[MIR] woff2

Bug #1742743 reported by Jeremy Bícha
This bug affects 1 person

Affects              Status        Importance  Assigned to  Milestone
webkit2gtk (Ubuntu)  Fix Released  Undecided   Unassigned
woff2 (Ubuntu)       Fix Released  Undecided   Unassigned

Bug Description

Availability
============
Built for all supported architectures. In sync with Debian.

Rationale
=========
woff2 is a library maintained by Google to convert fonts from TTF to the woff2 format and decompress from woff2 to TTF. The WOFF 2.0 format uses the Brotli compression algorithm to compress fonts suitable for use in CSS @font-face rules. WOFF 2.0 is a W3C Candidate Recommendation. See the brotli MIR at LP: #1737053.

brotli and woff2 are libraries that are technically already in main because they are bundled in Firefox and webkit2gtk.

The next major stable release of webkit2gtk, 2.20, will be released in March. It drops those 2 bundled libraries. I think our options are basically
1) Bundle those libraries anyway, or
2) Approve this MIR, or
3) Drop support for the WOFF2 format in webkit2gtk

Security
========
I assume we want a security review here.

https://security-tracker.debian.org/tracker/source-package/woff2
https://launchpad.net/ubuntu/+source/woff2/+cve

Quality assurance
=================
- Ubuntu Desktop Bugs is subscribed.
- No test suite
- No autopkgtests

https://bugs.launchpad.net/ubuntu/+source/woff2
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=woff2
https://github.com/google/woff2/issues

Dependencies
============
The only universe binary dependency is brotli (LP: #1737053)

Standards compliance
====================
4.1.2, debhelper compat 10, dh7 simple rules

Maintenance
===========
Actively maintained:
https://github.com/google/woff2

Maintained by the Debian Fonts Team in Debian. It's a small team so it may need co-maintenance help from the Ubuntu Desktop team.

Other Info
==========
woff2 was only packaged in Debian and Ubuntu very recently.

webkit2gtk is managed similarly to Firefox and Chromium. So far, new releases are pushed to Ubuntu 16.04 LTS and newer as security updates, but the Ubuntu Security Team does not guarantee security support for webkit2gtk.

We are going to need to backport brotli and woff2 into main as security updates for 16.04 LTS and 17.10.

Packaging is at
https://salsa.debian.org/fonts-team/woff2/tree/debian/unstable/debian

Tags: bionic
Jeremy Bícha (jbicha)
tags: added: bionic
Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha)
description: updated
Revision history for this message
Didier Roche-Tolomelli (didrocks) wrote :

* you need to subscribe desktop-packages
* debian/copyright mentions the licence is Expat where it's distributed under the MIT license in the header (even if the LICENSE file is Expat). Probably something you should get clarified…
* I think dh_install --fail-missing is deprecated and you should use dh_missing instead.

Otherwise, the rest looks good to me, once we get those license clarifications.

I'm deferring for a security review to the security team

Jeremy Bícha (jbicha) wrote :

Desktop Packages is subscribed now.

According to the Debian copyright format 1.0, it is recommended to use "Expat" instead of MIT since MIT is imprecise. I verified that the license text is the same as Expat.

https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

This package is already using dh_missing. :)

Emily Ratliff (emilyr)
Changed in woff2 (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Chris Coulson (chrisccoulson) wrote :

I reviewed woff2 1.0.2-1 as checked in to cosmic. This isn't a full security audit, but rather a quick gauge of maintainability.

- woff2 is a library for decompressing WOFF2 font files to TTF, and is an implementation of the W3C spec (https://www.w3.org/TR/WOFF2/).
- No CVEs in our database.
- Build-Depends: cmake, debhelper, libbrotli-dev, pkg-config
- It is designed to process untrusted data from the web.

- Contains several binaries in PATH: woff2_info, woff2_compress, woff2_decompress

- Doesn't spawn any subprocesses.
- Uses a mixture of operator new[] and std::vector for allocating write buffers.
- Uses a convenience class (woff2::Buffer) for reading from memory buffers, designed to protect against out-of-bounds errors.
- Makes use of std::unique_ptr
- Doesn't open any files.
- Some logging via printf and fprintf.
- No environment variable use.
- No privileged code.
- No networking.
- No cryptography.
- No sql.
- Doesn't use temporary files.
- No webkit.

- Some cppcheck errors. The first 2 look bogus, and the remaining ones in woff2_enc.cc are struct members that are unused:
[src/font.cc:88]: (error) Uninitialized struct member: table.flavor
[src/font.cc:88]: (error) Uninitialized struct member: table.num_tables
[src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.checksum
[src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.offset
[src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.length
[src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.data
[src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.reuse_of
[src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.flag_byte
[src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.src_offset
[src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.dst_offset
[src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.dst_length
[src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.dst_data

- Build logs are mostly clean, but there is a compiler warning on 32-bit architectures:
/<<PKGBUILDDIR>>/src/woff2_dec.cc: In function ‘bool woff2::{anonymous}::ReadWOFF2Header(const uint8_t*, size_t, woff2::{anonymous}::WOFF2Header*)’:
/<<PKGBUILDDIR>>/src/woff2_dec.cc:1184:37: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 4 has type ‘size_t {aka unsigned int}’ [-Wformat=]
       src_offset, length, dst_offset);
                                     ^

The format identifier here should probably be %zu.

- No init scripts or systemd unit files.
- No dbus services.
- No setuid binaries.
- Doesn't call any privileged commands.
- No sudo fragments.
- No udev rules
- No cronjobs.

- There doesn't appear to be any standalone tests in the woff2 repository. woff2 support in Chrome (using the same library) has its own tests, but that's no use here.

woff2 is fairly small and well maintained upstream. As expected for something that processes untrusted data, it is programmed defensively against invalid input. It is already embedded inside Firefox and Chrome, and shouldn't be a maintenance burden.

Security team ACK for promoting woff2 to main.

Changed in woff2 (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
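As an added illustration of the point in the review above (not the woff2 project's own code): a bounds-checked reader in the same spirit as the woff2::Buffer convenience class, used to parse the fixed-size WOFF2 header from untrusted bytes. Every read checks that the requested bytes lie inside the supplied region, so a truncated or malformed file fails the parse instead of reading past the end of the buffer. The field layout follows the W3C WOFF2 header (signature, flavor, length, numTables, reserved, totalSfntSize, then further fields up to 48 bytes); the class and function names, the sample header builder, and the check that the declared length matches the supplied size are this example's own assumptions.

```cpp
// Added example (not woff2's own code): a bounds-checked reader in the spirit of
// the woff2::Buffer idea, parsing the fixed-size WOFF2 header from untrusted bytes.
// Field layout assumed from the W3C WOFF2 header; names are this example's own.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace example {

// Reads big-endian integers from a fixed memory region. Every read first
// checks that the requested bytes lie inside the region, so truncated or
// malformed input makes the read fail instead of touching memory past the end.
class BoundedReader {
 public:
  BoundedReader(const uint8_t* data, size_t length)
      : data_(data), length_(length), offset_(0) {}

  bool ReadU16(uint16_t* value) {
    if (!Available(2)) return false;
    *value = static_cast<uint16_t>((data_[offset_] << 8) | data_[offset_ + 1]);
    offset_ += 2;
    return true;
  }

  bool ReadU32(uint32_t* value) {
    if (!Available(4)) return false;
    *value = (static_cast<uint32_t>(data_[offset_]) << 24) |
             (static_cast<uint32_t>(data_[offset_ + 1]) << 16) |
             (static_cast<uint32_t>(data_[offset_ + 2]) << 8) |
             static_cast<uint32_t>(data_[offset_ + 3]);
    offset_ += 4;
    return true;
  }

  bool Skip(size_t n) {
    if (!Available(n)) return false;
    offset_ += n;
    return true;
  }

  size_t offset() const { return offset_; }

 private:
  // offset_ never exceeds length_, so the subtraction cannot wrap around.
  bool Available(size_t n) const { return n <= length_ - offset_; }

  const uint8_t* data_;
  size_t length_;
  size_t offset_;
};

constexpr uint32_t kWoff2Signature = 0x774F4632;  // the bytes 'wOF2'
constexpr size_t kWoff2HeaderSize = 48;            // fixed header length per spec

struct Woff2Header {
  uint32_t flavor;
  uint32_t length;
  uint16_t num_tables;
  uint32_t total_sfnt_size;
};

// Parses the leading header fields; returns false on any truncation or
// inconsistency so the caller never proceeds with half-read state.
bool ParseWoff2Header(const uint8_t* data, size_t length, Woff2Header* hdr) {
  BoundedReader r(data, length);
  uint32_t signature = 0;
  uint16_t reserved = 0;
  if (!r.ReadU32(&signature) || signature != kWoff2Signature) return false;
  if (!r.ReadU32(&hdr->flavor)) return false;
  if (!r.ReadU32(&hdr->length)) return false;
  if (!r.ReadU16(&hdr->num_tables)) return false;
  if (!r.ReadU16(&reserved)) return false;
  if (!r.ReadU32(&hdr->total_sfnt_size)) return false;
  // The remaining fields are not needed here, but the whole 48-byte header
  // must be present before any table directory parsing could begin.
  if (!r.Skip(kWoff2HeaderSize - r.offset())) return false;
  // Example's own consistency checks: the declared file length must match the
  // bytes actually supplied, and a font with no tables is not usable.
  if (hdr->length != length) return false;
  if (hdr->num_tables == 0) return false;
  return true;
}

// Builds a constructed 48-byte header for demonstration (not a real font file).
std::vector<uint8_t> MakeSampleHeader(uint32_t file_length, uint16_t num_tables) {
  std::vector<uint8_t> buf(kWoff2HeaderSize, 0);
  auto put32 = [&buf](size_t off, uint32_t v) {
    buf[off] = static_cast<uint8_t>(v >> 24);
    buf[off + 1] = static_cast<uint8_t>(v >> 16);
    buf[off + 2] = static_cast<uint8_t>(v >> 8);
    buf[off + 3] = static_cast<uint8_t>(v);
  };
  put32(0, kWoff2Signature);
  put32(4, 0x00010000);   // flavor: TrueType outlines
  put32(8, file_length);  // declared total length
  buf[12] = static_cast<uint8_t>(num_tables >> 8);
  buf[13] = static_cast<uint8_t>(num_tables);
  put32(16, 0x1000);      // totalSfntSize (arbitrary constructed value)
  return buf;
}

}  // namespace example
```

The reader fails closed: a header one byte short is rejected at the Skip, a wrong signature is rejected before any field is trusted, and the declared length is cross-checked against the real size, which is the kind of defensive handling the review expects from code that consumes web-delivered fonts.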
Jeremy Bícha (jbicha)
Changed in woff2 (Ubuntu):
status: New → Fix Committed
Jeremy Bícha (jbicha)
Changed in woff2 (Ubuntu):
status: Fix Committed → New
Changed in webkit2gtk (Ubuntu):
status: New → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Since this has an ACK from both MIR and security, marking Fix Committed.

Changed in woff2 (Ubuntu):
status: New → Fix Committed
Sebastien Bacher (seb128) wrote :

Override component to main
libwoff1 1.0.2-1 in cosmic amd64: universe/libs/optional/100% -> main
libwoff1 1.0.2-1 in cosmic arm64: universe/libs/optional/100% -> main
libwoff1 1.0.2-1 in cosmic armhf: universe/libs/optional/100% -> main
libwoff1 1.0.2-1 in cosmic i386: universe/libs/optional/100% -> main
libwoff1 1.0.2-1 in cosmic ppc64el: universe/libs/optional/100% -> main
libwoff1 1.0.2-1 in cosmic s390x: universe/libs/optional/100% -> main
Override [y|N]? y

Changed in woff2 (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webkit2gtk - 2.22.2-1ubuntu1

---------------
webkit2gtk (2.22.2-1ubuntu1) cosmic; urgency=medium

  * Enable woff2 support in Ubuntu too (LP: #1742743)

 -- Jeremy Bicha <email address hidden> Wed, 26 Sep 2018 20:37:46 -0400

Changed in webkit2gtk (Ubuntu):
status: Fix Committed → Fix Released