Bug 521664

Summary: www-servers/webfs-1.21-r3: suspicious use of einstall
Product: Gentoo Linux
Reporter: Michał Górny <mgorny>
Component: Current packages
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed>
Status: RESOLVED WONTFIX
Severity: QA
CC: proxy-maint, treecleaner, wicher
Priority: Normal
Keywords: PMASKED
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=591890
Whiteboard: Pending removal: 2016-09-21
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 521420

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-08-29 22:09:12 UTC
Please check whether the use of 'einstall' in this ebuild is actually
needed. From a quick glance at the Makefile, it seems to have proper
support for DESTDIR.

Therefore, if possible please replace the call to 'einstall' with proper
'default' or 'emake DESTDIR="${D}" install'. Thanks.
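A check for the condition the report describes (does the Makefile's install target honour DESTDIR, so that `einstall` can give way to `emake DESTDIR="${D}" install`?), as an added example that is not part of this bug or of webfs; the two sample Makefiles are constructed and are not webfs's own.

```shell
#!/bin/sh
# Added example: decide whether an ebuild can drop 'einstall' by inspecting the
# Makefile's install target for DESTDIR support. Not code from the bug or webfs.

# Constructed sample Makefiles (assumption: these stand in for a real one).
# "destdir" honours DESTDIR; "nodestdir" writes straight into $(bindir).
make_sample_makefile() {
    dir=$(mktemp -d)
    if [ "$1" = destdir ]; then
        printf 'prefix = /usr/local\nbindir = $(prefix)/bin\ninstall: webfsd\n\tinstall -d $(DESTDIR)$(bindir)\n\tinstall -m 755 webfsd $(DESTDIR)$(bindir)/webfsd\n' > "$dir/Makefile"
    else
        printf 'prefix = /usr/local\nbindir = $(prefix)/bin\ninstall: webfsd\n\tinstall -d $(bindir)\n\tinstall -m 755 webfsd $(bindir)/webfsd\n' > "$dir/Makefile"
    fi
    printf '%s\n' "$dir/Makefile"
}

# Returns 0 when every recipe line of the install target that references an
# install-path variable prefixes it with $(DESTDIR), 1 otherwise (or when no
# install target exists). Recipe lines are the indented lines after "install:".
destdir_supported() {
    awk '
        /^install[[:space:]]*:/ { intarget = 1; seen = 1; next }
        /^[^[:space:]#]/        { intarget = 0 }
        intarget && /^[[:space:]]/ {
            if ($0 ~ /\$[({](prefix|bindir|sbindir|mandir|libdir|sysconfdir)[)}]/) {
                if ($0 ~ /\$[({]DESTDIR[)}]/) ok++; else bad++
            }
        }
        END { exit (seen && ok > 0 && bad == 0) ? 0 : 1 }
    ' "$1"
}

# Prints the src_install call the ebuild should use for the given Makefile.
suggest_install_line() {
    if destdir_supported "$1"; then
        printf '%s\n' 'emake DESTDIR="${D}" install'
    else
        printf '%s\n' 'einstall'
    fi
}

# Stand-alone run: report the recommendation for both constructed Makefiles.
for kind in destdir nodestdir; do
    mk=$(make_sample_makefile "$kind")
    printf '%s: %s\n' "$kind" "$(suggest_install_line "$mk")"
done
```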
Comment 1 Pacho Ramos gentoo-dev 2016-02-18 12:05:51 UTC
1.21 was released years ago to fix security issues included in 1.20 (a CVE from 2003)... 1.21 is from 2004 and, then, I really wonder about the security status of this server. I would then remove it.
Comment 2 Wicher Minnaard 2016-08-22 04:56:37 UTC
I actually quite like this package. There's been no CVE for this package since 2004, well, isn't that actually a good thing? Does not seem like a reason for removal.
Comment 3 Pacho Ramos gentoo-dev 2016-08-22 09:37:35 UTC
It has no CVE because nobody has been caring about and using it for years, and looking at the history of CVEs that this *server* was getting when people cared, I wouldn't really trust it.
Comment 4 Wicher Minnaard 2016-08-22 12:43:24 UTC
https://web.nvd.nist.gov/view/vuln/search-results?query=webfs&search_type=all&cves=on

Yes, those were quite bad indeed.

Still I don't subscribe to a logic of "there must still be security bugs because there were some in the past and I guess no one is using it because there are no recent CVEs". It's quite possible that the author took a good look at the whole of the request parsing code when fixing these bugs. And I don't think absence of recent CVEs equates to "no one is using it".

I could proxy-maintain it and fix up the ebuild if that's the pain point.
Comment 5 klz 2016-08-22 12:48:36 UTC
I like this package a lot as well. Please keep it in portage.

'I use this'
Comment 6 Pacho Ramos gentoo-dev 2016-08-22 15:38:30 UTC
There are plenty of web servers available, why do you want to keep people using this one that is clearly abandoned and probably risky to run? This is not like a small local app that you can run safely on your computer, this is about a server that is exposed to attacks and also has a clear history of important security issues (and a lot of them) until this became completely dead and nobody cares about them.

This reminds me of the times of webkit-gtk supposedly having no security issues until, suddenly, they looked at it and they told us to drop the old versions as soon as possible as they were vulnerable a lot.
Comment 7 Wicher Minnaard 2016-08-23 02:29:31 UTC
> There are plenty of web servers available,

Which one of the webservers in the `www-servers` portage category allows for no-config-file-required serving of a dir of files with dirindex as the current user using a one-liner? Our own Górny's `pshs` comes close but doesn't do directory indices.

> why do you want to keep people using this one

I am not telling people what to run.

> that is clearly abandoned

It has a homepage and the author is alive. Define abandoned.

> and probably risky to run?

As I pointed out before, the argument you constructed for deeming it 'probably risky' is logically flawed.

A more substantive argument about code quality would at least include a mention of the many compiler warnings it throws.

> This is not like a small local app that you can run safely on your computer

"People" (N=4) are kinda using it in that manner though, to quickly share a dir of files for a couple of minutes with colleagues on a local LAN. I'd say the initscript has to go; it may very well not even have been the author's intention for it to be used that way. Plus the initscript has had a CVE of its own (CVE-2013-0347, severity high, zomg! don't use gentoo initscripts!).

> until this became completely dead and nobody care about them.

Without substantiation this is just speculation.

> This reminds me of the times of webkit-gtk supposedly having no security issues until, suddenly, they looked at it and they told us to drop the old versions as soon as possible as they were vulnerable a lot.

Yes, that's how these things go, isn't it? There's an incident and then someone or a bunch of people take a second look.

I've mentioned an offer to proxy-maintain this to which you didn't respond. Proxy-maintainers are important for Gentoo though. Anyway, if you want to follow up properly on your suspicions, wait for me to attain maintainership, and then analyse the source code and file security bugs against the package. When I get tired of those security bugs filed we'll drop the package after all. But that time, with substantiation.
Comment 8 Pacho Ramos gentoo-dev 2016-08-24 09:20:16 UTC
Let's CC proxy-maint people... even if my concerns about keeping this for wide use still stand.
Comment 9 strites 2016-09-25 12:07:16 UTC
For the record, I'm using it, and I'm asking: if this is removed, what can be used in its place (a lightweight server to temporarily open a filesystem directory for downloading files over HTTP)?
Comment 10 Pacho Ramos gentoo-dev 2016-10-01 07:43:47 UTC
Removed.