I reviewed libheif 1.6.1-1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
libheif is an image codec library necessary for decoding photos from some newer phones.

- CVE History:
  - CVE-2019-11471, our database says still unfixed in 18.04 LTS.
- Build-Depends: debhelper-compat, libde265-dev, libgdk-pixbuf2.0-dev, libjpeg-dev, libpng-dev, libx265-dev, pkg-config
- no pre/post inst/rm scripts
- no init scripts
- no systemd units
- no dbus services
- no setuid binaries
- binaries in PATH
  - heif-thumbnailer in heif-thumbnailer
  - heif-convert, heif-enc, heif-info in libheif-examples
- no sudo fragments
- no udev rules
- There are some very thin unit tests. No autopkgtests. There's some support for fuzzers but I don't see it used.
- no cron jobs
- relatively clean build logs
- no processes spawned
- significant memory management and C-style manipulation of data. Most calls looked like there were checks in place, but this level of C-style memory manipulation probably has errors.
- No file IO in library, only in examples
- Very little human logging; looked fine
- No environment variable usage
- No use of privileged functions
- No cryptography
- No temp files
- No networking
- No webkit
- No polkit
- cppcheck false positive
- an earlier look found some coverity issues, which the team addressed

Here's a list of the small handful of things I noticed:

- In convert_libde265_image_to_heif_image(), what constrains stride to reasonable values? I get lost reading libde265 code to find the stride.
- setjmp() used for error handling in example code; this kind of error handling is very difficult to use correctly over time.
- Y4MEncoder::Encode() doesn't appear to guard against integer overflow in fwrite() calls.
- Box_iloc::write_mdat_after_iloc(): 4gig outputs unhandled.

I'm not sure of the consequences of any of these issues. Code quality looked good, especially for a codec library; the examples didn't look as good, but this is common.

Security team ACK for promoting the libheif library packages libheif1 and heif-gdk-pixbuf to main.
I'd like to keep the examples in heif-thumbnailer and libheif-examples in universe.

Thanks

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-11471

** Changed in: libheif (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1827442
Title: [MIR] libheif

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
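The three size-related points in the review above (an unconstrained stride, an unchecked width*height product feeding fwrite(), and an mdat box that cannot express a 4 GiB payload in a 32-bit size field) all come down to the same kind of check. The C below is an added example written for this page; it is not libheif's code and does not reproduce Y4MEncoder::Encode() or Box_iloc::write_mdat_after_iloc(). The function names, the MAX_DIM and MAX_STRIDE_PAD caps, and the bytes-per-pixel limit are assumptions chosen for the example; the box header layout (32-bit size, four-byte type, and a 64-bit "largesize" after the type when the size field is 1) is the ISO BMFF convention that HEIF files use.

```c
/* Added example (not libheif code): overflow-checked plane sizing and
 * ISO BMFF box headers that switch to the 64-bit "largesize" form.
 * MAX_DIM and MAX_STRIDE_PAD are assumed caps for this example only. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DIM        16384u  /* assumed sanity cap on width and height   */
#define MAX_STRIDE_PAD 4096u   /* assumed cap on stride - (width * bpp)    */

/* Validate plane geometry and compute stride * height without overflow.
 * Fails if a dimension is zero or over MAX_DIM, bytes_per_px is out of
 * range, stride does not cover one row, the row padding is absurd, or the
 * product would not fit in size_t. */
bool plane_bytes(uint32_t width, uint32_t height, uint32_t stride,
                 uint32_t bytes_per_px, size_t *out)
{
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return false;
    if (bytes_per_px == 0 || bytes_per_px > 16)
        return false;
    uint64_t row = (uint64_t)width * bytes_per_px;   /* <= 2^14 * 16, no overflow */
    if (stride < row || stride - row > MAX_STRIDE_PAD)
        return false;                                 /* stride must cover a row */
    uint64_t total = (uint64_t)stride * height;      /* bounded inputs: fits 64 bits */
    if (total > SIZE_MAX)
        return false;
    *out = (size_t)total;
    return true;
}

/* Bytes in one Y4M 4:2:0 frame: a full-size Y plane plus two chroma planes
 * of half width and height (rounded up), each packed with stride == width.
 * This is the value an encoder would hand to fwrite(); it is only computed
 * after plane_bytes() has bounded the dimensions. */
bool y4m_frame_bytes(uint32_t width, uint32_t height, size_t *out)
{
    size_t y, c;
    if (!plane_bytes(width, height, width, 1, &y))   /* also bounds width/height */
        return false;
    uint32_t cw = (width + 1) / 2, ch = (height + 1) / 2;
    if (!plane_bytes(cw, ch, cw, 1, &c))
        return false;
    if (y > SIZE_MAX - 2 * c)
        return false;
    *out = y + 2 * c;
    return true;
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static void put_be64(uint8_t *p, uint64_t v)
{
    put_be32(p, (uint32_t)(v >> 32));
    put_be32(p + 4, (uint32_t)v);
}

/* Write an ISO BMFF box header for a payload of payload_len bytes into buf
 * (at least 16 bytes). The size field counts the header itself; when the
 * total does not fit in 32 bits the size field is set to 1 and a 64-bit
 * largesize follows the four-byte type. Returns the header length (8 or
 * 16), or 0 if the total would overflow 64 bits. */
size_t write_box_header(uint8_t *buf, const char type[4], uint64_t payload_len)
{
    if (payload_len > UINT64_MAX - 16)
        return 0;
    if (payload_len + 8 <= 0xFFFFFFFFu) {
        put_be32(buf, (uint32_t)(payload_len + 8));
        memcpy(buf + 4, type, 4);
        return 8;
    }
    put_be32(buf, 1);                      /* size == 1: largesize present */
    memcpy(buf + 4, type, 4);
    put_be64(buf + 8, payload_len + 16);
    return 16;
}

int main(void)
{
    size_t n;
    uint8_t hdr[16];
    if (y4m_frame_bytes(1920, 1080, &n))
        printf("1080p 4:2:0 frame: %zu bytes\n", n);
    printf("mdat of 4 GiB needs a %zu-byte header\n",
           write_box_header(hdr, "mdat", (uint64_t)4 << 30));
    printf("stride 1000 for width 1920 accepted: %s\n",
           plane_bytes(1920, 1080, 1000, 1, &n) ? "yes" : "no");
    return 0;
}
```

The point of the example is the order of operations: bound the dimensions first, derive every byte count from those bounded values, and only then pass a size to fwrite() or into a box header. A writer that always emits the 8-byte header form silently truncates once the payload plus header crosses 2^32 bytes, which is the "4gig outputs unhandled" case noted above.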