[MIR] libcue

Bug #1770871 reported by Jeremy Bicha on 2018-05-12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libcue (Ubuntu)

Bug Description

Built for all supported architectures. In sync with Debian.

The Ubuntu Desktop team intends to include tracker by default in Ubuntu 18.10. tracker recommends tracker-miner-fs which depends on tracker-extract which has an optional dependency on libcue to handle metadata for CD music/audio tracks.

libcue was previously in Ubuntu main (until April 2015 I believe) so I'm hoping for fast-track processing. The previous MIR was LP: #641339

No known security issues


Quality assurance
- Please subscribe Ubuntu Desktop Packages.


Tests are run during the build.
No autopkgtests.

No binary universe dependencies

Standards compliance
4.1.4, dh compat 11, dh7 style simple rules




Jeremy Bicha (jbicha) on 2018-05-12
description: updated
Jeremy Bicha (jbicha) on 2018-05-12
description: updated
Jeremy Bicha (jbicha) on 2018-05-13
description: updated
Jeremy Bicha (jbicha) on 2018-05-14
description: updated
Matthias Klose (doko) wrote :

this looks ok, still pending:

 - bug subscriber
 - tracker-miners MIR

Changed in libcue (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for libcue (Ubuntu) because there has been no activity for 60 days.]

Changed in libcue (Ubuntu):
status: Incomplete → Expired
Jeremy Bicha (jbicha) on 2018-08-07
Changed in libcue (Ubuntu):
status: Expired → Incomplete
Changed in libcue (Ubuntu):
status: Incomplete → Expired
Jeremy Bicha (jbicha) on 2018-10-07
Changed in libcue (Ubuntu):
status: Expired → Incomplete
Iain Lane (laney) wrote :

I'll reset this back to New, because I would like to upload Nautilus depending on tracker soon. This is something we should do towards the start of a cycle.

Changed in libcue (Ubuntu):
status: Incomplete → New
importance: Undecided → Medium
Iain Lane (laney) wrote :

If the previous MIR can be used to promote this to main again, please just let us know.

Matthias Klose (doko) wrote :

this looks ok from the packaging side.
It's a little bit odd that the package is orphaned in Debian, and now pulled into main.

assigning to the security team for a review (parsing external data)

Changed in libcue (Ubuntu):
status: New → Confirmed
Jeremy Bicha (jbicha) on 2018-11-28
Changed in libcue (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Alex Murray (alexmurray) wrote :

I reviewed libcue (2.2.1-2) from disco. This is not a full security audit but
rather a quick gauge of maintainability.

libcue is a library to parse CUE sheets / files (metadata which describes how
tracks of a CD or DVD are laid out). They are stored as plain text and commonly have
the .cue extension. Parsed via flex / bison.

- Build dependencies:
  - bison, cmake, debhelper-compat, flex

- No CVE history

- no pre or postinst scripts
- no systemd unit files
- no system dbus services
- no setuid files
- no binaries in PATH
- no sudo fragments
- no udev rules
- tests run during the build, seems reasonably extensive
- no cron jobs
- clean build log other than warning regarding possible buffer overflow in
  time_frame_to_mmssff() - see below

- doesn't spawn other processes
- memory management looked careful
- file IO - reads from FILE* via flex, doesn't directly open files
- minimal logging, looked fine
- no environment variables used
- no ioctl() or other privileged syscalls
- Does not use cryptography
- Does not use DBus
- Does not use webkit
- Does not use temporary files
- Does not use javascript
- No cppcheck errors
- Does not use polkit

- Potential for signed integer overflow in time_msf_to_frame() if time is negative
- Potential for buffer overflow in time_frame_to_mmssff() if time is negative
  - Both would be fixed if time was treated everywhere as an unsigned quantity
    rather than signed integral types (int/long)

- ACK from security team to promote to main.

Changed in libcue (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
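The two findings in the review above (signed integer overflow in time_msf_to_frame() and a buffer overflow in time_frame_to_mmssff() when the time is negative, both avoided by treating time as unsigned) are easier to see with concrete numbers. The following is an added example written for this page; it is not libcue's source and the function names, the MAX_MINUTES bound and the sample frame counts are assumptions. It contrasts a signed "mm:ss:ff" formatter, which only measures how many characters it would emit so nothing is actually overrun, with an unsigned, range-checked variant. It also shows the same fixed-width formatting failing for 100 minutes and up, which is the positive-side instance of the same class.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* CD-DA timing: 75 frames per second, MSF = minutes:seconds:frames.
 * Both function sets below are illustrative reconstructions written for
 * this note, not libcue's own source. */
#define FRAMES_PER_SEC 75UL
#define FRAMES_PER_MIN (60UL * FRAMES_PER_SEC)

/* Fixed-size "mm:ss:ff" target: 8 characters plus the NUL terminator. */
#define MMSSFF_LEN 9

/* ---- Signed sketch: the pattern the review warns about --------------- */

/* Number of characters a signed "%02d:%02d:%02d" formatter emits for the
 * given frame count, computed with snprintf(NULL, 0, ...) so nothing is
 * written. Anything above MMSSFF_LEN - 1 would overrun a 9-byte buffer if
 * the real code used sprintf(); with snprintf() it is silently truncated
 * into a wrong timestamp instead. Negative frames give negative m/s/f
 * (C division truncates toward zero), so the '-' signs widen every field. */
int signed_mmssff_len(long frame)
{
    long m = frame / (long)FRAMES_PER_MIN;
    long s = (frame / (long)FRAMES_PER_SEC) % 60;
    long f = frame % (long)FRAMES_PER_SEC;
    return snprintf(NULL, 0, "%02ld:%02ld:%02ld", m, s, f);
}

/* ---- Hardened variant: unsigned quantities plus explicit range checks --- */

/* Upper bound for the minutes field. Chosen here because "mm" is a
 * two-digit field; an assumption of this example, not a libcue constant. */
#define MAX_MINUTES 99UL

/* Convert m:s:f to an absolute frame count. Every operand is unsigned and
 * bounded before multiplication, so no signed overflow is possible and an
 * out-of-range field is reported instead of wrapping. */
bool msf_to_frame_checked(unsigned long m, unsigned long s, unsigned long f,
                          unsigned long *out)
{
    if (m > MAX_MINUTES || s >= 60 || f >= FRAMES_PER_SEC)
        return false;
    *out = m * FRAMES_PER_MIN + s * FRAMES_PER_SEC + f;
    return true;
}

/* Format a frame count as "mm:ss:ff" into a caller-supplied buffer.
 * Returns the number of characters written, or -1 if the minutes field
 * would not fit two digits or the buffer is too small. */
int frame_to_mmssff_checked(unsigned long frame, char *buf, size_t len)
{
    unsigned long m = frame / FRAMES_PER_MIN;
    unsigned long s = (frame / FRAMES_PER_SEC) % 60;
    unsigned long f = frame % FRAMES_PER_SEC;
    if (m > MAX_MINUTES)
        return -1;
    int n = snprintf(buf, len, "%02lu:%02lu:%02lu", m, s, f);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Convenience wrapper using the fixed 9-byte buffer the review discusses. */
int mmssff_fits(unsigned long frame)
{
    char buf[MMSSFF_LEN];
    return frame_to_mmssff_checked(frame, buf, sizeof buf);
}

/* Round trip m:s:f -> frame -> "mm:ss:ff" and compare with the expected
 * text; false if either direction rejects the input. */
bool roundtrip_ok(unsigned long m, unsigned long s, unsigned long f)
{
    unsigned long frame;
    char buf[MMSSFF_LEN], want[MMSSFF_LEN];
    if (!msf_to_frame_checked(m, s, f, &frame))
        return false;
    if (frame_to_mmssff_checked(frame, buf, sizeof buf) < 0)
        return false;
    snprintf(want, sizeof want, "%02lu:%02lu:%02lu", m, s, f);
    return strcmp(buf, want) == 0;
}

int main(void)
{
    /* Constructed inputs: a valid index (05:30:10), a negative count,
     * and exactly 100 minutes. */
    printf("signed len for frame 24760:   %d\n", signed_mmssff_len(24760));
    printf("signed len for frame -100000: %d (exceeds %d-byte buffer)\n",
           signed_mmssff_len(-100000), MMSSFF_LEN);
    printf("signed len for frame 450000:  %d\n", signed_mmssff_len(450000));
    printf("checked 450000 -> %d (rejected)\n", mmssff_fits(450000));
    printf("roundtrip 05:30:10 -> %s\n", roundtrip_ok(5, 30, 10) ? "ok" : "fail");
    return 0;
}
```

A frame count of -100000 decomposes to -22:-13:-25 and needs 11 characters, three more than an "mm:ss:ff" buffer holds; a count of -1 still fits ("00:00:-1") but is not a valid timestamp, which is why the checked version rejects the input rather than relying on field width. The same fixed width breaks at 100 minutes, so the hardened formatter bounds the minutes field and checks the snprintf() return value instead of trusting the buffer size.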
Sebastien Bacher (seb128) wrote :

libcue 2.2.1-2 in disco: universe/libs -> main

Changed in libcue (Ubuntu):
status: Confirmed → Fix Released