I reviewed libfreeaptx 0.1.1-1ubuntu1 as checked into kinetic.  This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

libfreeaptx is an implementation of the audio processing technology
(aptX) codec. It is a fork of the libopenaptx library (which is in
universe) - the fork was done since the most recent version of
libopenaptx (0.2.1) now has an incompatible license and so this is a
fork of the 0.2.0 version with a real license.

- No CVE History
- No Build-Depends
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- 2 binaries in PATH from freeaptx-utils binary package
  - -rwxr-xr-x root/root     14648 2022-05-20 22:53 ./usr/bin/freeaptxdec
  - -rwxr-xr-x root/root     14648 2022-05-20 22:53 ./usr/bin/freeaptxenc
  - utils to read / write raw 24-bit signed stereo samples from / to aptX via stdin/stdout
- No sudo fragments
- No polkit files
- No udev rules
- No unit tests
- 3 simple autopkgtests
  - build test compiles a very simple C program using libfreeaptx to check headers / pkg-config files are installed correctly
  - 2 other tests use freeaptxenc to encode a raw sample to aptX and then decode it again in both regular and HD
- No cron jobs
- Build logs are quite clean

- No processes spawned
- No dynamic memory management other than allocating a structure on the heap to store context for the session
  - Otherwise uses buffers provided by the caller and appears to be quite good at checking buffer lengths etc to not overflow them
- No file IO
- Logging is only done in CLI based enc/dec tools and is careful not to have potential format string vulnerabilities
- No environment variable usage
- No use of privileged functions
- No use of cryptography / random number sources etc
- No use of temp files
- No use of networking
- No use of WebKit
- No use of PolicyKit

- No significant cppcheck results
- No significant Coverity results
- No significant shellcheck results

libfreeaptx looks like pretty decent code - it is small and doesn't do
anything fancy with memory management and appears quite defensive in how
it checks buffer lengths etc. The biggest issue I have with this package
is the lack of unit tests for the code, which will make it hard to
verify that any future changes don't inadvertently break it. Lack of
these is annoying, but the upstream repo doesn't contain them either, nor
does libopenaptx, so this is not a blocker.

Security team ACK for promoting libfreeaptx to main.

** Changed in: libfreeaptx (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1971767

Title:
  [MIR] libfreeaptx

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libfreeaptx/+bug/1971767/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
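The review above credits libfreeaptx with two defensive properties: the codec works only on caller-supplied buffers and checks their lengths before writing, and the CLI tools never let user-controlled text become a printf format string. The following is an added illustration of those two API habits, not code from libfreeaptx or the MIR; the `demo_*` names are hypothetical and the "encoder" only folds bytes together as a placeholder for real aptX compression. What it does keep is aptX's frame geometry (24 bytes of 24-bit stereo PCM in, 4 bytes out, or 6 bytes for aptX HD), so that the length checks have realistic sizes: the function consumes whole input frames only, emits whole output frames only, stops as soon as either buffer cannot hold another frame, and reports both how much it read and how much it wrote.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* aptX frame geometry: 4 stereo samples of 24-bit PCM (4 * 2 * 3 = 24 bytes)
 * become one 4-byte aptX frame, or a 6-byte aptX HD frame. */
#define PCM_FRAME_BYTES     24
#define APTX_FRAME_BYTES     4
#define APTX_HD_FRAME_BYTES  6

/* Session context: the one object a real codec keeps on the heap. Here the
 * caller simply owns it on the stack; the demo allocates nothing. */
struct demo_ctx {
    int hd;          /* nonzero selects the 6-byte HD frame size */
    size_t frames;   /* frames produced so far, for the caller's bookkeeping */
};

/* Placeholder "encoder" (hypothetical, not libfreeaptx's aptx_encode):
 * reads whole PCM frames from `in`, writes whole aptX-sized frames to `out`,
 * never touching out[out_len] or beyond. Returns the number of input bytes
 * consumed; *written receives the number of output bytes produced. Partial
 * trailing input is left for the caller to carry into the next call. */
size_t demo_encode(struct demo_ctx *ctx,
                   const unsigned char *in, size_t in_len,
                   unsigned char *out, size_t out_len, size_t *written)
{
    const size_t out_frame = ctx->hd ? APTX_HD_FRAME_BYTES : APTX_FRAME_BYTES;
    size_t consumed = 0;

    *written = 0;
    if (in == NULL || out == NULL)
        return 0;

    /* Both remaining-space checks are done before any byte is written. */
    while (in_len - consumed >= PCM_FRAME_BYTES &&
           out_len - *written >= out_frame) {
        unsigned char *dst = out + *written;
        memset(dst, 0, out_frame);
        /* Placeholder transform: XOR-fold the 24 PCM bytes into the frame. */
        for (size_t i = 0; i < PCM_FRAME_BYTES; i++)
            dst[i % out_frame] ^= in[consumed + i];
        consumed += PCM_FRAME_BYTES;
        *written += out_frame;
        ctx->frames++;
    }
    return consumed;
}

/* Logging the way the review describes the CLI tools doing it: any text that
 * may come from the user (a file name, a message) is passed as an argument to
 * a fixed format string, never used as the format string itself. */
void demo_log(const char *source, const char *msg)
{
    fprintf(stderr, "%s: %s\n", source, msg);
}

/* Self-check of the length handling with constructed input: 50 PCM bytes
 * (two full frames plus 2 leftover bytes) and room for only one non-HD
 * frame. Expected: 24 bytes consumed, 4 written, guard bytes untouched.
 * Returns 1 when the behaviour holds, 0 otherwise. */
int demo_selftest(int hd)
{
    struct demo_ctx ctx = { hd, 0 };
    unsigned char in[50];
    unsigned char out[8];
    size_t written = 0;
    const size_t want_frame = hd ? APTX_HD_FRAME_BYTES : APTX_FRAME_BYTES;

    for (size_t i = 0; i < sizeof in; i++)
        in[i] = (unsigned char)(i * 7);       /* constructed sample data */
    memset(out, 0xAA, sizeof out);            /* 0xAA beyond out_len is the guard */

    size_t consumed = demo_encode(&ctx, in, sizeof in, out, 6, &written);

    if (consumed != PCM_FRAME_BYTES || written != want_frame || ctx.frames != 1)
        return 0;
    if (out[6] != 0xAA || out[7] != 0xAA)     /* bytes past out_len must survive */
        return 0;
    return 1;
}

int main(void)
{
    demo_log("demo", "running buffer-length self-check");
    printf("aptX: %s, aptX HD: %s\n",
           demo_selftest(0) ? "ok" : "FAIL",
           demo_selftest(1) ? "ok" : "FAIL");
    return 0;
}
```

The point of the shape is that the caller can hand over an output buffer of any size, including one too small for a single frame, and the function degrades to "consumed nothing, wrote nothing" rather than to an overflow; a real stream processor loops, feeding back the unconsumed tail.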
