[MIR] mosh

Bug #1997106 reported by Robie Basak
Affects: mosh (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Robie Basak

Bug Description

[Availability]
The package mosh is already in Ubuntu universe.
The package mosh is built for the architectures it is designed to work on.
Link to package: https://launchpad.net/ubuntu/+source/mosh

[Rationale]
The package mosh will generally be useful for a large part of our (server) user base.

It would be great and useful to community/processes to have the package mosh in Ubuntu main, but there is no definitive deadline. However, the server team's goal is to have the MIR complete by the end of the Lunar cycle.

[Security]
- Had 1 security issue in the past
  - https://ubuntu.com/security/CVE-2012-2385

- Binaries installed into /usr/bin: mosh, mosh-client, mosh-server.

- Clearly this package is security sensitive and needs a security review. After using ssh to bootstrap, it communicates directly using UDP, and a compromise there would result in a compromise of the entire system.

- Packaging includes a ufw definition.

[Quality assurance - function/usage]
The package works well right after install.

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and does not have too many,
  or long-term, critical bugs open
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/mosh
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mosh

- The package does not deal with exotic hardware we cannot support.

- There have been a couple of NMUs but upstream did seem perfectly responsive in fixing maintenance issues upstream in these cases. Eg. https://github.com/mobile-shell/mosh/issues/971, https://github.com/mobile-shell/mosh/issues/1174.

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build fail, build log: https://launchpadlibrarian.net/633305305/buildlog_ubuntu-lunar-amd64.mosh_1.4.0-1_BUILDING.txt.gz

- The package does not run an autopkgtest (TODO).

- The package does not have failing autopkgtests right now

[Quality assurance - packaging]
- debian/watch is present and works

- debian/control defines a correct Maintainer field

- This package does not yield massive lintian Warnings, Errors

- Build log: https://launchpadlibrarian.net/633305305/buildlog_ubuntu-lunar-amd64.mosh_1.4.0-1_BUILDING.txt.gz

- Lintian output:

    P: mosh source: insecure-copyright-format-uri http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ [debian/copyright]
    P: mosh source: package-uses-old-debhelper-compat-version 12

- Lintian overrides are not present

- This package does not rely on obsolete or about to be demoted packages.

- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf
  questions higher than medium

- Packaging and build is easy, link to d/rules: https://git.launchpad.net/ubuntu/+source/mosh/tree/debian/rules

[UI standards]
- Application is end-user facing, but translation isn't present. This is presumed OK as it's intended for CLI use only, but as a wrapper for ssh doesn't really have an interface as such, except for errors. Manpages are present but not translated.

- End-user applications without desktop file, not needed because it's intended for CLI use only

[Dependencies]
- No further depends or recommends dependencies that are not yet in main, except for a recommends on libio-socket-ip-perl (TODO).

- protobuf-compiler is a Build-Depends and in universe, but this is presumed OK because src:protobuf is in main, as is the resulting binary package dependency libprotobuf23.

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Owning Team will be ~ubuntu-server

- Team is not yet, but will subscribe to the package before promotion

- This does not use static builds

- This does not use vendored code

- This package is not rust based

- The package has been built in the archive more recently than the last test rebuild

[Background information]
- The Package description explains the package well

- Upstream Name is mosh

- Link to upstream project: https://github.com/mobile-shell/mosh

- Vcs-Git points to the upstream repository but I don't see a specific Debian packaging branch. However, the debian directory matches what is in the upstream branch apart from the latest entry in debian/changelog, so is effectively in "sync" with upstream.

Robie Basak (racb) wrote :

MIR team: the biggest blocker here will inevitably be the security review I presume will be necessary. I have a couple of outstanding things to fix for the MIR as well, but am filing this now to get this on the security team's list ASAP. I hope this is OK.

description: updated
Changed in mosh (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
Anders Kaseorg (andersk) wrote :

> Handle libio-socket-ip-perl Recommends that is not in main (but it seems to work without).

The perl-base package Provides: libio-socket-ip-perl (= 0.41).

Robie Basak (racb) wrote : Re: [Bug 1997106] Re: [MIR] mosh

On Tue, Nov 22, 2022 at 08:08:32PM -0000, Anders Kaseorg wrote:
> The perl-base package Provides: libio-socket-ip-perl (= 0.41).

Ah, perfect. Thanks!

Lukas Märdian (slyon) wrote :

Review for Package: src:mosh

[Summary]
Mosh is an alternative to openssh-client, which covers specific
usecases of slow, mobile, and/or high-latency connections. Development
seems to have slowed down, but a new contributor/maintainer stepped
up, who is also involved with Debian packaging, so we can hope for
more activity in the future.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: mosh
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
#0 no translation present, but CLI only (I feel like this is OK as this
   application will not be presented to the end user)
#1 Upstream update history is sporadic, there seems to be a new
   maintainer, who is also involved with the Debian packaging,
   re-activating the release process (so should become better)
#2 needs security review, for several reasons:
   - parses data formats (network packets) from an untrusted source.
   - opens a port/socket (mosh-server UDP)
   - deals with system authentication (e.g., pam), etc.:
     https://bugs.debian.org/816372

Required TODOs:
#3 does not have a non-trivial test suite that runs as autopkgtest,
   please add automated integration tests
#4 other Dependencies to MIR due to this (to be discussed with Debian)
   libio-socket-ip-perl, which is also provided by perl-base (MAIN),
   so we should change that "Recommends: libio-socket-ip-perl" to
   "Recommends: perl-base"

Recommended TODOs:
#5 The package should get a team bug subscriber before being promoted
#6 build time warning (should be discussed with upstream):
   configure.ac:325: warning: The macro `AC_HELP_STRING' is obsolete.

[Duplication]
There is no other package in main providing the same functionality.
Mosh is an alternative to openssh-client, which covers specific usecases of
slow, mobile, and/or high-latency connections. Another alternative would be
"Eternal Terminal" (not in the archive).

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.
- lintian warnings:
  W: mosh: incorrect-path-for-interpreter /usr/bin/env perl != /usr/bin/perl [usr/bin/mosh]
  N: Note that, as a particular exception, Debian Policy § 10.4 states that
  N: Perl scripts should use /usr/bin/perl directly and not /usr/bin/env, etc.

Problems:
- other Dependencies to MIR due to this:
  libio-socket-ip-perl, which is also provided by perl-base, so we could
  change that "Recommends: libio-socket-ip-perl" to "Recommends: perl-base"

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning (only CVE-2012-2385 from 2012)
- does not run a daemon as root
- does not use we...

Changed in mosh (Ubuntu):
assignee: Lukas Märdian (slyon) → Ubuntu Security Team (ubuntu-security)
tags: added: sec-1511
Changed in mosh (Ubuntu):
status: New → In Progress
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

I reviewed mosh 1.4.0-1 as checked into lunar. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

mosh (Mobile Shell) is a remote terminal application that replaces
interactive SSH terminals. mosh supports intermittent connectivity and
claims to be more robust and responsive over lagging networks.

- CVE History:
  - CVE-2012-2385 was solved in a few days.
  - upstream seems pretty responsive, as already stated.
- Build-Depends?
  - debhelper-compat, protobuf-compiler, libprotobuf-dev, pkg-config,
    libutempter-dev, zlib1g-dev, libncurses5-dev, libssl-dev,
    bash-completion, locales, tmux, less (all in main)
- pre/post inst/rm scripts?
  - pre/post inst/rm scripts remove the mosh file in bash_completion.d/:
     `rm_conffile /etc/bash_completion.d/mosh 1.2.5\~ -- "$@"`.
- init scripts?
  - NA
- systemd units?
  - NA
- dbus services?
  - NA
- setuid binaries?
  - NA
- binaries in PATH?
  - mosh, mosh-client, mosh-server
- sudo fragments?
  - NA
- polkit files?
  - NA
- udev rules?
  - NA
- unit tests / autopkgtests?
  - There is a testsuite that runs during the build process with 31 tests,
    the tests are well documented in src/tests/README.md.
  - No autopkgtests.
- cron jobs?
  - NA
- Build logs:
  - Build log is clean.

- Processes spawned?
  - bash, shell and locale are being spawned in some places. They were
    reviewed and do not seem problematic. Places spawning bash/shell are
    using execvp, and locale invoked by system does not interact with
    user input, so it can't be exploited.
- Memory management?
  - it seems fine, tried to check all flawfinder reports and in general
    they look good.
- File IO?
  - most are standard i/o as used in a terminal application, all fine.
- Logging?
  - flawfinder pointed to some potential format string problems, but they
    were checked and are safe; the variables that could cause overflows
    are checked before their usage in logs.
- Environment variable usage?
  - use of env variable for general configuration and to pass the key, if
    needed (by mosh-client). seems well parsed and filtered.
- Use of privileged functions?
  - use of ioctls, mainly to get terminal window size.
- Use of cryptography / random number sources etc?
  - Uses OpenSSL AES-OCB implementation for secure network communication
    with 16-byte key length through the OpenSSL EVP API.
- Use of temp files?
  - NA
- Use of networking?
  - seems well defined and implemented, nothing concerning.
- Use of WebKit?
  - NA
- Use of PolicyKit?
  - NA

- Any significant cppcheck results?
  - NA
- Any significant Coverity results?
  - There is a large stack usage being reported twice:
     src/frontend/stmclient.cc:306
     src/frontend/mosh-server.cc:835
    that is the buffer that handles the terminal input, having it as big as
    defined is part of the usability as I see.
- Any significant shellcheck results?
  - No
- Any significant bandit results?
  - NA

The project is well written and well documented.
Upstream seems active and has a history of security awareness: there is a
security contact on mosh.org and there is a history of Coverity runs in the
past.

Security team ACK for promo...

Changed in mosh (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Changed in mosh (Ubuntu):
assignee: nobody → Robie Basak (racb)
tags: added: server-todo
Changed in mosh (Ubuntu):
assignee: Robie Basak (racb) → Lucas Kanashiro (lucaskanashiro)
Lucas Kanashiro (lucaskanashiro) wrote :

The server team is subscribed to the package and it was added to the seeds:

https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/ubuntu/commit/?id=1c3747ea4d200683880ec8353911ba38edb9b72c

Ready for promotion, waiting for an AA to do it.

Lukas Märdian (slyon) wrote :

It seems to me that the mandatory MIR requirements #3 and #4 are not yet addressed.
Is there anything planned to fix this?

Can we at least run the build-time unittests against the installed package during autopkgtests for example?

Christian Ehrhardt (paelzer) wrote :

Yes this will be addressed (or after trying explained why it would be impossible).
Assigning Sergio who pulled the short straw.

Changed in mosh (Ubuntu):
assignee: Lucas Kanashiro (lucaskanashiro) → Sergio Durigan Junior (sergiodj)
Robie Basak (racb)
Changed in mosh (Ubuntu):
assignee: Sergio Durigan Junior (sergiodj) → Robie Basak (racb)
Robie Basak (racb) wrote :

We had a brief discussion about libio-socket-ip-perl in #ubuntu-devel just now.

perl-base Provides it and is in main. There's also a binary package named libio-socket-ip-perl in universe.

It seems appropriate that mosh doesn't care where it comes from, so I'm not sure it would be correct to change mosh packaging, unless it's needed to work around some other issue. But we don't know of any - it seems to us that perl-base would fulfil the libio-socket-ip-perl Recommends on a main-only system, and perl-base is Essential. So it shouldn't result in a component mismatch.

dep8 tests are uploaded and landed now that run the upstream test suite as well as a smoke test using openssh on localhost.

So I think this is ready to move to main now.

description: updated
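The resolution described above, as an added example (mine, not Ubuntu's archive or MIR tooling): a small Python check over a constructed Packages index showing that perl-base's versioned Provides satisfies mosh's unversioned Recommends from main, so a component-mismatch report stays empty. Alternatives (a | b) and version constraints on the depending side are left out as a simplification.

```python
# Constructed, minimal Packages index (not a real archive dump): the real
# libio-socket-ip-perl package in universe, perl-base in main providing the
# same name with a version, and mosh with its unversioned Recommends.
PACKAGES_INDEX = """\
Package: libio-socket-ip-perl
Version: 0.41-1
Section: universe/perl

Package: perl-base
Essential: yes
Section: perl
Provides: libio-socket-ip-perl (= 0.41)

Package: mosh
Section: net
Recommends: libio-socket-ip-perl
"""

def parse_index(text):
    """Split deb822-style text into one dict of fields per stanza."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def component(stanza):
    """'universe/perl' -> 'universe'; a Section without prefix means main."""
    sec = stanza.get("Section", "")
    return sec.split("/", 1)[0] if "/" in sec else "main"

def providers(name, stanzas):
    """Packages satisfying `name` via Package or (versioned) Provides."""
    found = []
    for s in stanzas:
        provided = [p.strip().split("(")[0].strip()
                    for p in s.get("Provides", "").split(",")]
        if s["Package"] == name or name in provided:
            found.append(s["Package"])
    return found

def satisfiable_in_main(name, stanzas):
    """True if at least one provider of `name` lives in main."""
    return any(component(s) == "main" for s in stanzas
               if s["Package"] in providers(name, stanzas))

def component_mismatches(pkg, stanzas):
    """Depends/Recommends of `pkg` that nothing in main satisfies (what an
    archive admin sees as a component mismatch). Alternatives and version
    constraints on the depending side are ignored in this simplification."""
    s = next(x for x in stanzas if x["Package"] == pkg)
    wanted = [d.strip().split(" ")[0]
              for f in ("Depends", "Recommends")
              for d in s.get(f, "").split(",") if d.strip()]
    return [n for n in wanted if not satisfiable_in_main(n, stanzas)]
```

Demoting perl-base to universe in the constructed index (replace its Section with "universe/perl") makes the same Recommends show up as a mismatch, which is the situation the thread rules out.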
Lukas Märdian (slyon) wrote :

Thanks Robie and Sergio!

I wasn't fully aware of the perl-base vs libio-socket-ip-perl situation anymore. Thanks for the explanation. This is fine. I'm dropping TODO #4.

Autopkgtests have been added, so TODO #3 is good, too. I'd like to see those tests forwarded to Debian, but this shouldn't block the MIR and can be handled during the normal sync/merge process.

Server team subscribed to the package and security team is +1, so this is good for promotion.

Changed in mosh (Ubuntu):
status: In Progress → Fix Committed
Christian Ehrhardt (paelzer) wrote :

Ack by the Security and MIR team, team subscription present and visible in component mismatch (via seed change). Ready for promotion:

Override component to main
mosh 1.4.0-1ubuntu1 in lunar: universe/net -> main
mosh 1.4.0-1ubuntu1 in lunar amd64: universe/net/optional/100% -> main
mosh 1.4.0-1ubuntu1 in lunar arm64: universe/net/optional/100% -> main
mosh 1.4.0-1ubuntu1 in lunar armhf: universe/net/optional/100% -> main
mosh 1.4.0-1ubuntu1 in lunar ppc64el: universe/net/optional/100% -> main
mosh 1.4.0-1ubuntu1 in lunar riscv64: universe/net/optional/100% -> main
mosh 1.4.0-1ubuntu1 in lunar s390x: universe/net/optional/100% -> main
Override [y|N]? y
7 publications overridden.

Changed in mosh (Ubuntu):
status: Fix Committed → Fix Released