[MIR] libcue

Bug #1770871 reported by Jeremy Bicha on 2018-05-12
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libcue (Ubuntu)
Medium
Unassigned

Bug Description

Availability
============
Built for all supported architectures. In sync with Debian.

Rationale
=========
The Ubuntu Desktop team intends to include tracker by default in Ubuntu 18.10. tracker recommends tracker-miner-fs which depends on tracker-extract which has an optional dependency on libcue to handle metadata for CD music/audio tracks.

libcue was previously in Ubuntu main (until April 2015 I believe) so I'm hoping for fast-track processing. The previous MIR was LP: #641339

Security
========
No known security issues

https://security-tracker.debian.org/tracker/source-package/libcue
https://launchpad.net/ubuntu/+source/libcue/+cve

Quality assurance
=================
- Please subscribe Ubuntu Desktop Packages.

https://bugs.launchpad.net/ubuntu/+source/libcue
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libcue
https://github.com/lipnitsk/libcue/issues

Tests are run during the build.
No autopkgtests.

Dependencies
============
No binary universe dependencies

Standards compliance
====================
4.1.4, dh compat 11, dh7 style simple rules

Maintenance
===========
Orphaned.

https://salsa.debian.org/debian/libcue

upstream:
https://github.com/lipnitsk/libcue

Jeremy Bicha (jbicha) on 2018-05-12
description: updated
Jeremy Bicha (jbicha) on 2018-05-12
description: updated
Jeremy Bicha (jbicha) on 2018-05-13
description: updated
Jeremy Bicha (jbicha) on 2018-05-14
description: updated
Matthias Klose (doko) wrote :

this looks ok, still pending:

 - bug subscriber
 - tracker-miners MIR

Changed in libcue (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for libcue (Ubuntu) because there has been no activity for 60 days.]

Changed in libcue (Ubuntu):
status: Incomplete → Expired
Jeremy Bicha (jbicha) on 2018-08-07
Changed in libcue (Ubuntu):
status: Expired → Incomplete
Changed in libcue (Ubuntu):
status: Incomplete → Expired
Jeremy Bicha (jbicha) on 2018-10-07
Changed in libcue (Ubuntu):
status: Expired → Incomplete
Iain Lane (laney) wrote :

I'll reset this back to New, because I would like to upload Nautilus depending on tracker soon. This is something we should do towards the start of a cycle.

Changed in libcue (Ubuntu):
status: Incomplete → New
importance: Undecided → Medium
Iain Lane (laney) wrote :

If the previous MIR can be used to promote this to main again, please just let us know.

Matthias Klose (doko) wrote :

this looks ok from the packaging side.
It's a little bit odd that the package is orphaned in Debian, and now pulled into main.

assigning to the security team for a review (parsing external data)

Changed in libcue (Ubuntu):
status: New → Confirmed
Jeremy Bicha (jbicha) on 2018-11-28
Changed in libcue (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Alex Murray (alexmurray) wrote :

I reviewed libcue (2.2.1-2) from disco. This is not a full security audit but
rather a quick gauge of maintainability.

libcue is a library to parse CUE sheets / files (metadata which describes how
tracks of a CD or DVD are layed out). Stored as plain text and commonly have
the .cue extension. Parsed via flex / bison.

- Build dependencies:
  - bison, cmake, debhelper-compat, flex

- No CVE history

- no pre or postinst scripts
- no systemd unit files
- no system dbus services
- no setuid files
- no binaries in PATH
- no sudo fragments
- no udev rules
- tests run during the build, seems reasonably extensive
- no cron jobs
- clean build log other than warning regarding possible buffer overflow in
  time_frame_to_mmssff() - see below

- doesn't spawn other processes
- memory management looked careful
- file IO - reads from FILE* via flex, doesn't directly open files
- minimal logging, looked fine
- no environment variables used
- no ioctl() or other privileged syscalls
- Does not use cryptography
- Does not use DBus
- Does not use webkit
- Does not use temporary files
- Does not use javascript
- No cppcheck errors
- Does not use polkit

- Potential for signed integer overflow in time_msf_to_frame() if time is negative
- Potential for buffer overflow in time_frame_to_mmssff() if time is negative
  - Both would be fixed if time was treated everywhere as an unsigned quantity
    rather than signed integral types (int/long)

- ACK from security team to promote to main.

Changed in libcue (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Sebastien Bacher (seb128) wrote :

libcue 2.2.1-2 in disco: universe/libs -> main

Changed in libcue (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers