I reviewed librevenge version 0.0.1-1 as checked into utopic. This shouldn't be considered a full security audit, rather a quick gauge of code quality.
- librevenge provides interfaces for document import filters
- Build-Depends: autotools-dev, dh-autoreconf, debhelper, libboost-dev, libboost-filesystem-dev, libcppunit-dev, pkg-config, zlib1g-dev
- No networking
- No cryptography
- Does not daemonize
- No maintainer scripts
- No initscripts
- No dbus
- No setuid
- No binaries in bin/
- No udev rules
- Test suite run during build
- No cronjobs
- Build logs clean
- No subprocesses spawned
- Memory management is mixed; some C, some 'new' and 'delete'
- File IO is under control of callers
- No logging
- No environment variables
- No privileged portions of code
- No temporary files
- No webkit
- Clean cppcheck
- No PolicyKit

librevenge's code quality is mixed; most looks average, but obvious opportunities for code cleanup have been overlooked and there are more type casts than usual. The library seems to lack a clear vision of what primitive data types it uses and why it uses them. I suspect as this library matures we'll have a potentially larger maintenance burden than usual as a result of code cleanups.

Security team ACK for promoting librevenge to main.

Thanks

** Changed in: librevenge (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => (unassigned)

https://bugs.launchpad.net/bugs/1328194
Title: [MIR] librevenge