[MIR] libtrio

Bug #1471465 reported by Till Kamppeter
This bug affects 1 person
Affects: libtrio (Ubuntu)
Status: Invalid
Importance: High
Assigned to: Ubuntu Security Team

Bug Description

[Availability]

libtrio is already available in Universe and builds for all supported architectures in Wily.

[Rationale]

libtrio is needed by the current version of Ghostscript (9.16), which is an essential part of the printing stack in Main. Ghostscript contains copies of all libraries it needs, but we want to use the libraries from the system's packages so as not to duplicate source code, which makes security updates more difficult and wastes space.

[Security]

No open or solved security issues or CVEs found.

This is a standard library package consisting of a binary package for the library itself and a -dev package. The files contained are only the usual *.so*, *.a, and *.h files, no SUID, SGID, /usr/sbin/*, daemons, does not listen on any port.

[Quality assurance]

Simple, straight library package, no direct user interaction, no UI or GUI, contains only the usual *.so*, *.a, and *.h files. API is documented in the -dev package.

No debconf questions asked during install.

Only one Ubuntu bug, no open Debian bugs.

Package is maintained, there are regular package uploads. Upstream version is the current one.

watch file is included.

[Dependencies]

Nothing special, only standard build tools which are in Main.

[Standards compliance]

Library package packaged following the standards for libraries. No UI/GUI.

[Maintenance]

Regular uploads by the package maintainer. Current package upstream version is the actually current upstream version.

[Background information]

Package is an improved replacement for printf(), used by current Ghostscript.

Package is in Main in Debian.

Changed in libtrio (Ubuntu):
importance: Undecided → High
Michael Terry (mterry) wrote :

This looks mostly OK from a packaging point of view. Has nice symbols files, runs tests, no delta, etc.

- Bug 1371782 should be fixed, eh?
- It needs a team bug subscriber.
- It needs a security lookover. A printf replacement library screams 'buffer overflows' to me.

Changed in libtrio (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
status: New → Incomplete
Till Kamppeter (till-kamppeter) wrote :

Bug 1371782 looks easy to fix. I would fix it if libtrio makes it into main, otherwise Ghostscript continues with its own libtrio, which is most probably built with -lm as the rest of Ghostscript is built with -lm.

Not having it in main, Ghostscript continues with its own libtrio, with Ghostscript developers taking care of security on the parts Ghostscript actually uses, and other packages do not use it as it is not generally available as a development library in main.

Till Kamppeter (till-kamppeter) wrote :

Uploaded libtrio_1.16+dfsg1-3ubuntu1 with the fix for bug 1371782. Please wait for this version to appear in Universe and do the security audit with this version then.

Till Kamppeter (till-kamppeter) wrote :

libtrio_1.16+dfsg1-3ubuntu1 now available in Universe.

Changed in libtrio (Ubuntu):
status: Incomplete → Confirmed
Till Kamppeter (till-kamppeter) wrote :

Ghostscript 9.18 does not use libtrio any more, so I do not need libtrio in Main any more and therefore I am closing this bug. I will start with syncing Ghostscript from Debian beginning with Ghostscript 9.18 then, in the Ubuntu X 16.04 release.

If someone needs libtrio in Main for something else, please re-open this bug.

Changed in libtrio (Ubuntu):
status: Confirmed → Invalid