I reviewed libwebp version 0.3.0-3 from saucy. This should not be considered a full security audit, but rather a quick gauge of code cleanliness.
- Package provides routines for lossy and lossless image encoding / decoding
- Build-deps are image processing libraries
- No daemons, no networking itself, no initscripts, no dbus services, no setuid, no sudo, no cron
- Two unprivileged binaries in /usr/bin, dwebp and cwebp, to encode and decode images
- Clean buildlogs
- No spawned subprocesses
- Careful memory management
- Very few file open()s, all in examples/, looked safe
- Logging looked safe, most is library code without logging
- No environment use
- No encryption
- No privileged portions of code
- No /tmp/ files
- No webkit, no JS

This code is extremely complicated in portions; depending upon the nature of potential security issues, we may be heavily reliant upon upstream for fixes. That said, the code is careful and well-written.

Security team ACK for including in main.

Thanks.

** Changed in: libwebp (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => (unassigned)

https://bugs.launchpad.net/bugs/1186553

Title: [MIR] libwebp