MainInclusionReportSysstat

Differences between revisions 3 and 6 (spanning 3 versions)
Revision 3 as of 2008-02-08 17:37:38
Size: 3867
Editor: mail
Comment:
Revision 6 as of 2008-08-06 16:39:43
Size: 3973
Editor: localhost
Comment: converted to 1.6 markup
Deletions are marked with a leading "-"; additions are marked with a leading "+".

Line 5:
-  0. ''Availability:'' [http://archive.ubuntu.com/ubuntu/pool/universe/s/sysstat]; available for all supported architectures.
+  0. ''Availability:'' [[http://archive.ubuntu.com/ubuntu/pool/universe/s/sysstat]]; available for all supported architectures.

Line 9:
-  * [http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sysstat CVE entries]: 4 entries. none of them seem to affect the version in hardy.
-  * [http://secunia.com/search/?search=sysstat Secunia history]: same story as CVE db.
+  * [[http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sysstat|CVE entries]]: 4 entries. none of them seem to affect the version in hardy.
+  * [[http://secunia.com/search/?search=sysstat|Secunia history]]: same story as CVE db.

Line 50:
-    * undergoing security further analysis (potential problem which is easily fixed)
+    * spot-checked memory and string functions and it performs them properly
+    * found slight problem with call to execvp function, but will report upstream and upload

Line 57 (revision 3) / Line 58 (revision 6):
-  * [http://bugs.debian.org/src:sysstat Debian bugs]: nothing scary.
-  * [http://packages.qa.debian.org/s/sysstat.html Maintenance in Debian] is vigorous
-  * [http://pagesperso-orange.fr/sebastien.godard/] is vigorous
+  * [[http://bugs.debian.org/src:sysstat|Debian bugs]]: nothing scary.
+  * [[http://packages.qa.debian.org/s/sysstat.html|Maintenance in Debian]] is vigorous
+  * [[http://pagesperso-orange.fr/sebastien.godard/]] is vigorous

Line 63 (revision 3) / Line 64 (revision 6):
-  * [http://www.pathname.com/fhs/ FHS], [http://www.de.debian.org/doc/debian-policy/ Debian Policy]
+  * [[http://www.pathname.com/fhs/|FHS]], [[http://www.de.debian.org/doc/debian-policy/|Debian Policy]]

Line 65 (revision 3) / Line 66 (revision 6):
-  * [http://www.netfort.gr.jp/~dancer/column/libpkg-guide/libpkg-guide.html Debian library packaging guide] standards compliance ?
+  * [[http://www.netfort.gr.jp/~dancer/column/libpkg-guide/libpkg-guide.html|Debian library packaging guide]] standards compliance ?

Line 75 (revision 3) / Line 76 (revision 6):
- MIR bug: [https://bugs.launchpad.net/bugs/183469]
+ MIR bug: [[https://bugs.launchpad.net/bugs/183469]]

Main Inclusion Report for sourcepackage

Requirements

  1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/s/sysstat; available for all supported architectures.

  2. Rationale:

  3. Security:

    • CVE entries: 4 entries; none of them seem to affect the version in hardy.

    • Secunia history: same story as CVE db.

    • Any binaries running as root or suid/sgid ? Any daemons ?
      • Yes one daemon running as root to collect data.
    • Network activity: does it open any port ? Does it handle incoming network data ?
      • no open ports; the daemon runs locally.
    • High level source code review performed by JamieStrandboge

      • sa1
        • /bin/sh script
        • called via /etc/cron.d/sysstat and /etc/init.d/sysstat
        • wrapper for sadc and does file manipulation in /var/log/sysstat properly
      • sa2
        • /bin/sh
        • called via /etc/cron.daily/sysstat
        • wrapper for sar.sysstat and does file manipulation properly (oddly, it does a cd to /usr/bin, then runs 'rm' and 'find ... -exec' ..., but the paths passed to 'rm' and 'find' are absolute paths in /var/log/sysstat)
      • sadc
        • ELF binary
        • called via sa1 and sar.sysstat (and therefore sa2)
        • vulnerable to TOCTOU via access() in open_ofile(). High-level review shows this should not be an issue in practice, as the checked files, when run from cron and the initscript, are all in /var/log/sysstat, which is owned by root. Should only be a problem if run by root and the output file is somewhere writable by normal users (e.g. /tmp)
        • spot-checked memory and string functions and it performs them properly
        • reads the following files (which can't be manipulated by users):
          1. /proc/stat
          2. /proc/loadavg
          3. /proc/meminfo
          4. /proc/vmstat
          5. /proc/tty/driver/serial (requires root)
          6. /proc/interrupts
          7. /proc/sys/fs/dentry-state
          8. /proc/sys/fs/file-nr
          9. /proc/sys/fs/inode-state
          10. /proc/net/dev
          11. /proc/net/sockstat
          12. /proc/net/rpc/nfs
          13. /proc/net/rpc/nfsd
          14. /proc/diskstats
          15. /proc/partitions
          16. /proc/uptime
        • it would be nice if sadc could be run as non-root, as it needs root for only one file (/proc/tty/driver/serial)
      • sar.sysstat
        • ELF binary
        • called via sa2
        • spot-checked memory and string functions and it performs them properly
        • found slight problem with call to execvp function, but will report upstream and upload
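The access()-then-open() pattern flagged above in sadc's open_ofile(), and the reviewer's reasoning about why it is only exploitable when root writes into a user-writable directory, can both be made concrete. The following is an added example written for this report; it is not sysstat's code and does not reproduce open_ofile(). The function names (open_ofile_racy, open_ofile_safe, output_dir_is_safe, demo_symlink_refused) and the demo directory under /tmp are assumptions of the example. It shows the racy shape beside a hardened open that refuses symlinks and validates the descriptor it actually got, plus a directory check that encodes the "/var/log/sysstat is owned by root" argument.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The shape the review flags: access() checks a *pathname*, open() later
 * opens whatever that pathname refers to at that moment.  Anyone who can
 * write the containing directory can re-bind the name in between, so the
 * check proves nothing about the file the descriptor ends up pointing at. */
int open_ofile_racy(const char *path)
{
    if (access(path, W_OK) != 0 && errno != ENOENT)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Hardened variant: no separate pre-check.  O_NOFOLLOW makes the kernel
 * refuse a symlink as the final path component (ELOOP), and the properties
 * are then verified on the *descriptor* with fstat(), which cannot race:
 * regular file, owned by us, and no extra hard links pointing at it. */
int open_ofile_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* The reviewer's mitigating condition as a check: an output directory is
 * acceptable only if it is a real directory, owned by the effective user,
 * and not writable by group or others (so nobody else can rename entries
 * or plant a symlink there).  /tmp fails this; /var/log/sysstat passes
 * when run as root. */
int output_dir_is_safe(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != geteuid())
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Constructed demonstration (assumption: /tmp exists and is writable).
 * In a fresh private directory, point a symlink "out.log" at a "victim"
 * file we own, then try both opens on the symlink.  Returns 1 when the
 * racy open followed the link, the hardened open refused it with ELOOP,
 * and the private directory itself passed output_dir_is_safe(). */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/sysstat-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)          /* mode 0700, owned by us */
        return -1;
    char victim[PATH_MAX], link[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/out.log", dir);

    int v = open(victim, O_WRONLY | O_CREAT, 0644);
    if (v < 0 || symlink(victim, link) != 0) {
        if (v >= 0) close(v);
        rmdir(dir);
        return -1;
    }
    close(v);

    int dir_ok = output_dir_is_safe(dir);
    int racy = open_ofile_racy(link);      /* follows the link: opens victim */
    int safe = open_ofile_safe(link);      /* O_NOFOLLOW: rejected */
    int safe_errno = errno;
    int result = (dir_ok == 1 && racy >= 0 && safe < 0 && safe_errno == ELOOP);

    if (racy >= 0) close(racy);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("symlink refused by hardened open: %s\n",
           demo_symlink_refused() == 1 ? "yes" : "no");
    printf("/tmp acceptable as output dir:    %s\n",
           output_dir_is_safe("/tmp") ? "yes" : "no");
    return 0;
}
```

The point of the fstat() checks is that they inspect the object already opened, so no later rename or symlink can change what they describe; the directory check is the administrative side of the same argument, and is why the cron and initscript invocations writing into a root-owned /var/log/sysstat are judged acceptable in the report.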
  4. Quality assurance:

    • In what situations does the package not work out of the box without configuration ?
      • none
    • Does the package ask any debconf questions higher than priority 'medium' ?
      • Yes, only when upgrading from < 8.0.0

    • Debian bugs: nothing scary.

    • Maintenance in Debian is vigorous

    • http://pagesperso-orange.fr/sebastien.godard/ is vigorous

    • Hardware: Does this package deal with hardware and if so how exotic is it ?
      • no
  5. Standards compliance:

  6. Dependencies:

    • B-D (Build-Depends) are all in main.
    • Depends for the isag binary are not, but it could easily stay in universe. The stuff for the core is all in main.

Reviewers

MIR bug: https://bugs.launchpad.net/bugs/183469

The author of this report should put their name here; reviewers will add comments etc. too

FabioMassimoDiNitto JamieStrandboge

MainInclusionReportSysstat (last edited 2008-08-06 16:39:43 by localhost)