[Bug 2047149] Re: [MIR] speexdsp

2024-02-28 Thread Sebastien Bacher
Thanks. I've added the .symbols/made the build stop on changes,
forwarded that delta to Debian and subscribed desktop-packages

Promoting now

** Changed in: speexdsp (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2047149

Title:
  [MIR] speexdsp

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/speexdsp/+bug/2047149/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2047149] Re: [MIR] speexdsp

2024-02-27 Thread George-Andrei Iosif
I reviewed `speexdsp` `1.2.1-1` as checked into Noble.  This shouldn't be 
considered a full audit, but rather a quick gauge of maintainability that 
involves static and dynamic analysis techniques.

Speex is an open-source and free audio compression codec specialised in 
reproducing human speech (at low bitrates, ~2.1–32 kbit/s/channel). The 
format is contained by other formats such as Ogg and Flash Video.

The format was replaced by its parent organisation, Xiph, with the Opus format. 
Despite its obsoletion, the format is still supported by open-source software 
such as [OpenWrt](https://github.com/openwrt/packages/issues/3747).

SpeexDSP is a library that includes the preprocessor, the acoustic echo 
canceller, the jitter buffer, and the resampler. It should be noted that 
`speexdsp`'s code was part of main until Ubuntu 22.04. Before this release, the 
codebase wasn't represented by a separate package but as part of the `speex` 
package.

As SpeexDSP is a no-dependency library, it can be linked by programs with 
`-lspeexdsp -lm`. Likewise, the simple input is the Speex-encoded data provided 
by the program linking SpeexDSP. As the library is written in C but lacks OS 
interaction, the codebase is prone to memory corruption issues that may 
ultimately lead to code execution in the context of the parent process.

- CVE History
  - There is no CVE issued for SpeexDSP.
  - The Speex library, which is a sibling codebase as `speexdsp` was derived from it, has two other CVEs in the past:
    - CVE-2020-23904: Bogus stack buffer overflow that couldn't be validated by the maintainers.
    - CVE-2020-23903: Division by zero in `speexenc`, an example program
  - The Speex sibling codebase was also integrated into OSS-Fuzz.
    - The integration definition files are placed in the [Speex](https://gitlab.xiph.org/xiph/speex/-/blob/master/contrib/oss-fuzz/speexdec_fuzzer.cc) and [OSS-Fuzz](https://github.com/google/oss-fuzz/tree/master/projects/speex) repositories.
    - [There are 13 bugs](https://bugs.chromium.org/p/oss-fuzz/issues/list?q=speex=1) between 2019 and 2021 that were maturely tackled by the maintainers.
- Build-Depends
  - It depends only on `libm` and `libc`.
- pre/post inst/rm scripts
  - N/A
- init scripts
  - N/A
- systemd units
  - N/A
- dbus services
  - N/A
- setuid binaries
  - N/A
- binaries in PATH
  - N/A
- sudo fragments
  - N/A
- polkit files
  - N/A
- udev rules
  - N/A
- unit tests / autopkgtests
  - There is no unit test for the whole codebase.
  - The encoding and decoding of the Speex code are tested in the 
previously-mentioned sibling codebase and OSS-Fuzz.
- cron jobs
  - N/A
- Build logs
  - N/A

- Processes spawned
  - N/A
- Memory management
  - The allocations take place for the members of the "states". These are 
internal structures, with multiple fields, that contain the current state of a 
given operation executed by the library.
  - The library defines wrappers over the standard memory management functions 
in its `libspeexdsp/os_support.h` file. These wrapper functions are called in 
all files where memory management is needed. The functions are properly called: 
if the library allocates a lot of members in an initialisation function (for 
example, `speex_preprocess_state_init`, which deals with allocating 
`SpeexPreprocessState` structures), it also frees them in another specialised 
function (to continue the preprocessor example, in the 
`speex_preprocess_state_destroy` function).
- File IO
  - Files are opened in:
    - `libspeexdsp/testecho.c`, which is a test program that has arguments corresponding to the files to be opened and written; and
    - `libspeexdsp/mdf.c`, in which the 3 file paths are hard-coded (for example, `aec_rec.sw`) and safely opened and written.
- Logging
  - The library logs static messages using functions defined in its 
`libspeexdsp/os_support.h`, such as `speex_warning` and `speex_notify`.
  - It also exports a logging-related function, `speex_resampler_strerror`, which 
deals with converting a resampling status code into a string.
- Environment variable usage
  - N/A
- Use of privileged functions
  - N/A
- Use of cryptography / random number sources etc
  - N/A
- Use of temp files
  - N/A
- Use of networking
  - N/A
- Use of WebKit
  - N/A
- Use of PolicyKit
  - N/A

- Any significant cppcheck results
  - `cppcheck` was run again with additional flags to include the headers.
    - No warning was generated.
    - The `cppcheck.manual.txt` file was additionally generated.
- Any significant Coverity results
  - Coverity reported two issues with possible security impact. Both are in the `update_filter` function from `resample.c`, but they were manually invalidated:
    - `st->num_rate/st->den_rate` cannot trigger a division by zero. `st->den_rate` is set in the function `speex_resampler_set_rate_frac` to the value of one argument of `update_filter`. The argument is checked in the prologue of the function to contain a value different from 0.
-
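The following is an added illustration, not code from speexdsp or from the reviewer: a cut-down model of the resampler state showing why the `num_rate/den_rate` division that Coverity flagged cannot divide by zero, and the init/destroy pairing the review describes. Every `model_` name, the `struct model_state` layout and the error code values are assumptions chosen for this example; only the argument check before the division and the allocate-in-init, free-in-destroy structure mirror what the review says about the real library.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model (not speexdsp's code) of the resampler state. The
 * error code values are chosen for this example. */
enum {
    MODEL_ERR_SUCCESS = 0,
    MODEL_ERR_ALLOC_FAILED = 1,
    MODEL_ERR_INVALID_ARG = 3
};

struct model_state {
    uint32_t in_rate;
    uint32_t out_rate;
    uint32_t num_rate;   /* reduced input/output ratio numerator */
    uint32_t den_rate;   /* reduced ratio denominator, never 0 once set */
    double   ratio;      /* num_rate / den_rate, recomputed by update_filter */
};

static uint32_t model_gcd(uint32_t a, uint32_t b)
{
    while (b != 0) {
        uint32_t t = a % b;
        a = b;
        b = t;
    }
    return a;
}

/* The division Coverity flagged in the real library. In this model it is
 * only reachable through model_set_rate_frac(), which refuses a zero
 * denominator before writing the state, so den_rate cannot be 0 here. */
static int model_update_filter(struct model_state *st)
{
    st->ratio = (double)st->num_rate / (double)st->den_rate;
    return MODEL_ERR_SUCCESS;
}

/* Prologue check: reject a zero numerator or denominator before any field
 * is modified, so a rejected call leaves the previous valid rates intact. */
static int model_set_rate_frac(struct model_state *st,
                               uint32_t ratio_num, uint32_t ratio_den,
                               uint32_t in_rate, uint32_t out_rate)
{
    if (ratio_num == 0 || ratio_den == 0)
        return MODEL_ERR_INVALID_ARG;
    uint32_t fact = model_gcd(ratio_num, ratio_den);
    st->in_rate = in_rate;
    st->out_rate = out_rate;
    st->num_rate = ratio_num / fact;
    st->den_rate = ratio_den / fact;
    return model_update_filter(st);
}

/* init/destroy pairing: everything allocated in model_state_init() is
 * released in model_state_destroy(), and a failed init frees its own
 * allocation instead of leaking it to the caller. */
static void model_state_destroy(struct model_state *st)
{
    free(st);
}

static struct model_state *model_state_init(uint32_t in_rate,
                                            uint32_t out_rate, int *err)
{
    struct model_state *st = calloc(1, sizeof *st);
    if (st == NULL) {
        if (err) *err = MODEL_ERR_ALLOC_FAILED;
        return NULL;
    }
    int rc = model_set_rate_frac(st, in_rate, out_rate, in_rate, out_rate);
    if (rc != MODEL_ERR_SUCCESS) {
        model_state_destroy(st);
        if (err) *err = rc;
        return NULL;
    }
    if (err) *err = MODEL_ERR_SUCCESS;
    return st;
}

int main(void)
{
    int err = 0;
    struct model_state *st = model_state_init(48000, 16000, &err);
    if (st == NULL)
        return 1;
    printf("reduced ratio %u/%u = %.3f\n", st->num_rate, st->den_rate, st->ratio);
    /* A zero denominator is rejected before update_filter() can run. */
    printf("set_rate_frac(5, 0) -> %d\n", model_set_rate_frac(st, 5, 0, 44100, 0));
    model_state_destroy(st);
    return 0;
}
```

The point of the model is the ordering: the argument check happens before any field of the state is written, so `den_rate` is either still its old non-zero value or the new non-zero value when `update_filter` divides. A checker that only sees `update_filter` in isolation reports the division because that invariant lives in the caller, which is why the review invalidated the finding by hand.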