[MIR] xdg-desktop-portal-gtk

Bug #1750069 reported by Ken VanDine
This bug affects 2 people
Affects                           Status         Importance   Assigned to   Milestone
xdg-desktop-portal-gtk (Ubuntu)   Fix Released   Undecided    Ken VanDine
Xenial                            Fix Released   Undecided    Ken VanDine
Bionic                            Fix Released   Undecided    Ken VanDine

Bug Description

Availability
============
Actively maintained in Debian and we'll sync from Debian again when 0.10 is available.

Built for all supported architectures.

Rationale
=========
Required for snaps.

Security
========
No known security issues, but due to the nature of this package, a security review is probably needed.

https://security-tracker.debian.org/tracker/source-package/xdg-desktop-portal-gtk
https://launchpad.net/xdg-desktop-portal-gtk/+cve

Quality assurance
=================
- The Desktop Packages bug team is subscribed.

https://bugs.launchpad.net/ubuntu/+source/xdg-desktop-portal-gtk
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=xdg-desktop-portal-gtk
https://github.com/flatpak/xdg-desktop-portal-gtk/issues

Dependencies
============
No universe binary dependencies

Standards compliance
====================
4.1.3

debhelper compat 10, dh 7 style simple rules

Maintenance
===========
- Actively developed upstream. Last release was 0.10, this week.
https://github.com/flatpak/xdg-desktop-portal-gtk/commits/master

Well-maintained in Debian by Simon McVittie (Debian's Flatpak maintainer). Team-maintained.
https://salsa.debian.org/debian/xdg-desktop-portal-gtk

Background information
======================
This is needed to make xdg-desktop-portal useful in Ubuntu Desktop. See xdg-desktop-portal MIR bug LP: #1749672

Tags: bionic
tags: added: bionic
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xdg-desktop-portal-gtk (Ubuntu):
status: New → Confirmed
Nish Aravamudan (nacc)
Changed in xdg-desktop-portal-gtk (Ubuntu):
assignee: nobody → Nish Aravamudan (nacc)
Nish Aravamudan (nacc)
Changed in xdg-desktop-portal-gtk (Ubuntu):
assignee: Nish Aravamudan (nacc) → Ubuntu Security Team (ubuntu-security)
Nish Aravamudan (nacc) wrote :

This seems fine from a MIR perspective, but needs a security review.

Seth Arnold (seth-arnold) wrote :

I will probably finish this MIR in ~two weeks; I thought I'd share the notes I've collected so far in case they are useful to anyone:

Some unclean logs:

update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
/usr/include/glib-2.0/glib/gmem.h:124:8: warning: mutter_session_proxy may be used uninitialized in this function [-Wmaybe-uninitialized]
src/remotedesktopdialog.c:148:16: warning: device_type_name may be used uninitialized in this function [-Wmaybe-uninitialized]
dh_install: Please use dh_missing --list-missing/--fail-missing instead
E: Lintian run failed (policy violation)
Lintian: fail

And some notes on the code:

- image_button_clicked() does image previews
- compose_mail_thunderbird() and compose_mail_evolution() would probably
  allow attaching arbitrary files via malicious addresses -- are the
  addresses shown specifically to the user to confirm them first? The
  thunderbird variant may also allow the same attack via subject and
  body text.

- supports
  file chooser
  app chooser
  print
  screenshot
  notification
  inhibit
  access
  account
  email
  screen cast
  remote desktop

- launch_preview() appears to use unsafe string-based execution with
  user-supplied content rather than safe array-based execution.

Thanks

Seth Arnold (seth-arnold) wrote :

I reviewed xdg-desktop-portal-gtk version 0.11-1 as checked into cosmic.
This isn't a full security audit but rather a quick gauge of
maintainability.

xdg-desktop-portal-gtk is a "backend" for the portal system to try to make
Linux namespacing more ergonomic. It provides dialogs that serve dual
purposes: the standard file-pickers, etc., while simultaneously serving as
unobtrusive access control tools. (Aka "powerbox".)

- No CVE history

- xdg-desktop-portal-gtk is the user-facing portion of the portals
  toolkit; sandboxed applications will use xdg-desktop-portal to call
  into this package or other similar ones for different environments,
  users will make access control decisions, and the results will be
  passed back into the sandboxed applications.

  All the interactions are handled over dbus.

- Build-Depends: dbus, debhelper, libdbus-1-dev, libglib2.0-dev,
  libgtk-3-dev, xdg-desktop-portal-dev, xmlto
- Does not itself do networking
- No pre/post inst/rm scripts
- No init scripts
- systemd user unit file to start
  /usr/lib/xdg-desktop-portal/xdg-desktop-portal-gtk on the dbus service
  org.freedesktop.impl.portal.desktop.gtk
- No setuid files
- No binaries in PATH
- No sudo fragments
- No udev rules
- No test suite
- No cron jobs
- Build logs have some errors

- subprocesses are spawned. The launch_preview() function looks unsafe and
  may need a CVE. The mail compose methods probably allow a malicious
  file to exfiltrate data off the system if the operator isn't paying
  close attention.

- memory management looked careful
- logging looked careful
- sets GIO_USE_VFS environment variable
- No cryptography
- Does not itself do networking, gnome vfs might
- Privileged vs unprivileged portions of code are difficult to untangle
  via casual inspection; I believe this entire package is privileged, but
  I'm not sure if filenames, inputs, etc., are therefore completely
  trusted or completely untrusted or somewhere in the middle.
- No temporary files
- No WebKit
- No PolKit

Here's some of the messy logs:

update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
/usr/include/glib-2.0/glib/gmem.h:124:8: warning: mutter_session_proxy may be used uninitialized in this function [-Wmaybe-uninitialized]
src/remotedesktopdialog.c:148:16: warning: device_type_name may be used uninitialized in this function [-Wmaybe-uninitialized]
dh_install: Please use dh_missing --list-missing/--fail-missing instead
E: Lintian run failed (policy violation)
Lintian: fail

- image_button_clicked() does image previews
- compose_mail_thunderbird() and compose_mail_evolution() would probably
  allow attaching arbitrary files via malicious addresses -- are the
  addresses shown specifically to the user to confirm them first? The
  thunderbird variant may also allow the same attack via subject and
  body text.

- supports
  file chooser
  app chooser
  print
  screenshot
  notification
  inhibit
  access
  account
  email
  screen cast
  remote desktop

- launch_preview() appears to use unsafe string-based execution with
  user-supplied content rather than safe array-based execution.

A trusted helper tool like this is probably g...


Changed in xdg-desktop-portal-gtk (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Sebastien Bacher (seb128) wrote :

Override component to main
xdg-desktop-portal-gtk 1.0.2-2 in cosmic: universe/misc -> main
xdg-desktop-portal-gtk 1.0.2-2 in cosmic amd64: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-2 in cosmic arm64: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-2 in cosmic armhf: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-2 in cosmic i386: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-2 in cosmic ppc64el: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-2 in cosmic s390x: universe/gnome/optional/100% -> main
Override [y|N]? y
7 publications overridden.

Changed in xdg-desktop-portal-gtk (Ubuntu):
status: Confirmed → Fix Released
Ken VanDine (ken-vandine) wrote :

@seth-arnold You approved this for cosmic only. What's the status of getting this approved for bionic and xenial? Getting this in bionic and xenial would greatly improve the snap desktop support.

Seth Arnold (seth-arnold) wrote :

Thanks for the reminder Ken, I completely forgot to file issues on the gui backend.

My intention was for this package to be exposed to wider use and wider inspection for three or four months before encouraging use in our previous LTS releases. I'm still worried that this package hasn't received sufficient community review for it to take such an important role in our ecosystem.

Thanks

Seth Arnold (seth-arnold) wrote :
Changed in xdg-desktop-portal-gtk (Ubuntu):
assignee: nobody → Ken VanDine (ken-vandine)
Changed in xdg-desktop-portal-gtk (Ubuntu Xenial):
assignee: nobody → Ken VanDine (ken-vandine)
Changed in xdg-desktop-portal-gtk (Ubuntu Bionic):
assignee: nobody → Ken VanDine (ken-vandine)
Jamie Strandboge (jdstrand) wrote :

Marked the xenial and bionic tasks as incomplete. Seth gave some guidance but the desktop team needs to respond on how to handle it before anything is done with the seeding.

Changed in xdg-desktop-portal-gtk (Ubuntu Xenial):
status: New → Incomplete
Changed in xdg-desktop-portal-gtk (Ubuntu Bionic):
status: New → Incomplete
Seth Arnold (seth-arnold) wrote :

Security team ACK for promoting xdg-desktop-portal-gtk and xdg-desktop-portal to main for bionic and xenial.

Thanks

Jeremy Bícha (jbicha) wrote :

(Setting the bug back to Triaged per comment 10)

Changed in xdg-desktop-portal-gtk (Ubuntu Xenial):
status: Incomplete → Triaged
Changed in xdg-desktop-portal-gtk (Ubuntu Bionic):
status: Incomplete → Triaged
Steve Langasek (vorlon) wrote :

Override component to main
xdg-desktop-portal-gtk 1.0.2-0ubuntu1.1 in bionic: universe/misc -> main
xdg-desktop-portal-gtk 1.0.2-0ubuntu1.1 in bionic amd64: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-0ubuntu1.1 in bionic arm64: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-0ubuntu1.1 in bionic armhf: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-0ubuntu1.1 in bionic i386: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-0ubuntu1.1 in bionic ppc64el: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-0ubuntu1.1 in bionic s390x: universe/gnome/optional/100% -> main
7 publications overridden.

Changed in xdg-desktop-portal-gtk (Ubuntu Bionic):
status: Triaged → Fix Released
Steve Langasek (vorlon) wrote :

Override component to main
xdg-desktop-portal-gtk 1.0.2-0ubuntu0.0 in xenial: universe/gnome -> main
xdg-desktop-portal-gtk 1.0.2-0ubuntu0.0 in xenial amd64: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-0ubuntu0.0 in xenial arm64: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-0ubuntu0.0 in xenial armhf: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-0ubuntu0.0 in xenial i386: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-0ubuntu0.0 in xenial powerpc: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-0ubuntu0.0 in xenial ppc64el: universe/gnome/optional/100% -> main
xdg-desktop-portal-gtk 1.0.2-0ubuntu0.0 in xenial s390x: universe/gnome/optional/100% -> main
8 publications overridden.

Changed in xdg-desktop-portal-gtk (Ubuntu Xenial):
status: Triaged → Fix Released