2019-05-02 23:17:38 |
Steve Langasek |
bug |
|
|
added bug |
2019-05-02 23:18:09 |
Steve Langasek |
description |
[Availability]
Available on all architectures in universe from bionic forward.
[Rationale]
This is a new build-dependency added to imagemagick in Debian unstable. It implements support for decoding ISO/IEC 23008-12:2017 HEIF files, which are not otherwise supported by any libraries in Ubuntu main.
[Security]
One vulnerability was reported this year against libheif 1.4.0 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471). Debian currently has libheif 1.3.2. According to the upstream issue at https://github.com/strukturag/libheif/issues/123 the vulnerability was first introduced in an unreleased, git-only version of libheif (post-1.4.0), and found and fixed by the upstream community prior to finding its way into a tagged release. It is not clear to me that the vulnerability in question applies to 1.3.2.
[Quality assurance]
Packaging is lintian-clean using modern dh(1) patterns and shows no problematic bug history in Debian or Ubuntu.
Package runs make check at build time (debhelper), but has no build-time tests or autopkgtests available.
[Dependencies]
Also depends on x265 and libde265 which are in universe.
[Maintenance]
Package would be maintained by Ubuntu Foundations Team. |
[Availability]
Available on all architectures in universe from bionic forward.
[Rationale]
This is a new build-dependency added to imagemagick in Debian unstable. It implements support for decoding ISO/IEC 23008-12:2017 HEIF files, which are not otherwise supported by any libraries in Ubuntu main.
[Security]
One vulnerability was reported this year against libheif 1.4.0 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471). Debian currently has libheif 1.3.2. According to the upstream issue at https://github.com/strukturag/libheif/issues/123 the vulnerability was first introduced in an unreleased, git-only version of libheif (post-1.4.0), and found and fixed by the upstream community prior to finding its way into a tagged release. It is not clear to me that the vulnerability in question applies to 1.3.2.
This is a media file parser, so is security-sensitive because it will be processing complex untrusted input.
[Quality assurance]
Packaging is lintian-clean using modern dh(1) patterns and shows no problematic bug history in Debian or Ubuntu.
Package runs make check at build time (debhelper), but has no build-time tests or autopkgtests available.
[Dependencies]
Also depends on x265 and libde265 which are in universe.
[Maintenance]
Package would be maintained by Ubuntu Foundations Team. |
|
2019-05-02 23:18:13 |
Steve Langasek |
libheif (Ubuntu): status |
Incomplete |
New |
|
2019-05-02 23:18:32 |
Steve Langasek |
bug |
|
|
added subscriber MIR approval team |
2019-05-03 20:38:17 |
Mathieu Trudel-Lapierre |
libheif (Ubuntu): assignee |
|
Ubuntu Security Team (ubuntu-security) |
|
2019-05-08 01:51:05 |
Seth Arnold |
bug watch added |
|
https://github.com/strukturag/libheif/issues/128 |
|
2019-05-09 21:00:57 |
Dylan Aïssi |
bug |
|
|
added subscriber Dylan Aïssi |
2019-07-12 08:06:30 |
Joachim Bauch |
bug |
|
|
added subscriber Joachim Bauch |
2019-07-18 22:10:54 |
Steve Langasek |
bug task added |
|
x265 (Ubuntu) |
|
2019-07-18 22:11:01 |
Steve Langasek |
bug task added |
|
libde265 (Ubuntu) |
|
2019-09-17 14:37:48 |
Balint Reczey |
bug task added |
|
imagemagick (Ubuntu) |
|
2019-09-17 14:38:03 |
Balint Reczey |
imagemagick (Ubuntu): status |
New |
Invalid |
|
2019-09-17 14:39:01 |
Balint Reczey |
tags |
eoan |
eoan update-excuse |
|
2019-09-18 12:11:53 |
Balint Reczey |
imagemagick (Ubuntu): status |
Invalid |
Fix Released |
|
2019-09-18 15:17:59 |
Balint Reczey |
imagemagick (Ubuntu): status |
Fix Released |
Won't Fix |
|
2019-09-18 15:21:27 |
Launchpad Janitor |
libde265 (Ubuntu): status |
New |
Confirmed |
|
2019-09-18 15:21:27 |
Launchpad Janitor |
libheif (Ubuntu): status |
New |
Confirmed |
|
2019-09-18 15:21:27 |
Launchpad Janitor |
x265 (Ubuntu): status |
New |
Confirmed |
|
2019-09-18 15:21:53 |
Balint Reczey |
bug task deleted |
imagemagick (Ubuntu) |
|
|
2019-09-19 12:30:17 |
Balint Reczey |
tags |
eoan update-excuse |
eoan |
|
2019-10-24 02:38:00 |
Seth Arnold |
attachment added |
|
Coverity results https://bugs.launchpad.net/ubuntu/+source/libheif/+bug/1827442/+attachment/5299625/+files/coverity.txt |
|
2020-02-26 14:01:59 |
Dylan Aïssi |
removed subscriber Dylan Aïssi |
|
|
|
2020-02-27 04:21:39 |
Seth Arnold |
cve linked |
|
2019-11471 |
|
2020-02-27 04:21:49 |
Seth Arnold |
bug |
|
|
added subscriber Seth Arnold |
2020-02-27 04:21:53 |
Seth Arnold |
libheif (Ubuntu): assignee |
Ubuntu Security Team (ubuntu-security) |
|
|
2020-02-27 07:43:41 |
Joachim Bauch |
bug |
|
|
added subscriber Dirk Farin |
2021-05-11 14:42:57 |
Christian Ehrhardt |
libheif (Ubuntu): status |
Confirmed |
In Progress |
|
2021-05-11 14:46:38 |
Christian Ehrhardt |
x265 (Ubuntu): status |
Confirmed |
Incomplete |
|
2021-05-11 14:46:40 |
Christian Ehrhardt |
libde265 (Ubuntu): status |
Confirmed |
Incomplete |
|
2022-05-23 21:38:22 |
Steve Langasek |
libde265 (Ubuntu): status |
Incomplete |
Won't Fix |
|
2022-05-23 21:38:29 |
Steve Langasek |
libheif (Ubuntu): status |
In Progress |
Won't Fix |
|
2022-05-23 21:38:31 |
Steve Langasek |
x265 (Ubuntu): status |
Incomplete |
Won't Fix |
|
2022-11-07 23:26:58 |
Steve Langasek |
libheif (Ubuntu): status |
Won't Fix |
In Progress |
|
2022-11-07 23:28:45 |
Steve Langasek |
libde265 (Ubuntu): status |
Won't Fix |
Incomplete |
|
2022-11-07 23:28:46 |
Steve Langasek |
x265 (Ubuntu): status |
Won't Fix |
New |
|
2022-11-07 23:28:56 |
Steve Langasek |
x265 (Ubuntu): status |
New |
Incomplete |
|
2022-11-08 15:51:26 |
Lukas Märdian |
libheif (Ubuntu): status |
In Progress |
New |
|
2022-11-15 15:48:55 |
Christian Ehrhardt |
libheif (Ubuntu): status |
New |
Incomplete |
|
2022-11-16 10:59:28 |
Lukas Märdian |
bug task added |
|
aom (Ubuntu) |
|
2022-11-16 10:59:34 |
Lukas Märdian |
aom (Ubuntu): status |
New |
Incomplete |
|
2022-11-16 10:59:46 |
Lukas Märdian |
bug task added |
|
dav1d (Ubuntu) |
|
2022-11-16 10:59:52 |
Lukas Märdian |
dav1d (Ubuntu): status |
New |
Incomplete |
|
2022-11-16 12:17:19 |
Jeremy Bícha |
bug |
|
|
added subscriber Jeremy Bicha |
2022-11-17 07:30:25 |
Christian Ehrhardt |
libheif (Ubuntu): status |
Incomplete |
In Progress |
|
2023-01-20 21:15:32 |
Joachim Bauch |
bug watch added |
|
https://github.com/strukturag/libheif/issues/745 |
|
2023-01-24 15:54:06 |
Lukas Märdian |
bug task added |
|
libgd2 (Ubuntu) |
|
2023-01-24 15:54:16 |
Lukas Märdian |
libgd2 (Ubuntu): assignee |
|
Canonical Foundations Team (canonical-foundations) |
|
2023-01-24 15:54:21 |
Lukas Märdian |
tags |
eoan |
eoan rls-ll-incoming |
|
2023-01-27 09:35:00 |
Vladimir Petko |
tags |
eoan rls-ll-incoming |
eoan fr-3316 rls-ll-incoming |
|
2023-01-31 02:09:35 |
Vladimir Petko |
description |
[Availability]
Available on all architectures in universe from bionic forward.
[Rationale]
This is a new build-dependency added to imagemagick in Debian unstable. It implements support for decoding ISO/IEC 23008-12:2017 HEIF files, which are not otherwise supported by any libraries in Ubuntu main.
[Security]
One vulnerability was reported this year against libheif 1.4.0 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471). Debian currently has libheif 1.3.2. According to the upstream issue at https://github.com/strukturag/libheif/issues/123 the vulnerability was first introduced in an unreleased, git-only version of libheif (post-1.4.0), and found and fixed by the upstream community prior to finding its way into a tagged release. It is not clear to me that the vulnerability in question applies to 1.3.2.
This is a media file parser, so is security-sensitive because it will be processing complex untrusted input.
[Quality assurance]
Packaging is lintian-clean using modern dh(1) patterns and shows no problematic bug history in Debian or Ubuntu.
Package runs make check at build time (debhelper), but has no build-time tests or autopkgtests available.
[Dependencies]
Also depends on x265 and libde265 which are in universe.
[Maintenance]
Package would be maintained by Ubuntu Foundations Team. |
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
[Quality assurance – function/usage]
- The package works well right after install
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output:
```
GD Warning: HEIF image support has been disabled
```
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package can not be tested at build or autopkgtest time because no tests are present to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
- aom
- dav1d
- libde265
- x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/ |
|
2023-01-31 02:11:14 |
Vladimir Petko |
description |
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
[Quality assurance – function/usage]
- The package works well right after install
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output:
```
GD Warning: HEIF image support has been disabled
```
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package can not be tested at build or autopkgtest time because no tests are present to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
- aom
- dav1d
- libde265
- x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/ |
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output:
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package can not be tested at build or autopkgtest time because no tests are present to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
- aom
- dav1d
- libde265
- x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/ |
|
2023-01-31 02:12:05 |
Vladimir Petko |
attachment added |
|
make-target-to-uscan.diff https://bugs.launchpad.net/ubuntu/+source/libheif/+bug/1827442/+attachment/5644071/+files/make-target-to-uscan.diff |
|
2023-02-01 00:36:31 |
Vladimir Petko |
description |
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output:
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package can not be tested at build or autopkgtest time because no tests are present to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
- aom
- dav1d
- libde265
- x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/ |
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software: the package provides a HEIF image plugin used by other software, e.g. imagemagick
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output:
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package can not be tested at build or autopkgtest time because no tests are present to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
- aom
- dav1d
- libde265
- x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/ |
|
2023-02-01 02:13:29 |
Vladimir Petko |
description |
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software: the package provides a HEIF image plugin used by other software, e.g. imagemagick
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output:
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package can not be tested at build or autopkgtest time because no tests are present to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
- aom
- dav1d
- libde265
- x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/ |
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software: the package provides a HEIF image plugin used by other software, e.g. imagemagick
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output:
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package can not be tested at build or autopkgtest time because no tests are present to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
is at:
- aom: LP: #2004442
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
- dav1d
- libde265
- x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/ |
|
2023-02-01 06:11:34 |
Vladimir Petko |
description |
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software: the package provides a HEIF image plugin used by other software, e.g. imagemagick
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice that libgd2 HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output:
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does not have failing autopkgtests right now
- [NOT COMPLETE]: The package can not be tested at build or autopkgtest time because no tests are present to make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
is at:
- aom: LP: #2004442
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
- dav1d
- libde265
- x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/ |
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on.
It currently builds and works for architectures:
amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding
ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user
base, but is important/helpful still because no other package in main supports
decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already
support.
- It would be great and useful to community/processes to have the package
libheif in Ubuntu main, but there is no definitive deadline.
[Security]
- libheif had 4 security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109
The github issue: https://github.com/strukturag/libheif/issues/207 is open,
though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499
Fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498
Fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471
Fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and
bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software:
the package provides a HEIF image plugin which processes untrusted input
[Quality assurance – function/usage]
- The package does not work well right after install. There is a bug filed in
debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
1.14.2 contains significant regression, HEIC can not be read using viewnoir.
- Basic test cases pass:
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
Notice that libgd2 HEIF support is disabled.
- Compiling a sample that tries to save a HEIF file produces the following output
"GD Warning: HEIF image support has been disabled"
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has no bugs open
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125
Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
1.14.2 contains significant regression, HEIC can not be read using
viewnoir package [confirmed in lunar].
Downgrading to 1.13.0-1 solves the issue.
- The package does not deal with exotic hardware we cannot support
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are
present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are
present.
Note: upstream contains a CI script that can be adapted for autopkgtests:
https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
This section is not complete, as the test plan/approach for developing
autopkgtests needs to be discussed.
TODO: - The package can not be tested at build or autopkgtest time because TBD
TODO: to make up for that here TBD is a test plan/automation and example
TODO: test TBD (logs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present
in debian/rules that produces a different result.
There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
https://udd.debian.org/lintian/?packages=libheif
- Please link to a recent build log of the package
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an
extra post to this bug.
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages
see https://udd.debian.org/lintian/?packages=libheif, consider using
libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules:
https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application
does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
is at:
- aom: LP: #2004442
- dav1d: LP #2004446
- libde265: LP #2004449
- x265: LP #2004453
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/ |
|
2023-02-01 08:40:54 |
Lukas Märdian |
aom (Ubuntu): status |
Incomplete |
Invalid |
|
2023-02-01 08:40:55 |
Lukas Märdian |
dav1d (Ubuntu): status |
Incomplete |
Invalid |
|
2023-02-01 08:40:58 |
Lukas Märdian |
libde265 (Ubuntu): status |
Incomplete |
Invalid |
|
2023-02-01 08:41:07 |
Lukas Märdian |
x265 (Ubuntu): status |
Incomplete |
Invalid |
|
2023-02-01 08:41:33 |
Lukas Märdian |
bug task deleted |
libgd2 (Ubuntu) |
|
|
2023-02-01 08:56:08 |
Vladimir Petko |
description |
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on.
It currently builds and works for architectures:
amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding
ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user
base, but is important/helpful still because no other package in main supports
decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already
support.
- It would be great and useful to community/processes to have the package
libheif in Ubuntu main, but there is no definitive deadline.
[Security]
- libheif had 4 security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109
The github issue: https://github.com/strukturag/libheif/issues/207 is open,
though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499
Fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498
Fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471
Fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and
bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software:
the package provides HEIF image plugin which processes untrusted input
[Quality assurance – function/usage]
- The package does not work well right after install. There is a bug filed in
debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
1.14.2 contains significant regression, HEIC can not be read using viewnoir.
- Basic test cases pass:
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
Notice, that libgd2 HEIF support is disabled.
- Compiling a sample that tries to save HEIF file produces following output
"GD Warning: HEIF image support has been disabled"
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has no bugs open
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125
Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
1.14.2 contains significant regression, HEIC can not be read using
viewnoir package [confirmed in lunar].
Downgrading to 1.13.0-1 solves the issue.
- The package does not deal with exotic hardware we cannot support
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are
present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are
present.
Note: upstream contains a CI script that can be adapted for autopkgtests:
https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
This section is not complete, as the test plan/approach for developing
autopkgtests needs to be discussed.
TODO: - The package can not be tested at build or autopkgtest time because TBD
TODO: to make up for that here TBD is a test plan/automation and example
TODO: test TBD (logs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present
in debian/rules that produces a different result.
There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
https://udd.debian.org/lintian/?packages=libheif
- Please link to a recent build log of the package
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an
extra post to this bug.
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages
see https://udd.debian.org/lintian/?packages=libheif, consider using
libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules:
https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application
does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
is at:
- aom: LP: #2004442
- dav1d: LP #2004446
- libde265: LP #2004449
- x265: LP #2004453
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/ |
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on.
It currently builds and works for architectures:
amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding
ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user
base, but is important/helpful still because no other package in main supports
decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already
support.
- It would be great and useful to community/processes to have the package
libheif in Ubuntu main, but there is no definitive deadline.
[Security]
- libheif had 4 security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109
The github issue: https://github.com/strukturag/libheif/issues/207 is open,
though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499
Fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498
Fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471
Fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and
bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software:
the package provides HEIF image plugin which processes untrusted input
[Quality assurance – function/usage]
- The package does not work well right after install. There is a bug filed in
debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
1.14.2 contains significant regression, HEIC can not be read using viewnoir.
- Basic test cases pass:
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
Notice, that libgd2 HEIF support is disabled.
- Compiling a sample that tries to save HEIF file produces following output
"GD Warning: HEIF image support has been disabled"
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has no bugs open
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125
Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
1.14.2 contains significant regression, HEIC can not be read using
viewnoir package [confirmed in lunar].
Downgrading to 1.13.0-1 solves the issue.
- The package does not deal with exotic hardware we cannot support
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are
present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are
present.
Note: upstream contains a CI script that can be adapted for autopkgtests:
https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
This section is not complete, as the test plan/approach for developing
autopkgtests needs to be discussed.
TODO: - The package can not be tested at build or autopkgtest time because TBD
TODO: to make up for that here TBD is a test plan/automation and example
TODO: test TBD (logs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present
in debian/rules that produces a different result.
There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
https://udd.debian.org/lintian/?packages=libheif
- Please link to a recent build log of the package
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an
extra post to this bug.
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages
see https://udd.debian.org/lintian/?packages=libheif, consider using
libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules:
https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application
does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
is at:
- aom: LP: #2004442
- dav1d: LP: #2004446
- libde265: LP: #2004449
- x265: LP: #2004453
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/ |
|
2023-02-02 14:01:22 |
Lukas Märdian |
tags |
eoan fr-3316 rls-ll-incoming |
eoan fr-3316 |
|
2023-04-23 12:37:14 |
Marian Rainer-Harbach |
bug |
|
|
added subscriber Marian Rainer-Harbach |
2024-04-18 14:14:48 |
Lukas Märdian |
libheif (Ubuntu): status |
In Progress |
Fix Committed |
|
2024-04-19 06:19:36 |
Christian Ehrhardt |
libheif (Ubuntu): status |
Fix Committed |
Fix Released |
|