Review for Package: libcupsfilters

[Summary]
MIR team ACK under the constraint to resolve the below listed required TODOs and, as much as possible, have a look at the recommended TODOs.

This package parses many formats from untrusted sources and uses LD_LIBRARY_PATH. As the code within the package this originated from has greatly changed over the years, and when it entered main we did not even have a MIR process, I suggest that this package is audited by our security team. Assigning to them, but let's not let that block the required and recommended TODOs, which you can work on in parallel to the security review.

List of specific binary packages to be promoted to main:
- libcupsfilters2
- libcupsfilters2-common

Required TODOs:
- The autopkgtest is marked as superficial, and indeed, looking at what is done, it builds the lib and calls a logging function in it. For packages in main, we need non-trivial autopkgtests. As this package does quite a lot, we need to get to a higher standard and improve the autopkgtest suite.
- Remember to subscribe the desktop-packages team, as I think it will be the official team owning the packages, so that the list of critical bugs can be addressed.

Recommended TODOs:
- There are a lot of warnings during the build. This makes the build process hard to read if a new error occurs, and it is a nice opportunity to fix them upstream and downstream.

[Duplication]
This is a transition from an older package; no package will duplicate this functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- libcupsfilters checked with `check-mir`
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- Does parse many formats from untrusted sources. As the code within the package this originated from has greatly changed over the years, and when it entered main we did not even have a MIR process, I suggest that this package is audited by our security team.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error.
- no new python2 dependency

Problems:
- the autopkgtest is marked as superficial, and indeed, looking at what is done, it builds the lib and calls a logging function in it. For packages in main, we need non-trivial autopkgtests. As this package does quite a lot, we need to get to a higher standard and improve the autopkgtest suite.

[Packaging red flags]
OK:
- See the rationale on the presence of the package in Debian. It will be in sync with the rest of the cups stack.
- d/watch is present and looks ok (if needed, e.g. non-native)
- symbols tracking is in place
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as we can check it, but quite hard due to image parsing, hence the security review needed)
- no use of sudo, gksu, pkexec
- no use of user nobody
TODO:
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case

Problems:
- There are a lot of warnings during the build. This makes the build process hard to read if a new error occurs, and it is a nice opportunity to fix them upstream and downstream.
- Some use of LD_LIBRARY_PATH inside ghostscript.c, outside tests. Hence the security review request.