Snap security updates needed

[chennes]

We received the following automated email from Canonical today:

---

A scan of this snap shows that it was built with packages from the Ubuntu
archive that have since received security updates. The following lists new
USNs for affected binary packages in each snap revision:

Revision r1248 (amd64; channels: stable, candidate)

• binutils: 7306-1
• binutils-common: 7306-1
• binutils-x86-64-linux-gnu: 7306-1
• git: 7207-1
• git-man: 7207-1
• libbinutils: 7306-1
• libc-dev-bin: 7259-1
• libc6-dev: 7259-1
• libctf-nobfd0: 7306-1
• libctf0: 7306-1
• libharfbuzz0b: 7251-1
• libmysqlclient21: 7245-1
• libopenjp2-7: 7223-1
• libpoppler118: 7213-1
• libpq5: 7315-1
• libpython3.10: 7218-1, 7280-1
• libpython3.10-dev: 7218-1, 7280-1
• libpython3.10-minimal: 7218-1, 7280-1
• libpython3.10-stdlib: 7218-1, 7280-1
• libsndfile1: 7273-1
• libxml2: 7240-1, 7302-1
• python3.10-dev: 7218-1, 7280-1

Simply rebuilding the snap will pull in the new security updates and
resolve this. If your snap also contains vendored code, now might be a
good time to review it for any needed updates.

Thank you for your snap and for attending to this matter.

References:

• https://ubuntu.com/security/notices/USN-7207-1/
• https://ubuntu.com/security/notices/USN-7213-1/
• https://ubuntu.com/security/notices/USN-7218-1/
• https://ubuntu.com/security/notices/USN-7223-1/
• https://ubuntu.com/security/notices/USN-7240-1/
• https://ubuntu.com/security/notices/USN-7245-1/
• https://ubuntu.com/security/notices/USN-7251-1/
• https://ubuntu.com/security/notices/USN-7259-1/
• https://ubuntu.com/security/notices/USN-7273-1/
• https://ubuntu.com/security/notices/USN-7280-1/
• https://ubuntu.com/security/notices/USN-7302-1/
• https://ubuntu.com/security/notices/USN-7306-1/
• https://ubuntu.com/security/notices/USN-7315-1/

[furgo16]

A scan of this snap

@chennes which snap is "this snap"?

My guess is that's the freecad-deps-core22 or the freecad-deps-core24 snap. There we use packages from the Ubuntu archive.

For the freecad snap we use the KDE Neon archive, which has newer Qt packages than the Ubuntu archive (and allows us to build a Qt 6 snap). That raises a good point: we should find out about the security updates policy for the KDE Neon archive.

[kkremitzki]

I've been getting emails about this recently, so I looked into the issue a bit. For starters, the current emails are for different security notices than what this issue was originally created for, so the real problem is having a way of handling these rebuilds automatically.

Also, as @furgo16 said, it isn't necessarily us that need to do these rebuilds, or perhaps it's necessary but not sufficient, i.e. others will need to do so as well. For example, I found this forum post on using the security scanning tools locally which I followed, first by testing on the downloaded snap, and then testing again on a locally rebuilt one. In short, most but not all of the security notices were gone from the report after rebuilding just the freecad-snap.

Downloaded test:

ubuntu@ubuntu-server:~/Downloads$ snap download freecad
Fetching snap "freecad"
Fetching assertions for "freecad"
Install the snap with:
   snap ack freecad_1634.assert
   snap install freecad_1634.snap
ubuntu@ubuntu-server:~/Downloads$ review-tools.check-notices freecad_1634.snap
{
  "freecad": {
    "1634": {
      "cpp-11": [
        "7700-1"
      ],
      "g++-11": [
        "7700-1"
      ],
      "gcc-11": [
        "7700-1"
      ],
      "gcc-11-base": [
        "7700-1"
      ],
      "gfortran-11": [
        "7700-1"
      ],
      "libasan6": [
        "7700-1"
      ],
      "libatomic1": [
        "7700-1"
      ],
      "libcc1-0": [
        "7700-1"
      ],
      "libgcc-11-dev": [
        "7700-1"
      ],
      "libgfortran-11-dev": [
        "7700-1"
      ],
      "libgfortran5": [
        "7700-1"
      ],
      "libgomp1": [
        "7700-1"
      ],
      "libitm1": [
        "7700-1"
      ],
      "libjs-jquery-ui": [
        "5181-1"
      ],
      "liblsan0": [
        "7700-1"
      ],
      "libopenexr25": [
        "5620-1"
      ],
      "libpmix-dev": [
        "6434-1"
      ],
      "libpmix2": [
        "6434-1"
      ],
      "libquadmath0": [
        "7700-1"
      ],
      "libslurm37": [
        "6458-1"
      ],
      "libstdc++-11-dev": [
        "7700-1"
      ],
      "libtiff5": [
        "7707-1"
      ],
      "libtsan0": [
        "7700-1"
      ],
      "libubsan1": [
        "7700-1"
      ],
      "libxml2": [
        "7694-1"
      ],
      "python3-git": [
        "5968-1",
        "6326-1"
      ],
      "python3-scipy": [
        "6226-1"
      ]
    }
  }
}

Rebuild results:

ubuntu@ubuntu-desktop:~/src/freecad-snap$ SNAPCRAFT_BUILD_INFO=1 snapcraft pack
[ ... ]
ubuntu@ubuntu-desktop:~/src/freecad-snap$ review-tools.check-notices freecad_1.1-g67d00158_amd64.snap
{
  "freecad": {
    "1.1-g67d00158": {
      "libjs-jquery-ui": [
        "5181-1"
      ],
      "libopenexr25": [
        "5620-1"
      ],
      "libpmix-dev": [
        "6434-1"
      ],
      "libpmix2": [
        "6434-1"
      ],
      "libslurm37": [
        "6458-1"
      ],
      "python3-git": [
        "5968-1",
        "6326-1"
      ],
      "python3-scipy": [
        "6226-1"
      ]
    }
  }
}

[furgo16]

The current edge channel snap, which will ultimately become the 1.1 stable channel build on release day does not have any security notices. To be expected, as it's rebuilt daily and picks up the latest security updates from the Ubuntu archive. This will affect mostly the stable release and the freecad-deps-snap always, as they remain static, other than backports, during a release cycle.

I think the task here might be to have a CI job that scans the .snap artifact with the review tools say weekly, and create an issue to request a rebuild that picks all updates. The other question is how we version these updates, as I don't think one can upload a rebuilt snap with the same version number to the store.

Perhaps another low-key change which might still be helpful, would be to automatically redirect these security notices sent to @chennes by e-mail. That is, make these e-mails send an e-mail to the FreeCAD/FreeCAD-snap issue tracker directly to open an issue.

[chennes]

Is there a scanner that we can run locally that does what their scanner is doing? We might get better issue creation, and maybe even PR creation, if it's a GitHub action instead of a forwarded email. Also, if you send me your email address I'd be happy to add you to the "snap@freecad.org" distribution list.