionRequirements ==

  = Requirements =

  1. Availability
     Package is in universe: https://launchpad.net/ubuntu/+source/thunderbolt-tools

  2. Rationale
     Package is a device enabler for users with Thunderbolt technology

  3. Security:
     No security issues exposed so far. However, the tools have only been in Ubuntu since 2017-12-09, so this currently is less than the 90 days threshold.

  4. Quality assurance:
     * Manual is provided
     * No debconf questions higher than medium
     * No major outstanding bugs. I'm also helping Intel fix issues that I'm finding with static analysis tools such as scan-build, cppcheck and CoverityScan
       Bugs outstanding:
       #883857 please backport for stretch-backports
       #882525 thunderbolt-tools: FTBFS on kFreeBSD: _ZN5boost6system15system_categoryEv undefined - I can fix this, but it makes no sense to run on kFreeBSD
     * Exotic Hardware: Only Thunderbolt supported H/W is required, this is an industry standard and the support for the tools is in the 4.13+ kernels
     * No Test Suite shipped with the package
     * Does not rely on obsolete or demoted packages

  5. UI standards:
     * This is a CLI tool. Tool has normal CLI style short help and man pages
     * No desktop file required as it is a CLI tool.

  6. Binary Dependencies:
     libboost-dev (main)
     libboost-filesystem-dev (main)
     libboost-program-options-dev (main)
     udev (main)

  7. Standards compliance:
     lintian clean and meets the FHS + Debian Policy standards to the best of my knowledge

  8. Maintenance
     * Package owning team: The Ubuntu Kernel Team
     * Debian package maintained by Colin Ian King (myself from the Kernel Team)

  9. Background Information
     The user-space components implement device approval support:
     a. Easier interaction with the kernel module for approving connected devices.
     b. ACL for auto-approving devices white-listed by the user.

     Tools provided by this package:
     tbtacl - triggered by udev (see the udev rules in tbtacl.rules). It auto-approves devices that are found in ACL.
     tbtadm - user-facing CLI tool. It provides operations for device approval, handling the ACL and more.

     The user-space components operate in coordination with the upstream Thunderbolt kernel driver (found in v4.13) to provide the Thunderbolt functionalities. These components are NOT compatible with the old out-of-tree Thunderbolt kernel module.

  = Security checks =

  http://cve.mitre.org/cve/cve.html: Search in the National Vulnerability Database using the package as a keyword
  * No CVEs found

  http://secunia.com/advisories/search/: search for the package as a keyword
  * No security advisories found

  Ubuntu CVE Tracker
  http://people.ubuntu.com/~ubuntu-security/cve/main.html
  * No
  http://people.ubuntu.com/~ubuntu-security/cve/universe.html
  * No
  http://people.ubuntu.com/~ubuntu-security/cve/partner.html
  * No

  Check for security relevant binaries. If any are present, this requires a more in-depth security review.

  Executables which have the suid or sgid bit set.
  * Not applicable

  Executables in /sbin, /usr/sbin.
  * None in these paths

  Packages which install daemons (/etc/init.d/*)
  * No

  Packages which open privileged ports (ports < 1024).
  * No

  Add-ons and plugins to security-sensitive software (filters, scanners, UI skins, etc)
  * This does exec tbtacl from udev with new udev rules, so this needs security checking
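The reviewer's remark about preferring getrandom(2) over std::random_device, worked through as an added example that is not thunderbolt-tools code: a getrandom(2) wrapper that handles EINTR and short reads, used to produce a hex-encoded device key. The 32-byte key size (64 hex characters) and the function names are assumptions of this example, not something the bug report states.

```c
/* Added example (not thunderbolt-tools code): draw key material directly from
 * getrandom(2), sidestepping questions about std::random_device's backing. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

/* Fill buf[0..len) from the kernel CSPRNG; 0 on success, -1 on error. A bare
 * getrandom() call gets two cases wrong: EINTR and short reads (len > 256). */
static int fill_random(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;   /* interrupted by a signal: retry */
            return -1;      /* e.g. ENOSYS on a kernel without getrandom */
        }
        got += (size_t)n;
    }
    return 0;
}

/* Hex-encode len bytes into out (needs 2*len+1 bytes); returns out. */
static char *to_hex(const unsigned char *in, size_t len, char *out)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return out;
}

#define KEY_BYTES 32   /* assumed key size: 32 bytes, stored as 64 hex chars */

/* Generate one device key as a hex string. Returns 0 on success. */
static int make_key_hex(char out[2 * KEY_BYTES + 1])
{
    unsigned char key[KEY_BYTES];
    if (fill_random(key, sizeof key) != 0)
        return -1;
    to_hex(key, sizeof key, out);
    memset(key, 0, sizeof key);   /* best effort: scrub key bytes off the stack */
    return 0;
}
```

The retry loop is the part std::random_device hides from a C++ caller: whether it even reads the kernel pool, and what it does on a short read, depends on the standard library build.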