I reviewed papers 48~beta-3ubuntu1 as checked into plucky. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
papers is a document viewer for the GNOME desktop.
- CVE History
  - Evince had a few CVEs, the last being from 2023. The list does not look
    concerning.
- Build-Depends
  - 203 vendored crates in debian/missing-sources/
  - many of those crates have dependencies that I was not able to find
    vendored, or any reference in the build log.
- pre/post inst/rm scripts
  - only AppArmor
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
    -rwxr-xr-x root/root 7121616 2025-02-19 00:48 ./usr/bin/papers
    -rwxr-xr-x root/root 47712 2025-02-19 00:48 ./usr/bin/papers-previewer
    -rwxr-xr-x root/root 18904 2025-02-19 00:48 ./usr/bin/papers-thumbnailer
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - no tests are run at build time.
  - has autopkgtests
- cron jobs
  - none
- Build logs
  - some deprecation warnings:
    - libview/pps-annotation-window.c:235:25: warning:
      ‘gdk_x11_surface_set_skip_taskbar_hint’ is deprecated
    - DeprecationWarning: glob.glob1 is deprecated
    - DeprecationWarning: glob.glob1 is deprecated
    - Warning: program compiled against libxml 212 using older 209
- Processes spawned
  - none (only considering papers)
- Memory management
  - none
- File IO
  - none (only considering papers)
- Logging
  - none (only considering papers)
- Environment variable usage
  - none (only considering papers)
- Use of privileged functions
  - none
- Use of cryptography / random number sources etc
  - none
- Use of temp files
  - none (only considering papers)
- Use of networking
  - none (only considering papers)
- Use of WebKit
  - none
- Use of PolicyKit
  - none
- Any significant cppcheck results
  - none
- Any significant Coverity results
  - none
- Any significant shellcheck results
  - none
- Any significant bandit results
  - none
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none
This package comes with 203 vendored crates, of which 51 use unsafe {} Rust
blocks.
Some dependencies are unmaintained:
- The vendored crate anstyle-parse depends on 'difference', which seems to be
  unmaintained. The last upstream commit was 7 years ago. (difference is present
  in the Cargo.lock file)
- A few vendored crates depend on atty, which is unmaintained as of Jul 18,
  2024. (atty is present in the Cargo.lock file). See
  https://github.com/softprops/atty/commit/5bfdbe9e48c6ca6a4909e8d5b04f5e843a257e93.
- The vendored crate "winnow" depends on "instant", which is unmaintained.
  (instant is present in the Cargo.lock file). See
  https://crates.io/crates/instant.
Can we verify where those dependencies are being pulled from?
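One way to answer that question from the Cargo.lock file itself, as an added example that is not part of the review or of the papers project: a std-only Rust walk over the [[package]] entries that reports which crates pull a flagged name in, directly or transitively. The lock-file text embedded below is constructed for the example (it only mirrors the review's claims, anstyle-parse -> difference and clap -> atty) and is not the lock file shipped with papers; the function names are hypothetical.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Constructed sample in Cargo.lock v3 layout; NOT the lock file shipped with
/// papers. It mirrors the review's claims (anstyle-parse -> difference,
/// clap -> atty) so the reverse-dependency walk has something to find.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "anstyle-parse"
version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "difference",
 "utf8parse",
]

[[package]]
name = "atty"
version = "0.2.14"
dependencies = [
 "libc",
]

[[package]]
name = "clap"
version = "3.2.25"
dependencies = [
 "atty",
]

[[package]]
name = "difference"
version = "2.0.0"

[[package]]
name = "libc"
version = "0.2.150"

[[package]]
name = "papers"
version = "48.0.0"
dependencies = [
 "anstyle-parse",
 "clap",
]

[[package]]
name = "utf8parse"
version = "0.2.1"
"#;

/// Crate name from one dependency entry: `"atty",` or `"atty 0.2.14 (registry+...)",`.
fn dep_name(item: &str) -> Option<String> {
    let s = item.trim().trim_end_matches(',').trim_matches('"');
    s.split_whitespace().next().map(|n| n.to_string())
}

/// Std-only parser for the [[package]] entries of a Cargo.lock file.
/// Returns crate name -> names of the crates it depends on.
pub fn parse_cargo_lock(text: &str) -> BTreeMap<String, BTreeSet<String>> {
    let mut graph: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    let mut current: Option<String> = None;
    let mut in_deps = false;

    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            current = None;
            in_deps = false;
        } else if in_deps {
            if line.starts_with(']') {
                in_deps = false;
            } else if let (Some(pkg), Some(dep)) = (current.as_ref(), dep_name(line)) {
                graph.entry(pkg.clone()).or_default().insert(dep);
            }
        } else if let Some(rest) = line.strip_prefix("name = ") {
            let name = rest.trim_matches('"').to_string();
            graph.entry(name.clone()).or_default();
            current = Some(name);
        } else if line.starts_with("dependencies = [") {
            // cargo writes one dependency per line; the closing bracket ends the list
            in_deps = !line.ends_with(']');
        }
    }
    graph
}

/// Crates that list `target` directly in their dependencies.
pub fn direct_dependents(graph: &BTreeMap<String, BTreeSet<String>>, target: &str) -> BTreeSet<String> {
    graph
        .iter()
        .filter(|(_, deps)| deps.contains(target))
        .map(|(name, _)| name.clone())
        .collect()
}

/// Every crate that pulls `target` in, directly or through other crates.
pub fn transitive_dependents(graph: &BTreeMap<String, BTreeSet<String>>, target: &str) -> BTreeSet<String> {
    let mut seen = BTreeSet::new();
    let mut queue = vec![target.to_string()];
    while let Some(cur) = queue.pop() {
        for parent in direct_dependents(graph, &cur) {
            if seen.insert(parent.clone()) {
                queue.push(parent);
            }
        }
    }
    seen
}

fn main() {
    let graph = parse_cargo_lock(SAMPLE_LOCK);
    for flagged in ["difference", "atty", "instant"] {
        let chain = transitive_dependents(&graph, flagged);
        if chain.is_empty() {
            println!("{flagged}: not pulled in by any crate in this lock file");
        } else {
            println!("{flagged}: pulled in by {:?}", chain);
        }
    }
}
```

Run against the real debian/missing-sources Cargo.lock, an empty result for a flagged crate means the lock file does not reference it at all, while a non-empty chain names the vendored crates whose maintainers would need to drop or replace the dependency.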
The package has an AppArmor profile at debian/apparmor-profile. This
profile uses the deprecated '#include <foo>' syntax to include
abstractions. Is it possible to update it to the 'include <foo>' syntax?
There are a few FIXMEs in the code. These are likely known errors or
pending tasks.
The software falls back to http:// for any URL that starts with "www".
Why not https? See ./shell/src/document_view/signals.rs:205 and
./shell/src/window.rs:1144.
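To make the point concrete, here is an added example (not the project's code, and not a copy of the lines cited above) showing the weak scheme-completion pattern beside a hardened one that defaults a schemeless "www." link to https://. Function names are hypothetical; the inputs in main are constructed.

```rust
/// Weak form, mirroring the pattern the review questions: a schemeless
/// "www." link is completed with plain http://. Kept only for comparison.
/// (Hypothetical code, not the project's implementation.)
pub fn complete_url_weak(link: &str) -> String {
    let link = link.trim();
    if link.starts_with("www.") {
        format!("http://{link}")
    } else {
        link.to_string()
    }
}

/// Hardened form: a schemeless "www." link defaults to https://, so the
/// link is opened over TLS unless the document author explicitly wrote
/// http://. An existing scheme is left untouched; the host check is
/// case-insensitive so "WWW." is handled the same way.
pub fn complete_url(link: &str) -> String {
    let link = link.trim();
    let has_scheme = link.contains("://");
    if !has_scheme && link.to_ascii_lowercase().starts_with("www.") {
        format!("https://{link}")
    } else {
        link.to_string()
    }
}

fn main() {
    // constructed inputs for the comparison
    for link in ["www.example.org/paper.pdf", "WWW.example.org", "http://www.example.org"] {
        println!(
            "{} -> weak: {} | hardened: {}",
            link,
            complete_url_weak(link),
            complete_url(link)
        );
    }
}
```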
Since this is a fork of evince, much of the code present in this package
is already in main.
Security team ACK for promoting papers to main
** Changed in: papers (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2097727
Title:
[MIR] papers
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/papers/+bug/2097727/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs