[MIR] libmysofa

TODO: Review for Package: libmysofa

[Summary]
MIR team ACK
Due to the history of unresolved CVE, this does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: libmysofa1

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- SRCPKG checked with `check-mir`
- all dependencies can be found in `seeded-in-ubuntu` (already in main)
- none of the (potentially auto-generated) dependencies (Depends
  and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries

OK:
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- history of CVEs does look concerning, especially the non triaged ones.
- does not parse data formats (files audio) from an untrusted source.
For both those reasons,

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking is in place
- debian/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case

@seb128, is libmysofa-utils required in main?

@Mark, I don't think it is required no

Because libmysofa is now stuck in the security backlog, and I am the reviewer, I wanted to let you know about recent events.

Meanwhile, I've sent two emails to the upstream: one soon after starting the review, containing a piece of exposed sensitive information, and another after finishing the study, containing recommendations to improve the security posture of the package. I have not received a response to any of these emails. Furthermore, there has been no activity in the repository since July.

Because I am not prepared to complete this review, I suggest deferring the decision until the following cycle. This will also give upstream more time to respond to our observation and, eventually, work on the recommended security best practices.

@George-Andrei, thanks for the status update. It's too late in the mantic cycle to enable that feature now anyway so next cycle is fine for us

I do not get it. All CVEs have been address in short time in the past. To my understanding, no know security issues is open.

I've updated the description, it seems the CVEs are indeed addressed in the current version/Ubuntu serie.

Upstream seems to be also somewhat active, there has been some recent activity and a new release in octobre.

@George-Andrei, did you get any reply to your emails?

@seb128, I mentioned in #4 that I sent two emails to Christian. Those were sent via the Canonical email address. As I received no response, I sent another email from a personal email address on 6 December. Christian mentioned in an email from 11 December that he didn't receive the two initial emails, so I sent those again from the personal email address. He said that he would take care of my proposals in the following weeks, but I got no response in the meantime.

I reviewed `libmysofa` `1.3.1~dfsg0-1ubuntu2` as checked into mantic. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

`libmysofa` is a C library for reading files in the Spatially Oriented Format
for Acoustics (SOFA) format, if they embed head-related transfer functions
(HRTF) stored according to the AES69-2015 standard. In addition, it verifies
compliance with SimpleFreeFieldHRIR and provides functions to look up and
interpolate filters and normalize HRTFs.

`libmysofa` is the official C recommendation from www.sofaconventions.org. It
has a minimal number of dependencies, which makes it suitable for embedded
devices.

- CVE History
  - There were 15 CVEs assigned for vulnerabilities in `libmysofa`.
    - The most prevalent categories of vulnerabilities are:
      - Out-of-bound heap write;
      - Out-of-bound heap read;
      - Stack buffer overflow; and
      - NULL pointer dereferences.
    - Their CVSS v3 scores were:
      - 4 critical;
      - 6 high;
      - 5 medium
    - Multiple CVEs affects `mysofa2json`, a program that is owned by `root`
after installing the package. The vulnerabilities seem to be mostly discovered
by fuzzers as the fuzzing environment is easy to set (the program takes as an
argument the SOFA file to be processed).
  - A vulnerability was reported through huntr.dev, a bug bounty platform for
OSS projects. The rest of 4 vulnerabilities there were patched, but they didn't
get a CVE ID (a response from the main maintainer stated that "Sorry, I do not
have time to take care of CVE numbers."). This means that UST doesn't have a
notification mechanism.
  - Before 2021, the vulnerabilities received a patch in a couple of days (from
one to five) or months (e.g., issue #135 from GitHub). Starting from the moment
when the security policy was updated (with a template one, present in multiple
OSS projects), no vulnerabilities were reported so that we could validate the
statements in the policy (e.g., that the response time is usually measured in
days).
  - Another worrying aspect is that the GitHub issues are not tagged. In this
way, downstreams will know if there is a security issue by monitoring the
GitHub issues tagged with a security-related tag.
- Build-Depends
  - `cmake` as a make system
  - `debhelper-compat` for automating tasks related to Debian packaging
  - `libcunit1-dev` for unit testing
  - `nodejs` for autopkgtests, where two JavaScript programs are run for
comparing JSON files (e.g., `json-diff.js`)
  - `zlib1g-dev` or `libz-dev` for implementing deflate compression with gzip
in `hdf/gunzip.c`
- pre/post inst/rm scripts
  - N/A
- init scripts
  - TODO
- systemd units
  - N/A
- dbus services
  - N/A
- setuid binaries
  - N/A
- binaries in PATH
  - `/usr/bin/mysofa2json`, which will be owned by `root`
    - Have security mechanisms enabled, such as PIE, stack canaries, FORTIFY
and RELRO.
- sudo fragments
  - N/A
- polkit files
  - N/A
- udev rules
  - N/A
- unit tests / autopkgtests
  - CUnit tests are defined in `src/tests/*.c` and defined in `CMakeLists.txt`
for the "test" target.
  - autopkgtests are running JavaScript comparison script thro...

@desktop-packages, as you would have been the owning team for this package, could you please mention the impact of the NACK for you? Is this a blocker for further work?

@George-Andrei, thanks for the security review and the ping! The Nack isn't a real problem for us, the depends is optional for the pipewire package and so far 3D audio isn't something our users have been nagging us about.

Thanks for the confirmation, Sebastien!