Activity log for bug #1827442

Date Who What changed Old value New value Message
2019-05-02 23:17:38 Steve Langasek bug added bug
2019-05-02 23:18:09 Steve Langasek description
Old value:
[Availability] Available on all architectures in universe from bionic forward.
[Rationale] This is a new build-dependency added to imagemagick in Debian unstable. It implements support for decoding ISO/IEC 23008-12:2017 HEIF files, which are not otherwise supported by any libraries in Ubuntu main.
[Security] One vulnerability was reported this year against libheif 1.4.0 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471). Debian currently has libheif 1.3.2. According to the upstream issue at https://github.com/strukturag/libheif/issues/123 the vulnerability was first introduced in an unreleased, git-only version of libheif (post-1.4.0), and found and fixed by the upstream community prior to finding its way into a tagged release. It is not clear to me that the vulnerability in question applies to 1.3.2.
[Quality assurance] Packaging is lintian-clean using modern dh(1) patterns and shows no problematic bug history in Debian or Ubuntu. Package runs make check at build time (debhelper), but has no build-time tests or autopkgtests available.
[Dependencies] Also depends on x265 and libde265 which are in universe.
[Maintenance] Package would be maintained by Ubuntu Foundations Team.

New value:
[Availability] Available on all architectures in universe from bionic forward.
[Rationale] This is a new build-dependency added to imagemagick in Debian unstable. It implements support for decoding ISO/IEC 23008-12:2017 HEIF files, which are not otherwise supported by any libraries in Ubuntu main.
[Security] One vulnerability was reported this year against libheif 1.4.0 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471). Debian currently has libheif 1.3.2. According to the upstream issue at https://github.com/strukturag/libheif/issues/123 the vulnerability was first introduced in an unreleased, git-only version of libheif (post-1.4.0), and found and fixed by the upstream community prior to finding its way into a tagged release. It is not clear to me that the vulnerability in question applies to 1.3.2. This is a media file parser, so is security-sensitive because it will be processing complex untrusted input.
[Quality assurance] Packaging is lintian-clean using modern dh(1) patterns and shows no problematic bug history in Debian or Ubuntu. Package runs make check at build time (debhelper), but has no build-time tests or autopkgtests available.
[Dependencies] Also depends on x265 and libde265 which are in universe.
[Maintenance] Package would be maintained by Ubuntu Foundations Team.
2019-05-02 23:18:13 Steve Langasek libheif (Ubuntu): status Incomplete New
2019-05-02 23:18:32 Steve Langasek bug added subscriber MIR approval team
2019-05-03 20:38:17 Mathieu Trudel-Lapierre libheif (Ubuntu): assignee Ubuntu Security Team (ubuntu-security)
2019-05-08 01:51:05 Seth Arnold bug watch added https://github.com/strukturag/libheif/issues/128
2019-05-09 21:00:57 Dylan Aïssi bug added subscriber Dylan Aïssi
2019-07-12 08:06:30 Joachim Bauch bug added subscriber Joachim Bauch
2019-07-18 22:10:54 Steve Langasek bug task added x265 (Ubuntu)
2019-07-18 22:11:01 Steve Langasek bug task added libde265 (Ubuntu)
2019-09-17 14:37:48 Balint Reczey bug task added imagemagick (Ubuntu)
2019-09-17 14:38:03 Balint Reczey imagemagick (Ubuntu): status New Invalid
2019-09-17 14:39:01 Balint Reczey tags eoan eoan update-excuse
2019-09-18 12:11:53 Balint Reczey imagemagick (Ubuntu): status Invalid Fix Released
2019-09-18 15:17:59 Balint Reczey imagemagick (Ubuntu): status Fix Released Won't Fix
2019-09-18 15:21:27 Launchpad Janitor libde265 (Ubuntu): status New Confirmed
2019-09-18 15:21:27 Launchpad Janitor libheif (Ubuntu): status New Confirmed
2019-09-18 15:21:27 Launchpad Janitor x265 (Ubuntu): status New Confirmed
2019-09-18 15:21:53 Balint Reczey bug task deleted imagemagick (Ubuntu)
2019-09-19 12:30:17 Balint Reczey tags eoan update-excuse eoan
2019-10-24 02:38:00 Seth Arnold attachment added Coverity results https://bugs.launchpad.net/ubuntu/+source/libheif/+bug/1827442/+attachment/5299625/+files/coverity.txt
2020-02-26 14:01:59 Dylan Aïssi removed subscriber Dylan Aïssi
2020-02-27 04:21:39 Seth Arnold cve linked 2019-11471
2020-02-27 04:21:49 Seth Arnold bug added subscriber Seth Arnold
2020-02-27 04:21:53 Seth Arnold libheif (Ubuntu): assignee Ubuntu Security Team (ubuntu-security)
2020-02-27 07:43:41 Joachim Bauch bug added subscriber Dirk Farin
2021-05-11 14:42:57 Christian Ehrhardt  libheif (Ubuntu): status Confirmed In Progress
2021-05-11 14:46:38 Christian Ehrhardt  x265 (Ubuntu): status Confirmed Incomplete
2021-05-11 14:46:40 Christian Ehrhardt  libde265 (Ubuntu): status Confirmed Incomplete
2022-05-23 21:38:22 Steve Langasek libde265 (Ubuntu): status Incomplete Won't Fix
2022-05-23 21:38:29 Steve Langasek libheif (Ubuntu): status In Progress Won't Fix
2022-05-23 21:38:31 Steve Langasek x265 (Ubuntu): status Incomplete Won't Fix
2022-11-07 23:26:58 Steve Langasek libheif (Ubuntu): status Won't Fix In Progress
2022-11-07 23:28:45 Steve Langasek libde265 (Ubuntu): status Won't Fix Incomplete
2022-11-07 23:28:46 Steve Langasek x265 (Ubuntu): status Won't Fix New
2022-11-07 23:28:56 Steve Langasek x265 (Ubuntu): status New Incomplete
2022-11-08 15:51:26 Lukas Märdian libheif (Ubuntu): status In Progress New
2022-11-15 15:48:55 Christian Ehrhardt  libheif (Ubuntu): status New Incomplete
2022-11-16 10:59:28 Lukas Märdian bug task added aom (Ubuntu)
2022-11-16 10:59:34 Lukas Märdian aom (Ubuntu): status New Incomplete
2022-11-16 10:59:46 Lukas Märdian bug task added dav1d (Ubuntu)
2022-11-16 10:59:52 Lukas Märdian dav1d (Ubuntu): status New Incomplete
2022-11-16 12:17:19 Jeremy Bícha bug added subscriber Jeremy Bicha
2022-11-17 07:30:25 Christian Ehrhardt  libheif (Ubuntu): status Incomplete In Progress
2023-01-20 21:15:32 Joachim Bauch bug watch added https://github.com/strukturag/libheif/issues/745
2023-01-24 15:54:06 Lukas Märdian bug task added libgd2 (Ubuntu)
2023-01-24 15:54:16 Lukas Märdian libgd2 (Ubuntu): assignee Canonical Foundations Team (canonical-foundations)
2023-01-24 15:54:21 Lukas Märdian tags eoan eoan rls-ll-incoming
2023-01-27 09:35:00 Vladimir Petko tags eoan rls-ll-incoming eoan fr-3316 rls-ll-incoming
2023-01-31 02:09:35 Vladimir Petko description
Old value:
[Availability] Available on all architectures in universe from bionic forward.
[Rationale] This is a new build-dependency added to imagemagick in Debian unstable. It implements support for decoding ISO/IEC 23008-12:2017 HEIF files, which are not otherwise supported by any libraries in Ubuntu main.
[Security] One vulnerability was reported this year against libheif 1.4.0 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471). Debian currently has libheif 1.3.2. According to the upstream issue at https://github.com/strukturag/libheif/issues/123 the vulnerability was first introduced in an unreleased, git-only version of libheif (post-1.4.0), and found and fixed by the upstream community prior to finding its way into a tagged release. It is not clear to me that the vulnerability in question applies to 1.3.2. This is a media file parser, so is security-sensitive because it will be processing complex untrusted input.
[Quality assurance] Packaging is lintian-clean using modern dh(1) patterns and shows no problematic bug history in Debian or Ubuntu. Package runs make check at build time (debhelper), but has no build-time tests or autopkgtests available.
[Dependencies] Also depends on x265 and libde265 which are in universe.
[Maintenance] Package would be maintained by Ubuntu Foundations Team.

New value:
[Availability] The package libheif is already in ubuntu/universe. The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 . It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security] libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2. Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
[Quality assurance – function/usage]
- The package works well right after install
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output
```
GD Warning: HEIF image support has been disabled
```
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using the viewnior package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream: https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package cannot be tested at build or autopkgtest time because no tests are present; to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
  - aom
  - dav1d
  - libde265
  - x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/
2023-01-31 02:11:14 Vladimir Petko description
Old value:
[Availability] The package libheif is already in ubuntu/universe. The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 . It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security] libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2. Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
[Quality assurance – function/usage]
- The package works well right after install
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output
```
GD Warning: HEIF image support has been disabled
```
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using the viewnior package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream: https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package cannot be tested at build or autopkgtest time because no tests are present; to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
  - aom
  - dav1d
  - libde265
  - x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/

New value:
[Availability] The package libheif is already in ubuntu/universe. The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 . It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security] libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2. Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using viewnior.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using the viewnior package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream: https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package cannot be tested at build or autopkgtest time because no tests are present; to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
  - aom
  - dav1d
  - libde265
  - x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/
2023-01-31 02:12:05 Vladimir Petko attachment added make-target-to-uscan.diff https://bugs.launchpad.net/ubuntu/+source/libheif/+bug/1827442/+attachment/5644071/+files/make-target-to-uscan.diff
2023-02-01 00:36:31 Vladimir Petko description
Old value:
[Availability] The package libheif is already in ubuntu/universe. The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 . It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security] libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2. Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using viewnior.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using the viewnior package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream: https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package cannot be tested at build or autopkgtest time because no tests are present; to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
  - aom
  - dav1d
  - libde265
  - x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/

New value:
[Availability] The package libheif is already in ubuntu/universe. The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 . It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security] libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2. Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software: the package provides HEIF image plugin used by other software, e.g. imagemagick
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using viewnior.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using the viewnior package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream: https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present.
Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh - The package does have not failing autopkgtests right now - [NOT COMPLETE]: The package can not be tested at build or autopktest time because no tests are presentto make up for that here [LINK] is a test plan/automation and example test runlogs/scripts) [Quality assurance - packaging] - debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use. - debian/control defines a correct Maintainer field - This package does not yield massive lintian Warnings, Errors - Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz - Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. https://udd.debian.org/lintian/?packages=libheif - Lintian overrides are not present - This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev - This package has no python2 or GTK2 dependencies - The package will not be installed by default - Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules [UI standards] - Application is not end-user facing (does not need translation) - End-user applications without desktop file, not needed because application does not provide GUI [Dependencies] - There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:   - aom   - dav1d   - libde265   - x265 [Standards compliance]  - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - Owning Team will be Foundations team  - Team is 
already subscribed to the package - This does not use static builds - This does not use vendored code - This package is not rust based [Background information] The Package description explains the package well Upstream Name is libheif Link to upstream project https://github.com/strukturag/libheif/
2023-02-01 02:13:29 Vladimir Petko description
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 . It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The GitHub issue https://github.com/strukturag/libheif/issues/207 is open, though the developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The GitHub issue https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The GitHub issue https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The GitHub issue https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2. Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software: the package provides a HEIF image plugin used by other software, e.g. imagemagick
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using viewnior.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using viewnior package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream: https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package can not be tested at build or autopkgtest time because no tests are present; to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also a get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules: https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
  - aom
  - dav1d
  - libde265
  - x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/

[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 . It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The GitHub issue https://github.com/strukturag/libheif/issues/207 is open, though the developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The GitHub issue https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The GitHub issue https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The GitHub issue https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2. Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software: the package provides a HEIF image plugin used by other software, e.g. imagemagick
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using viewnior.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using viewnior package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream: https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package can not be tested at build or autopkgtest time because no tests are present; to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also a get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules: https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them is at:
  - aom: LP: #2004442
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
  - dav1d
  - libde265
  - x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/
2023-02-01 06:11:34 Vladimir Petko description
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 . It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The GitHub issue https://github.com/strukturag/libheif/issues/207 is open, though the developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The GitHub issue https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The GitHub issue https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The GitHub issue https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2. Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software: the package provides a HEIF image plugin used by other software, e.g. imagemagick
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using viewnior.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using viewnior package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream: https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package can not be tested at build or autopkgtest time because no tests are present; to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also a get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules: https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them is at:
  - aom: LP: #2004442
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
  - dav1d
  - libde265
  - x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/

[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
- libheif had 4 security issues in the past:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109 The GitHub issue https://github.com/strukturag/libheif/issues/207 is open, though the developer comments that it was fixed in 1.7.0
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499 Fixed in 1.5.0
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498 Fixed in 1.5.0.
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471 Fixed in 1.5.0.
  The vulnerable versions are libheif < 1.7.0, current version 1.14.2. Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software: the package provides a HEIF image plugin which processes untrusted input
[Quality assurance – function/usage]
- The package does not work well right after install. There is a bug filed in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using viewnior.
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
  Notice that libgd2 HEIF support is disabled.
- Compiling a sample that tries to save a HEIF file produces the following output "GD Warning: HEIF image support has been disabled"
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has no bugs open
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
- The package has important open bugs, listing them:
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC cannot be read using viewnior package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
- The package does not deal with exotic hardware we cannot support
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream: https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
This section is not complete, as the test plan/approach for developing autopkgtests needs to be discussed.
TODO: - The package can not be tested at build or autopkgtest time because TBD
TODO: to make up for that here TBD is a test plan/automation and example
TODO: test TBD (logs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also a get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors https://udd.debian.org/lintian/?packages=libheif
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages, see https://udd.debian.org/lintian/?packages=libheif, consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules: https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them is at:
  - aom: LP: #2004442
  - dav1d: LP: #2004446
  - libde265: LP: #2004449
  - x265: LP: #2004453
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/
2023-02-01 08:40:54 Lukas Märdian aom (Ubuntu): status Incomplete Invalid
2023-02-01 08:40:55 Lukas Märdian dav1d (Ubuntu): status Incomplete Invalid
2023-02-01 08:40:58 Lukas Märdian libde265 (Ubuntu): status Incomplete Invalid
2023-02-01 08:41:07 Lukas Märdian x265 (Ubuntu): status Incomplete Invalid
2023-02-01 08:41:33 Lukas Märdian bug task deleted libgd2 (Ubuntu)
2023-02-01 08:56:08 Vladimir Petko description
Old value:
[Availability]
The package libheif is already in ubuntu/universe. The package libheif builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
- libheif had 4 security issues in the past:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109 The github issue https://github.com/strukturag/libheif/issues/207 is open, though the developer comments that it was fixed in 1.7.0
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499 Fixed in 1.5.0
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498 Fixed in 1.5.0.
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471 Fixed in 1.5.0.
  The vulnerable versions are libheif < 1.7.0, current version 1.14.2. Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software: the package provides a HEIF image plugin which processes untrusted input
[Quality assurance – function/usage]
- The package does not work well right after install. There is a bug filed in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains a significant regression, HEIC can not be read using viewnior.
- Basic test cases pass:
    apt install imagemagick
    wget https://filesamples.com/samples/image/heif/sample1.heif
    convert -verbose sample1.heif test.gif
    wget https://filesamples.com/samples/image/heic/sample1.heic
    convert -verbose sample1.heic test1.gif
  Notice that libgd2 HEIF support is disabled.
- Compiling a sample that tries to save a HEIF file produces the following output: "GD Warning: HEIF image support has been disabled"
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has no bugs open
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
- The package has important open bugs, listing them:
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains a significant regression, HEIC can not be read using the viewnior package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
- The package does not deal with exotic hardware we cannot support
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream:
  https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
  https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present.
  Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
This section is not complete, as the test plan/approach for developing autopkgtests needs to be discussed.
TODO: - The package can not be tested at build or autopkgtest time because TBD
TODO: to make up for that here TBD is a test plan/automation and example
TODO: test TBD (logs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT a get-orig-head target is also present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors https://udd.debian.org/lintian/?packages=libheif
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages, see https://udd.debian.org/lintian/?packages=libheif; consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules: https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user application without desktop file: not needed because the application does not provide a GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIRs for them are at:
  - aom: LP: #2004442
  - dav1d: LP: #2004446
  - libde265: LP: #2004449
  - x265: LP: #2004453
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/
New value:
[Availability]
The package libheif is already in ubuntu/universe. The package libheif builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
- libheif had 4 security issues in the past:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109 The github issue https://github.com/strukturag/libheif/issues/207 is open, though the developer comments that it was fixed in 1.7.0
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499 Fixed in 1.5.0
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498 Fixed in 1.5.0.
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471 Fixed in 1.5.0.
  The vulnerable versions are libheif < 1.7.0, current version 1.14.2. Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software: the package provides a HEIF image plugin which processes untrusted input
[Quality assurance – function/usage]
- The package does not work well right after install. There is a bug filed in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains a significant regression, HEIC can not be read using viewnior.
- Basic test cases pass:
    apt install imagemagick
    wget https://filesamples.com/samples/image/heif/sample1.heif
    convert -verbose sample1.heif test.gif
    wget https://filesamples.com/samples/image/heic/sample1.heic
    convert -verbose sample1.heic test1.gif
  Notice that libgd2 HEIF support is disabled.
- Compiling a sample that tries to save a HEIF file produces the following output: "GD Warning: HEIF image support has been disabled"
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has no bugs open
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
- The package has important open bugs, listing them:
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains a significant regression, HEIC can not be read using the viewnior package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
- The package does not deal with exotic hardware we cannot support
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream:
  https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
  https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present.
  Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
This section is not complete, as the test plan/approach for developing autopkgtests needs to be discussed.
TODO: - The package can not be tested at build or autopkgtest time because TBD
TODO: to make up for that here TBD is a test plan/automation and example
TODO: test TBD (logs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT a get-orig-head target is also present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors https://udd.debian.org/lintian/?packages=libheif
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages, see https://udd.debian.org/lintian/?packages=libheif; consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules: https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user application without desktop file: not needed because the application does not provide a GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIRs for them are at:
  - aom: LP: #2004442
  - dav1d: LP: #2004446
  - libde265: LP: #2004449
  - x265: LP: #2004453
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/
2023-02-02 14:01:22 Lukas Märdian tags eoan fr-3316 rls-ll-incoming eoan fr-3316
2023-04-23 12:37:14 Marian Rainer-Harbach bug added subscriber Marian Rainer-Harbach
2024-04-18 14:14:48 Lukas Märdian libheif (Ubuntu): status In Progress Fix Committed
2024-04-19 06:19:36 Christian Ehrhardt  libheif (Ubuntu): status Fix Committed Fix Released