© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
I reviewed libbluray 1:1.3.2-1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
> Libbluray is an open-source library designed for Blu-Ray Discs playback for media players, like VLC or MPlayer.
Upstream: https:/
- CVE History:
- trivial
- CVE-2015-7810
- "libbluray MountManager class has a time-of-check time-of-use (TOCTOU) race when expanding JAR files"
- upstream never vulnerable with default build settings
- ./debian/
- see https:/
- Build-Depends?
- ld-linux-
- libbluray.so.2
- libbrotlicommon
- libbrotlidec.so.1
- libc.so.6
- libexpat.so.1
- libfontconfig.so.1
- libfreetype.so.6
- libgcc_s.so.1
- libicudata.so.70
- libicuuc.so.70
- liblzma.so.5
- libm.so.6
- libpng16.so.16
- libstdc++.so.6
- libudfread.so.0
- libuuid.so.1
- libxml2.so.2
- libz.so.1
- linux-vdso.so.1
- pre/post inst/rm scripts?
- none
- init scripts?
- none
- systemd units?
- none
- dbus services?
- none
- setuid binaries?
- none
- binaries in PATH?
- ./usr/bin/bd_info
- ./usr/bin/
- ./usr/bin/bd_splice
- sudo fragments?
- none
- polkit files?
- none
- udev rules?
- none
- unit tests / autopkgtests?
- MISSING !!!
- cron jobs?
- none
- Build logs:
- clean logs--lgtm
- Processes spawned?
- mutex.c defines <pthread.h> initialization, locking and destruction
- use of Xlets
- Memory management?
- heavy memory use
- ~300 uses of memcpu, strcpy, sprintf, calloc, etc outside of build/documentation
- what I examined looked okay
- see cppcheck results below
- File IO?
- heavy IO use
- functions defined mostly in src/file/* and bluray.c
- paths are being checked
- Logging?
- heavy logging use
- many debug/error messages (+1500)
- log overflows possible
- xine, java, and rest of codebase use different logging methods
- see logging.c
- Environment variable usage?
- sanitized
- see dirs_xdg.c and strutl.h
- Use of privileged functions?
- yes, in Java
- import java.security.
- primarily defined in BDJSecurityMana
- Use of cryptography / random number sources etc?
- no, only video codecs
- Use of temp files?
- CacheDir.java defines CacheDir object used by other Java files.
- Use of networking?
- socket use appears to be locked to "bd://"
- Use of WebKit?
- none
- Use of PolicyKit?
- none
- any significant cppcheck results? (checked C)
- memleakOnRealloc in bd_info
- https:/
- nb: src/examples/
- any significant Coverity results? (checked C and Java)
- null dereferences in asm's MethodWriter.java and ClassReader.java
- e.g., ClassReader.
- usage of large stack frame often
- +32k frame allocations
- e.g., disc.c:
- none of installed /usr/bin/ have -fstack-
- /usr/bin/
- any signficant flawfinder results? (checked C)
- 338 total hits
- what I checked were false positives
- Evangelion's "org.videolan.
- src/libbluray/
- ReplaceMethodPa
- "Implement overriding method calls in Xlets"
- use of this class must be monitored tightly future misuse
- relevant commits are 1ce479c1cfa1dfd
- After examination and conferring with other Security Members this code appears to be safe and works as commented
This is a complex codebase which uses low level C and Java. It contains third party projects and libraries. There is heavy use of memory, IO, & logging.
Security team cautiously ACK for promoting libbluray to main on the strict conditions that (1) autopkgtests and build tests are added as suggested by @paslzer (2) add test to check if instances of ReplaceMethodPa