I reviewed libyuv 0.0~git202401110.af6ac82-1 as checked into noble. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
libyuv is an open source project that includes YUV scaling and conversion functionality.

- CVE History:
  - none
  - open bug reports are not a security concern
  - https://bugs.chromium.org/p/libyuv/issues/list
- Build-Depends?
  - googletest build depend
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - from libyuv-utils
    - ./usr/bin/yuvconstants
    - ./usr/bin/yuvconvert
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - from d/rules, it appears all tests on armel s390x powerpc ppc64 and sparc64 are disabled
  - on amd64, 40 disabled tests
  - 256 counts of -Wstringop-overflow in build logs due to tests
  - more bugs in test possible, see coverity section
  - rather thorough testing otherwise
- cron jobs?
  - none
- Build logs:
  - missing man pages for binaries
  - 256 counts of -Wstringop-overflow due to tests
- Processes spawned?
  - only in python, and in a script for maintaining upstream deps
  - not relevant
- Memory management?
  - tests cause string overflows with memtest
    - just a bug, not a security concern
    - see coverity section
  - moderate memcpy use outside of tests
    - looks okay
- File IO?
  - c++ fopen use appears safe
  - ignoring python upstream maintenance helper scripts
- Logging?
  - no logging outside of python
  - Python uses logging.debug and logging.error
- Environment variable usage?
  - only used for tests
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - not a concern
- Any significant Coverity results?
  - non-security bug reported
    - https://bugs.chromium.org/p/libyuv/issues/detail?id=979
  - many more non-relevant issues in tests
    - ignoring
    - upstream should improve unit tests.
  - ./tools_libyuv/ seems dangerous, but appears to only be for upstream maintenance
    - okay
  - unchecked return in ./util/yuconvert.cc:243
  - report of uninitialized scalar variable in ./util/yuconvert.cc seems difficult to trigger
    - MJpegDecoder::MJpegDecoder() does not initialize buf_vec_.pos
    - this is set early in MJpegDecoder::LoadFrame(), so probably *fine*
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none
  - only in irrelevant source code maintenance scripts

This was an expedited and less thorough review.

Security team ACK for promoting foot to main.

** Changed in: libyuv (Ubuntu)
       Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/2004516

Title:
  [MIR] libyuv (transitive dependency of libheif)