[MIR] librevenge

Bug #1328194 reported by Rico Tzschichholz
Affects: librevenge (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Rationale: newly needed by LibreOffice 4.3, a core app,
and several of its dependencies which are in main already like
* libcdr 0.1.0
* libmspub 0.1.0
* libvisio 0.1.0
* libwpd 0.10.1
* libwpg 0.3.0
* libwps 0.3.0

Rico Tzschichholz (ricotz) wrote :
Michael Terry (mterry) wrote :

Blockers:
- No team bug subscriber, for whoever will look after this in Ubuntu
- This appears to be a document parser as well as a document writer, so should probably have a quick security check. Subscribing ubuntu-security

Other comments:
- No symbols file, boo! Please consider adding one
- In sync with Debian, yay!
- Has tests and runs them during build, yay!
- No bugs in Debian or Ubuntu
- Builds cleanly
- All dependencies are in main already

Changed in librevenge (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
status: New → Incomplete
Colin Watson (cjwatson) wrote :

seb128 subscribed desktop-bugs to this, so the remaining blocker is just a security check.

Changed in librevenge (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → Seth Arnold (seth-arnold)
Seth Arnold (seth-arnold) wrote :

I reviewed librevenge version 0.0.1-1 as checked into utopic. This
shouldn't be considered a full security audit, rather a quick gauge of
code quality.

- librevenge provides interfaces for document import filters
- Build-Depends: autotools-dev, dh-autoreconf, debhelper, libboost-dev,
  libboost-filesystem-dev, libcppunit-dev, pkg-config, zlib1g-dev
- No networking
- No cryptography
- Does not daemonize
- No maintainer scripts
- No initscripts
- No dbus
- No setuid
- No binaries in bin/
- No udev rules
- Test suite run during build
- No cronjobs
- Build logs clean

- No subprocesses spawned
- Memory management is mixed; some C, some 'new' and 'delete'
- File IO is under control of callers
- No logging
- No environment variables
- No privileged portions of code
- No cryptography
- No networking
- No temporary files
- No webkit
- Clean cppcheck
- No PolicyKit

librevenge's code quality is mixed; most looks average, but obvious
opportunities for code cleanup have been overlooked and there are more
type casts than usual. The library seems to lack a clear vision of what
primitive data types it uses and why it uses them.

I suspect as this library matures we'll have a potentially larger
maintenance burden than usual as a result of code cleanups.

Security team ACK for promoting librevenge to main.

Thanks

Changed in librevenge (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
Colin Watson (cjwatson) wrote :

Thanks! Rico, if there's anything you can do to relay concerns upstream, please do.

Changed in librevenge (Ubuntu):
status: Incomplete → Fix Committed
Colin Watson (cjwatson) wrote :

Moved to main.

Changed in librevenge (Ubuntu):
status: Fix Committed → Fix Released