[MIR] libcupsfilters libppd cups-browsed

Note that this is reported for "cups-filters" for now as the actual packages are not yet uploaded to Lunar. You can find them, plus the new cups-filters source package with the appropriate components removed, in this PPA:

https://launchpad.net/~till-kamppeter/+archive/ubuntu/new-arch-dev/+packages

Thanks for the MIR, however, as you wanted to do a simple MIR and not a full one, this is really lacking details and not tracking the real packages the MIRs are supposed to apply on.
Please be considerate for the reviewer and help them as much as possible by following the process, so that from one bug report, we can see:
- which source packages are impacted
- which binary packages needs to be promoted.

That, without any more verbiage.

Also, those packages were packaged a very long time ago, so it’s probably the right opportunity to ensure, especially with the split, that they all confirmant with the MIR policy.

So, do you mind:
- add one source package for any source package impacted.
- for each source package, check the MIR requirements and file the template, ONE FOR EACH, in the description (you can separate them by markers to make it clearer).
- state in each source package what code was moved where
- remove cups-filters source package from here, and tell what’s going to happens with current cups-filters source package. Should it be demoted?

Until there, I’m marking that bug as incomplete.

The 4 packages of the new generation of cups-filters are uploaded to Lunar now: libcupsfilters 2.0~b2, libppd 2:2.0~b2, cups-filters 2.0~b2, cups-browsed 2.0~b2, all but cups-filters considered NEW.

As soon as the NEW packages land in Universe I will add tasks for them to this MIR bug report.

Set importance to "High", as cups-filters 2.0b1 is already uploaded to Main and depends on libcupsfilters and libppd.

Thanks for the detailed description and bug report, this will really help getting it through faster :)

I still have one request: it’s to the reporter to check which packages are in main and if new dependencies needs MIR in main, not the MIR team which is only doing a double check ("bretelles et chaussures" check) :)

So, can you please amend the description after confirming exactly those 2 points:
* --> ALL THESE BINARY PACKAGES MUST GET PROMOTED INTO MAIN (IF THEY ARE
    NOT ALREADY THERE).

Please list packages that are not in main and do this research work.

* --> SO MOST PROBABLY NO NEW DEPENDENCIES IN PACKAGES ALREADY EXISTING
     IN MAIN AND NO NEW SEEDS ARE NEEDED TO ACTUALLY GET EVERYTHING
     INTO MAIN AFTER THE APPROVAL OF THIS MIR.

Please ensure this. there is no "probably", but it’s part of the reporter's work to do the checking. Once this work is done, feel free to assign the 3 bug tasks to me and revert the status to NEW.

Re-launched with the fixes asked for:

- Disussed the promotion needs on Mattermost, also with @seb128
- Checked all the package's situations with rmadison
- Updated the description text, checked for absence of words "probably" and "if" related to
  presence of anything in Main or Universe.
- Clearly marked at all appropriate points what needs to get promoted

Also found by failures of autopkgtests that there was a missing dependency of libcups2-dev in debian/tests/control in both libcupsfilters and libppd and an upstream bug which broke monochrome PCL-XL output in libcupsfilters. Uploaded libcupsfilters_2.0~b2-0ubuntu10 and libppd_2.0~b2-0ubuntu5. Also applied the fix to the upstream code, to be included in libcupsfilters 2.0~b3.

Sorry, libppd upload is libppd_2.0~b2-0ubuntu8.

Review for Package: libcupsfilters

[Summary]
MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs.

This package parse many formats from untrusted sources in many formats and use LD_LIBRARY_PATH. As the code within the package this is originated from has greatly changed
over the years and when it entered main, we even didn’t have a MIR process, I suggest that this package is audited
by our security team. Assigning to them, but let’s not that block the required and recommended todos that you can work in parallel to the security review.

List of specific binary packages to be promoted to main:
- libcupsfilters2
- libcupsfilters2-common

Required TODOs:
- The autopkgtests is marked as superficial, and indeed, when looking at what is done, it builds the lib and call a logging function in it.
For packages in main, we need non trivial autopkgtests. As this package is doing quite a lot, we need to get to a higher standard
and improve the autopkgtests suite.
- Remember to subscribe the desktop-packages team as I think it will be the official team owning the packages so that list of criticals bugs can be adressed.
Recommended TODOs:
- There are a lot of warnings during the build. This makes the build process hard to read if a new error occur and it’s a nice opportunity to fix them upstream and downstream.

[Duplication]
This is a transition from some older package, no package will duplicate this functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- libcupsfilter checked with `check-mir`
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries

- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- Does parse many formats from untrusted sources. As the code within the package this is originated from has greatly changed
  over the years and when it entered main, we even didn’t have a MIR process, I suggest that this package is audited
  by our security team.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- no new python2 dependency

Problems:
- the autopkgtests is marked as superficial, and indeed, when looking at what is done, it builds the lib and call a logging function in it.
For packages in main, we nee...

Review for Package: cups-browsed

[Summary]
MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs.

This package is running as root, with an ungated (protected by apparmor, but not restriction on the systemd service itself). As the code within the package this is originated from has greatly changed over the years and when it entered main, we even didn’t have a MIR process, I suggest that this package is audited
by our security team. Assigning to them, but let’s not that block the required and recommended todos that you can work in parallel to the security review.

Only the source package needs promotion, as this package is a transition from another source.

Required TODOs:
- There are no package build time tests nor autopkgtests in the package which is a requirement for entering main. I know you mention that before this wazs already the case. However, this should have been addressed when we raised the bar in quality for packages in main and it seems the right opportunity to gate on having at least an initial autopkgtests testsuite with strong indication of improving it in the near future.
- Remember to subscribe the desktop-packages team as I think it will be the official team owning the packages so that list of criticals bugs can be adressed.
- The package does install one service, gated with apparmor. However, additional permission on the service would be great.
See the MIR template on which ones to add like reduced permissions, temp envronment, restricted users/groups...
Due to this service running as root and as this requires a security review too.

Recommended TODOs:
- This package do not ship library or symbol files, however, it has this in debian/rules, which is useless for that package:
override_dh_makeshlibs:
 dh_makeshlibs -- -c4
This could be cleaned.
- I suggest that you revisit the lintian override about file permission on the executable, if you look at <https://lintian.debian.org/tags/executable-is-not-world-readable>, there is no security gain by this permission set. It should be 0744 if you don’t want other users to be able to execute it.

[Duplication]
This is a transition from some older package, no package will duplicate this functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- cups-browsed checked with `check-mir`
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a privilege port/socket
- does not parse data formats (files [images, video, audio,
 xml, json, asn.1], network packets, structures, ...) from
 an untrusted source.
- does not process arbitrary web content
- does not use centralized ...

@Didier, I'm replying to that specific point about libcupsfilter since I'm the one who tweaked the symbols to the current state

> - The symbols file is not up to date. If you look at https://launchpadlibrarian.net/648110944/buildlog_ubuntu-lunar-amd64.libcupsfilters_2.0~b2-0ubuntu10_BUILDING.txt.gz, there are a lot of missing symbols for instance. I suggest that symbol files update will block and fail build by exporting DPKG_GENSYMBOLS=4.

in fact the debian/rules enforces that level. I've marked a stack of c++ symbols as optional since their mangling is different between architectures leading to different names, which isn't great but afaik we don't really have a proper solution for those and it's not the only packaging doing that.

Is that acceptable with that context or would you still like to see changes? One other alternative would be to create a .symbols.arch for each architecture but that's even more tedious and I don't think I've seen us go that way with other packages

For libcupsfilters the warnings are harmless and there are only 2 types signalling deprecations of feature in QPDF.

Very long term solution is replacing QPDF by PDFio (https://github.com/michaelrsweet/pdfio), to have simple C instead of C++ for easier maintenance

But for now, we will update the code to not use the deprecated features any more.

One deprecation is solved upstream now:

    https://github.com/OpenPrinting/libcupsfilters/commit/46f6896

The second is more complex to solve but one can suppress the warnings when building the package:

    CXXFLAGS='-DPOINTERHOLDER_TRANSITION=0' ./configure
    make

This would at least make warnings about atual problems more visible.

After applying above methods I currently do not get any warning at all any more.

How do I subscribe "desktop-packages" to a package? Under "Subscribe to bug mail" this group is not listed (for any of my packages, not only libcupsfilters).

@Till: excellent!

@seb128: It’s something that we phased in Unity and other projects too. IIRC, we unmangled the symbols to arch-independent ones beforehand with a debian helper (in the KDE toolset IIRC)? Do you mind having a look at this? I think that would be a good first set of efforts. If this is not successful then, the current mitigation with marking them optional is OK.

@didrocks, and how do I subscribe "desktop-packages" to my packages?

@didrocks, do yopu mean pkgkde-symbolshelper of pkg-kde-tools. It seems that the Debian people use it for libgs10 of Ghostscript, as it uses some C++ libraries.

@Till, yes that's the utility Didier was referring to ... could you see if that would help simplifying the symbols?

@seb128, I tried to run a "rewrite"

    pkgkde-symbolshelper rewrite -i debian/libcupsfilters2.symbols

but the result is identical to what you have done manually. It only changes the order of the lines. The file has 569 lines.

If I do "create", "patch", or "batchpatch" I create a completely new file, without any history. But this should not be a problem as libcupsfilters2 is a new library.

So I try (after having built the package):

rm debian/libcupsfilters2.symbols
pkgkde-gensymbols -plibcupsfilters2 -v2.0~b2-0ubuntu11 -Osymbols.amd64 -edebian/libcupsfilters2/usr/lib/x86_64-linux-gnu/libcupsfilters.so.2.0.0 > out
pkgkde-symbolshelper create -o debian/libcupsfilters2.symbols -v 2.0~b2-0ubuntu11 symbols.amd64

This produces a debian/libcupsfilters2.symbols file with 405 lines, so many symbols of the old file are not present, but there are several internal (no public or private API of the library) C++ symbols again. All are marked as introduced in 2.0~b2-0ubuntu11 and none is marked as optional. The file "out" seems to be a patch which creates debian/libcupsfilters2.symbols from an empty file.

The attached file is the symbols file created from scratch as described in the previous comment. I found the method in the man page of pkgkde-symbolshelper.

The QPDF 11 warnings about the "PointerHolder" are solved upstream now. I gave the problem to a GSoC contributor candidate as part of the selection process. An hour later I had a pull request:

https://github.com/OpenPrinting/libcupsfilters/pull/13

Tested it, works. But had to set the -DPOINTERHOLDER_TRANSITION=0 independent of that as the warning is always issued, also without "PointerHolder" in the code.

Now the libcupsfilters code is free of warnings (on Lunar).

I have checked again, libcupsfilters has a test program, doing 6 individual tests, which is run by "make check". Can be that I had forgotten it in the first place.

The test program was inherited from the old cups-filter 1.x package.

Same for libppd. It also has a test program, run by "make check", 1 program doing a lot of tests.

$ make check
make[1]: Entering directory '/home/till/printing/openprinting/libppd/x'
make testppd
make[2]: Entering directory '/home/till/printing/openprinting/libppd/x'
  CC ppd/testppd.o
ppd/testppd.c: In function ‘main’:
ppd/testppd.c:1534:7: warning: pointer ‘filename’ may be used after ‘free’ [-Wuse-after-free]
 1534 | unlink(filename);
      | ^~~~~~~~~~~~~~~~
ppd/testppd.c:1352:5: note: call to ‘free’ here
 1352 | free(filename);
      | ^~~~~~~~~~~~~~
  CCLD testppd
make[2]: Leaving directory '/home/till/printing/openprinting/libppd/x'
make check-TESTS
make[2]: Entering directory '/home/till/printing/openprinting/libppd/x'
make[3]: Entering directory '/home/till/printing/openprinting/libppd/x'
PASS: testppd
============================================================================
Testsuite summary for libppd 2.0b3
============================================================================
# TOTAL: 1
# PASS: 1
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
make[3]: Leaving directory '/home/till/printing/openprinting/libppd/x'
make[2]: Leaving directory '/home/till/printing/openprinting/libppd/x'
make[1]: Leaving directory '/home/till/printing/openprinting/libppd/x'
$ make testppd
$ ./testppd
ppdOpenFile("ppd/test.ppd"): PASS
ppdFindAttr(wildcard): PASS
ppdFindNextAttr(wildcard): PASS
ppdFindAttr(Foo): PASS
ppdFindNextAttr(Foo): PASS
ppdMarkDefaults: PASS
ppdEmitString (defaults): PASS
ppdEmitString (custom size and string): PASS
ppdGetConflicts(InputSlot=Envelope): PASS
ppdConflicts(): PASS (2)
ppdResolveConflicts(InputSlot=Envelope): PASS (Resolved by changing PageSize)
ppdResolveConflicts(No option/choice): PASS (Resolved by changing InputSlot)
ppdInstallableConflict(): PASS
ppdPageSizeLimits: PASS
ppdMarkOptions(media=iso-a4): PASS
ppdMarkOptions(media=na_letter_8.5x11in): PASS
ppdMarkOptions(media=oe_letter-fullbleed_8.5x11in): PASS
ppdMarkOptions(media=A4): PASS
ppdMarkOptions(media=Custom.8x10in): PASS
ppdLocalizeIPPReason(text): PASS
ppdLocalizeIPPReason(http): PASS
ppdLocalizeIPPReason(help): PASS
ppdLocalizeIPPReason(file): PASS
ppdLocalizeIPPReason(fr text): PASS
ppdLocalizeIPPReason(zh_TW text): PASS
ppdLocalizeMarkerName(bogus): PASS
ppdLocalizeMarkerName(cyan): PASS
ppdLocalizeMarkerName(fr cyan): PASS
ppdLocalizeMarkerName(zh_TW cyan): PASS
ppdOpenFile("ppd/test2.ppd"): PASS
ppdMarkDefaults: PASS
ppdEmitString (defaults): PASS
ppdConflicts(): PASS (1)
ppdResolveConflicts(Quality=Photo): PASS (Unable to resolve)
ppdResolveConflicts(No option/choice): PASS
ppdResolveConflicts(loop test): PASS
ppdInstallableConflict(): PASS
ppdPageSizeLimits(default): PASS
ppdPageSizeLimits(InputSlot=Manual): PASS
ppdPageSizeLimits(Quality=Photo): PASS
ppdPageSizeLimits(Quality=Photo): PASS
ppdRasterExecPS("setpagedevice"): PASS
ppdRasterExecPS("roll"): PASS
ppdRasterExecPS("dup index"): PASS
ppdRasterExecPS("%%Begin/EndFeature code"): PASS
$

I could re-use them as autopkgtest, so that they get re-run when a dependency gets into proposed migration.

Warning in the compilation of the libppd test fixed upstream.

On Thu, Feb 16, 2023 at 10:58:19PM -0000, Till Kamppeter wrote:
> ppd/testppd.c:1534:7: warning: pointer ‘filename’ may be used after ‘free’ [-Wuse-after-free]
> 1534 | unlink(filename);
> | ^~~~~~~~~~~~~~~~
> ppd/testppd.c:1352:5: note: call to ‘free’ here
> 1352 | free(filename);
> | ^~~~~~~~~~~~~~

Is this shipped to users? Is it part of an automatic workflow, or is it a
debugging utility that almost no one will ever use?

Thanks

@seth-arnold, I have fixed this already now. And in general, it was only in the test program, not anything for the end user.

https://github.com/OpenPrinting/libppd/commit/32c1da4b6ce

@Till:
- I will let you go on the symbol file enhancements.
- For the tests, please hook them up during package build (for those where they were not running) and autopkgtests
- For desktop-packages, I know that seb has the right to do the subcription. He generally does it once the MIR is approved.

Thanks Till, I was curious if we ought to try to coordinate with other distros / vendors / users etc, but this seems innocuous enough if it's just a test program. (If we assigned CVEs for every less-than-perfect coding practice in test programs we'd be drowning in paperwork for very little benefit.)

Review for Package: pppd

[Summary]
MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs.

This package parse ppd formats from untrusted sources and is using setuid. As the code within the package this is originated from has greatly changed over the years and when it entered main, we even didn’t have a MIR process, I suggest that this package is audited by our security team. Assigning to them, but let’s not that block the required and recommended todos that you can work in parallel to the security review.

Binary packages to be promoted:
- libppd-dev
- libppd2
- libppd2-common
- ppdc (see below on ppdc)

Required TODOs:
- One question: do we really need ppdc to be promoted? You stated it’s a debugging/development binary, not for end user?
- There are no autopkgtests in the package which is a requirement for entering main. I know you mention that before this was already the case. However, this should have been addressed when we raised the bar in quality for packages in main and it seems the right opportunity to gate on having at least an initial autopkgtests testsuite with strong indication of improving it in the near future.
- Remember to subscribe the desktop-packages team as I think it will be the official team owning the packages so that list of criticals bugs can be adressed.

Recommended TODOs:
- There is one warning during build (variable that could be used after free) that would be good to fix.
- Check if we can enhance symbols file tracking (see the other MIR for this)

[Duplication]
This is a transition from some older package, no package will duplicate this functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- ppd checked with `check-mir`
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a privilege port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problem:
- This package parse ppd formats from untrusted sources.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- no new python2 dependency

Problems:
- There are no autopkgtests in the package which is a requirement for entering main. I know you mention that before this was already the case. However, this should have been addressed when we rais...

libppd 2.0~b4-0ubuntu2 uploaded.

- Has an autopkgtest now which runs the program `testppd` (also used by `make check`) on the libppd installed into the system.
- Was put through Coverity and appropriately fixed by Red Hat printing maintainer Zdenek Dohnal.
- The symbols file is created by KDE's symbolshelper and architecture-specific symbols (as of build logs of Launchpad builds of 2.0~b4-0ubuntu1) added afterwards, marked as (optional). See debian/NEWS.
- No compiler warnings on building `testppd`
- Bug fixes for reported bugs, see CHANGES.md

libcupsfilters 2.0~b4-0ubuntu4 uploaded.

- Has an autopkgtest now which runs the test programs used by `make check` on the libcupsfilters installed into the system.
- Was put through Coverity and appropriately fixed by Red Hat printing maintainer Zdenek Dohnal.
- The symbols file is created by KDE's symbolshelper and architecture-specific symbols (as of build logs of Launchpad builds) added afterwards, marked as (optional). See debian/NEWS.
- All deprecated functions of QPDF are replaced by the appropriate substitutions now, making the build of the package free of warnings.
- Bug fixes for reported bugs, see CHANGES.md

Cups-browsed 2.0~b4-0ubuntu1 uploaded.

- Daemon runs as normal user now, user only needs to be member of the "lpadmin" group to be able to create and modify CUPS queues. It is directly started as that user by systemd.
- Has both 'make check' and an autopkgtest now. The latter runs the test script used by `make check` on the cups-browsed installed into the system. The script I have designed appropriately to work in both modes.
- Was put through Coverity and appropriately fixed by Red Hat printing maintainer Zdenek Dohnal.
- Many upstream bug fixes for bugs discovered during the development of the test script, see CHANGES.md

Checked through everything whether I have nothing forgotten, seems that I overlooked the question with the ppdc.

The ppdc is actually only needed for development and debugging:

- CUPS 2.x needs ppdc as external executable, but it has its own ppdc.

- Printer Applications (the PPD/driver-retro-fitting ones) manage collections of PPDs (including *.drv files) with libppd's API for PPD collections and these call the library functions for the ppdc functionality directly (the functions are in libppd), without needing an external executable.

- CUPS 3.x does not support PPD files (and also not *.drv files) at all, so it will not need ppdc.

The code in the ppdc binary package is actually only wrappers which call corresponding library functions. The actual functionality is completely in libppd.

So an actual promotion of ppdc is not needed, but ppdc should not add any extra risks due to its functionality already residing in libppd.

The "setuid()" in libppd is harmless, it is only for dropping, not for gaining privileges, and the function where it is called, "PipeCommand()", is static, so it is only used in the same file and not available to the outside. Checking the calls in that file, ppd/ppd-collection.cxx, the privilege-dropping facility is even not made use of ...

I reviewed cups-browsed 2.0~b4-0ubuntu2 as checked into lunar.
This shouldn't be considered a full audit but rather a quick gauge of
maintainability.

cups-browsed is a a helper daemon to browse the network for remote CUPS
queues and IPP network printers and automatically create local queues
pointing to them. It used to be a binary in cups-filters source and was
now split into a new source.

- CVE History:
  - CVE history is applicable to cups-filter, and it is all good. The CVEs
    that existed were fixed.
- Build-Depends?
  - avahi, cups, dbus, glib2.0, openldap, pkgconf, poppler, zlib all in main
  - libppd, also targeted in the same MIR bug.
- pre/post inst/rm scripts?
  - preinst: runs dh_installdeb
  - prerm: runs dh_installsystemd dh_installdeb
  - postinst: runs dh_apparmor, dh_installdeb, dh_installsystemd and
    accepts a configure param to setup /var/ directories and add
    cups-browsed user.
  - postrm: runs dh_apparmor dh_installdeb dh_installsystemd and accepts a
    purge param to remove the previously setup /var/ directories and remove
    the cups-browsed user.
- init scripts?
  - NA
- systemd units?
  - starts the daemon /usr/sbin/cups-browsed
- dbus services?
  - NA
- setuid binaries?
  - NA
- binaries in PATH?
  - cups-browsed: ./usr/sbin/cups-browsed
  - cups-browsed-tests: ./usr/bin/run-tests.sh
- sudo fragments?
  - NA
- polkit files?
  - NA
- udev rules?
  - NA
- unit tests / autopkgtests?
  - Tests are defined in the script cups-browsed-2.0~b4/test/run-tests.sh,
  that seems to do a good job in creating the test setup. it gives the
  chance to make different types of tests. This is the script that runs in
  the autopkgtests.
- cron jobs?
  - NA
- Build logs:
  - build log is clean, there is an information about the tests being
    executed in the autopkgtest and not during the build, due to the
    need of avahi-daemon in the build chroot.
  - Lintian throws the following Errors and Warnings.
      E: cups-browsed: depends-on-obsolete-package Depends: lsb-base
      E: cups-browsed: maintainer-script-lacks-home-in-adduser "adduser --system --ingroup lpadmin cups-browsed" [postinst:8]
      W: cups-browsed: debian-news-entry-has-unknown-version 2.0~b1-0ubuntu1 [usr/share/doc/cups-browsed/NEWS.Debian.gz:1]
      W: cups-browsed: maintainer-script-needs-depends-on-adduser adduser (does not satisfy adduser) [postinst:8]
      W: cups-browsed: mismatched-override executable-in-usr-lib usr/lib/cups/backend/implicitclass [usr/share/lintian/overrides/cups-browsed:4]
      W: cups-browsed: non-standard-executable-perm 0744 != 0755 [usr/lib/cups/backend/implicitclass]
      W: cups-browsed: wrong-name-for-upstream-changelog [usr/share/doc/cups-browsed/CHANGES.md.gz]
      W: cups-browsed-tests: no-manual-page [usr/bin/run-tests.sh]
      W: cups-browsed-tests: script-with-language-extension [usr/bin/run-tests.sh]
    Some seems OK, like the warnings for 'cups-browsed-tests', but the
    others could be checked better.

- Processes spawned?
  - No
- Memory management?
  - malloc's and calloc's are being checked, strcpy and sprintf seems fine
  - some coverity reports on memory management will be forwarded to upstream,
    not...

I reviewed libcupsfilters 2.0~b4-0ubuntu5 as checked into lunar. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

libcupsfilters contains backends, filters, and other software that was
once part of the core CUPS distribution. It contains more filters and software
developed once Apple stopped maintaining this library. For compiling and using
this package CUPS (2.2.2 or newer), libcupsfilters 2.x, and libppd are needed.

- CVE History:
  - No history of CVE found
- Build-Depends?
  - avahi, ghostscript, cups, dbus, glib2.0, pkgconfig, qpdf, tiff, poppler,
    zlib, exif
- pre/post inst/rm scripts?
  - NA
- init scripts?
  - NA
- systemd units?
  - NA
- dbus services?
  - NA
- setuid binaries?
  - NA
- binaries in PATH?
  - libcupsfilters-tests_2.0~b4-0ubuntu5_amd64.deb:
    -rwxr-xr-x root/root 14656 2023-02-24 13:43 ./usr/bin/test-analyze
    -rwxr-xr-x root/root 14656 2023-02-24 13:43 ./usr/bin/test-pdf
    -rwxr-xr-x root/root 14656 2023-02-24 13:43 ./usr/bin/test-ps
    -rwxr-xr-x root/root 14656 2023-02-24 13:43 ./usr/bin/test1284
    -rwxr-xr-x root/root 18752 2023-02-24 13:43 ./usr/bin/testcmyk
    -rwxr-xr-x root/root 14656 2023-02-24 13:43 ./usr/bin/testdither
    -rwxr-xr-x root/root 14656 2023-02-24 13:43 ./usr/bin/testimage
    -rwxr-xr-x root/root 14656 2023-02-24 13:43 ./usr/bin/testpdf1
    -rwxr-xr-x root/root 14656 2023-02-24 13:43 ./usr/bin/testpdf2
    -rwxr-xr-x root/root 14728 2023-02-24 13:43 ./usr/bin/testrgb
- sudo fragments?
  - NA
- polkit files?
  - NA
- udev rules?
  - NA
- unit tests / autopkgtests?
  - All the unit tests are resides in ./cupsfilters/test\*.c files.
    Also, drive test is defined in ./test-driver script. These test cases are
    included in autopkgtests and it is working as expected.
- cron jobs?
  - NA
- Build logs:
  - Lintian throws the following Warningsi and Errors
    E: libcupsfilters source: missing-build-dependency-for-dh-addon pkgkde_symbolshelper (does not satisfy pkg-kde-tools:any) [debian/rules]
    W: libcupsfilters source: build-depends-on-obsolete-package Build-Depends: libfontconfig1-dev => libfontconfig-dev
    W: libcupsfilters source: dependency-is-not-multi-archified libcupsfilters2 depends on libcupsfilters2-common (multi-arch: no)
    W: libcupsfilters-tests: no-manual-page [usr/bin/test-analyze]
    W: libcupsfilters-tests: no-manual-page [usr/bin/test-pdf]
    W: libcupsfilters-tests: no-manual-page [usr/bin/test-ps]
    W: libcupsfilters-tests: no-manual-page [usr/bin/test1284]
    W: libcupsfilters-tests: no-manual-page [usr/bin/testcmyk]
    W: libcupsfilters-tests: no-manual-page [usr/bin/testdither]
    W: libcupsfilters-tests: no-manual-page [usr/bin/testimage]
    W: libcupsfilters-tests: no-manual-page [usr/bin/testpdf1]
    W: libcupsfilters-tests: no-manual-page [usr/bin/testpdf2]
    W: libcupsfilters-tests: no-manual-page [usr/bin/testrgb]
    W: libcupsfilters2: symbols-file-contains-debian-revision on symbol Floyd16x16@Base and 388 others (libcupsfilters.so.2) [symbols]
    W: libcupsfilters2: wrong-name-for-upstream-changelog [usr/share/doc/libcupsfilters2/CHANGES.md.gz]

    ...

@cups-browsed

The review feedback from Didier was

> Required TODOs:
> - There are no package build time tests nor autopkgtests in the package which is a requirement for entering main.

The autopkgtests got added
https://autopkgtest.ubuntu.com/packages/c/cups-browsed

The build was changed to call 'make check' but that was reverted because those tests expect avahi to be active which is not. Till could we skip part of the tests but still run the tests that don't rely on avahi?

> - Remember to subscribe the desktop-packages team as I think it will be the official team owning the packages so that list of criticals bugs can be adressed.

Subscribed

> - The package does install one service, gated with apparmor. However, additional permission on the service would be great.
> See the MIR template on which ones to add like reduced permissions, temp envronment, restricted users/groups...
> Due to this service running as root and as this requires a security review too.

The service didn't need the privilege, it was changed in to use https://launchpad.net/ubuntu/+source/cups-browsed/2.0~b4-0ubuntu1 User=cups-browsed

Security team review was also done and gave a +1

> Recommended TODOs:
> - This package do not ship library or symbol files, however, it has this in debian/rules, which is useless for that package:
> override_dh_makeshlibs:
> dh_makeshlibs -- -c4
> This could be cleaned.

fixed in https://launchpad.net/ubuntu/+source/cups-browsed/2.0~b4-0ubuntu2

> - I suggest that you revisit the lintian override about file permission on the executable, if you look at <https://lintian.debian.org/tags/executable-is-not-world-readable>, there is no security gain by this permission set. It should be 0744 if you don’t want other users to be able to execute it.

fixed in https://launchpad.net/ubuntu/+source/cups-browsed/2.0~b4-0ubuntu2

Till, could you check if there is a set of the tests we could do a build time still? Once that resolved we should be able to promote cups-browsed

@libcupsfilters

The MIR review feedback was

> Required TODOs:
> - The autopkgtests is marked as superficial, and indeed, when looking at what is done, it builds the lib and call a logging function in it.
> For packages in main, we need non trivial autopkgtests. As this package is doing quite a lot, we need to get to a higher standard
> and improve the autopkgtests suite.

It was fixed in https://launchpad.net/ubuntu/+source/libcupsfilters/2.0~b4-0ubuntu1
Till added a libcupsfilters-tests binary including the same checks as the upstream testsuite and is using them as autopkgtests now
https://autopkgtest.ubuntu.com/packages/lib/libcupsfilters

> - Remember to subscribe the desktop-packages team as I think it will be the official team owning the packages so that list of criticals bugs can be adressed.

desktop-packages subscribed now

> Recommended TODOs:
> - There are a lot of warnings during the build. This makes the build process hard to read if a new error occur and it’s a nice opportunity to fix them upstream and downstream.

Till fixed some of the warnings upstream now.
@Till, should we also set CXXFLAGS='-DPOINTERHOLDER_TRANSITION=0' as you said it would help cut some of the remaining noise?

Security team also gave a +1 for promotion.

Since there is no remaining blocker item I'm promoting libcupsfilters now

$ ./change-override -c main -t libcupsfilters
Override component to main
libcupsfilters 2.0~b4-0ubuntu5 in lunar: universe/net -> main
Override [y|N]? y
1 publication overridden.

$ ./change-override -c main libcupsfilters2 libcupsfilters2-common
Override component to main
libcupsfilters2 2.0~b4-0ubuntu5 in lunar amd64: universe/libs/optional/100% -> main
libcupsfilters2 2.0~b4-0ubuntu5 in lunar arm64: universe/libs/optional/100% -> main
libcupsfilters2 2.0~b4-0ubuntu5 in lunar armhf: universe/libs/optional/100% -> main
libcupsfilters2 2.0~b4-0ubuntu5 in lunar ppc64el: universe/libs/optional/100% -> main
libcupsfilters2 2.0~b4-0ubuntu5 in lunar riscv64: universe/libs/optional/100% -> main
libcupsfilters2 2.0~b4-0ubuntu5 in lunar s390x: universe/libs/optional/100% -> main
libcupsfilters2-common 2.0~b4-0ubuntu5 in lunar amd64: universe/libs/optional/100% -> main
libcupsfilters2-common 2.0~b4-0ubuntu5 in lunar arm64: universe/libs/optional/100% -> main
libcupsfilters2-common 2.0~b4-0ubuntu5 in lunar armhf: universe/libs/optional/100% -> main
libcupsfilters2-common 2.0~b4-0ubuntu5 in lunar i386: universe/libs/optional/100% -> main
libcupsfilters2-common 2.0~b4-0ubuntu5 in lunar ppc64el: universe/libs/optional/100% -> main
libcupsfilters2-common 2.0~b4-0ubuntu5 in lunar riscv64: universe/libs/optional/100% -> main
libcupsfilters2-common 2.0~b4-0ubuntu5 in lunar s390x: universe/libs/optional/100% -> main
Override [y|N]? y
13 publications overridden.

@libcupsfilters

> > Recommended TODOs:
> > - There are a lot of warnings during the build. This makes the build process hard to read if a > new error occur and it’s a nice opportunity to fix them upstream and downstream.
>
> Till fixed some of the warnings upstream now.
> @Till, should we also set CXXFLAGS='-DPOINTERHOLDER_TRANSITION=0' as you said it would help cut
> some of the remaining noise?

As of CHANGES.md

https://github.com/OpenPrinting/cups-filters/blob/master/CHANGES.md

the POINTERHOLDER_TRANSITION should be fixed in current upstream version (2.0b4) which is base of the current Ubuntu package.

@cups-browsed

First off, cups-browsed got promoted off-MIR by @vorlon, as it is a spin-off of the former cups-filters 1.x which was in Main and the code base is merly the same.

Second, cups-browsed as we use it in Ubuntu does nothing at all if there is no avahi-daemon, it will even immediately exit as it has nothing to do.

I would need to add a "testing mode" to the upstream code of cups-browsed which fakes DNS-SD broadcasts, but this is very invasive and the risk of bugs to get introduced by that is higher than the probablility to discover bugs in the rest of cups-browsed's functionality.

Another solution would be to use the legacy CUPS browsing support, but with this I would test a functionality which is completely irrelevant to Ubuntu (it is there to interact with VERY old Red Hat Enterprise versions). Also I would need a counterpart, meaning that I had to re-implement legacy CUPS browsing in an external test program ...

Third, the security team has no problem with the missing build test as we have the autopkgtest which is testing cups-browsed very well:

> - unit tests / autopkgtests?
> - Tests are defined in the script cups-browsed-2.0~b4/test/run-tests.sh,
> that seems to do a good job in creating the test setup. it gives the
> chance to make different types of tests. This is the script that runs in
> the autopkgtests.
> - cron jobs?
> - NA
> - Build logs:
> - build log is clean, there is an information about the tests being
> executed in the autopkgtest and not during the build, due to the
> need of avahi-daemon in the build chroot.

> First off, cups-browsed got promoted off-MIR by @vorlon, as it is a spin-off of the former cups-filters 1.x which was in Main and the code base is merly the same.

All new packages require MIR. There are no spin-off exceptions.

> Third, the security team has no problem with the missing build test as we have the autopkgtest which is testing cups-browsed very well:

MIR Team and Security Team are separate stakeholders and have separate requirements. I would check with MIR Team if their requirements for cups-browsed testing is satisfied.

Since libppd MIR is no longer required per comment 37 and MM discussion, setting status to invalid and removing Security Team.

@eslerm, why is the libppd MIR not needed any more? The source package libppd and the binary packages libppd2, libppd-dev, and libppd2-common need to get promoted into Main, as they are used by cups-filters and cups-browsed, which are both in Main.

It was only ppdc which is not required to be in Main.

Also which MM discussion? Which channel?

Till, Sebastien, and I have discussed libppd out-of-band. I'm giving libppd's MIR my full attention for the rest of today.

Coverity report is attached.

I reviewed libppd 2:2.0~b4-0ubuntu3 as checked into lunar. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

> libppd, the legacy support library for PPD files

- CVE History:
  - past cups-filters CVEs likely do not affect libppd code
    - most CVEs are reported to affect cups-filter's footmatic-rip
  - past cups-filters CVEs are mostly for "allows remote attackers to executing arbitrary commands"
- Build-Depends?
  - autoconf, debhelper-compat, dh-sequence-pkgkde-symbolshelper, ghostscript, libcups2-dev, libcupsfilters-dev, pkg-config, poppler-utils, and zlib1g-dev
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - ./usr/bin/testppd
  - ./usr/bin/ppdc
  - ./usr/bin/ppdhtml
  - ./usr/bin/ppdi
  - ./usr/bin/ppdmerge
  - ./usr/bin/ppdpo
  - ./usr/bin/testppdfile
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - has build and autopkgtests
  - see bug comments
- cron jobs?
  - none
- Build logs:
  - looks alright

- Processes spawned?
  - ppdCollectionGetPPD() -> PipeCommand() -> ExecCommand runs arbitrary execv(command, argv)
  - many functions lead to reading PPD files
  - several renders (e.g., poppler) can be executed
  - documentation is being added to warn downstream users to sanitize untrusted input
- Memory management?
  - heavy memory use
  - issues reported upstream
- File IO?
  - some cloexec
  - file IO appears okay and restrict mode
- Logging?
  - has logging and debugging
- Environment variable usage?
  - used for setting renderer executable paths at compile time
  - ./ppd/ppd-filter.c uses many env variables
    - $PPD loads a non-executable file
- Use of privileged functions?
  - used to prevent using file if setuid
  - elsewhere drops privilege
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant Coverity results?
  - issues reported upstream
- Any significant cppcheck results?
  - see coverity
- Any significant shellcheck results?
  - okay - for compiling

Upstream added the ability to report security bugs privately and is adding security documentation \o/

Upstream and Desktop have agreed to own reported issue maintenance. Security team ACK for promoting libppd to main.

Thanks Mark, promoting libppd now!

$ ./change-override -c main -t libppd
Override component to main
libppd 2:2.0~b4-0ubuntu3 in lunar: universe/libs -> main
Override [y|N]? y
1 publication overridden.

$ ./change-override -c main libppd-dev libppd2 libppd2-common
Override component to main
libppd-dev 2:2.0~b4-0ubuntu3 in lunar amd64: universe/libdevel/optional/100% -> main
libppd-dev 2:2.0~b4-0ubuntu3 in lunar arm64: universe/libdevel/optional/100% -> main
libppd-dev 2:2.0~b4-0ubuntu3 in lunar armhf: universe/libdevel/optional/100% -> main
libppd-dev 2:2.0~b4-0ubuntu3 in lunar ppc64el: universe/libdevel/optional/100% -> main
libppd-dev 2:2.0~b4-0ubuntu3 in lunar riscv64: universe/libdevel/optional/100% -> main
libppd-dev 2:2.0~b4-0ubuntu3 in lunar s390x: universe/libdevel/optional/100% -> main
libppd2 2:2.0~b4-0ubuntu3 in lunar amd64: universe/libs/optional/100% -> main
libppd2 2:2.0~b4-0ubuntu3 in lunar arm64: universe/libs/optional/100% -> main
libppd2 2:2.0~b4-0ubuntu3 in lunar armhf: universe/libs/optional/100% -> main
libppd2 2:2.0~b4-0ubuntu3 in lunar ppc64el: universe/libs/optional/100% -> main
libppd2 2:2.0~b4-0ubuntu3 in lunar riscv64: universe/libs/optional/100% -> main
libppd2 2:2.0~b4-0ubuntu3 in lunar s390x: universe/libs/optional/100% -> main
libppd2-common 2:2.0~b4-0ubuntu3 in lunar amd64: universe/libs/optional/100% -> main
libppd2-common 2:2.0~b4-0ubuntu3 in lunar arm64: universe/libs/optional/100% -> main
libppd2-common 2:2.0~b4-0ubuntu3 in lunar armhf: universe/libs/optional/100% -> main
libppd2-common 2:2.0~b4-0ubuntu3 in lunar i386: universe/libs/optional/100% -> main
libppd2-common 2:2.0~b4-0ubuntu3 in lunar ppc64el: universe/libs/optional/100% -> main
libppd2-common 2:2.0~b4-0ubuntu3 in lunar riscv64: universe/libs/optional/100% -> main
libppd2-common 2:2.0~b4-0ubuntu3 in lunar s390x: universe/libs/optional/100% -> main
Override [y|N]? y
19 publications overridden.