I reviewed libsdl2 2.0.14+dfsg2-3 as checked into impish. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
libsdl2 is a replacement for libsdl1.2 and provides abstractions over
access to video devices, audio, and input devices, often used by games or
game engines and other applications wishing to provide user interfaces.
- CVE History:
- 16 historical CVEs over a large code-base written in C
- I expected more to be honest so this is encouraging
- Build-Depends
- Large list of depends, none out of the ordinary or sensitive
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- 1 binary in PATH from the libsdl2-dev package:
- -rwxr-xr-x root/root 1307 2021-01-19 01:05 ./usr/bin/sdl2-config
- this is equivalent of pkg-config and is used to get cflags/ldflags etc
when compliling and application against libsdl2
- No sudo fragments
- No polkit files
- No udev rules
- No cron jobs
- unit tests / autopkgtests
- No unit tests run during build that I could see but autopkgtests
include a basic test to ensure compiling against libsdl2-dev works via
both cmake and using pkg-config directly
- Build logs:
- Lots of doxygen related noise in the build logs but nothing of note.
- No Processes spawned
- Memory management is all manual
- libsdl2 is written in C so all memory management is done manually,
however looking over a sample of the code this looks relatively careful
and defensive. There were some instances where callers would not check
for a NULL return value on memory allocation (which could occur when no
memory is available), however this likely would only lead to a crash on
a NULL ptr dereference in subsequent code and hence a denial-of-service
but given these cases occur when low on memory anyway the impact is not
much different so they are not too concerning.
- File IO
- Open joystick device-files etc and these are names are detected by
walking sysfs etc so are safe from untrusted input
- Logging appears to be careful to avoid format string vulns etc
- Uses lots of environment variables to allow to specify various device
names or even location of configuration files etc. Whilst they might be
able to be abused by the user of the library, since libsdl2 is a library
it does not have elevated privileges to cause any effect as a result so
this is generally not likely to be an issue.
- Lots of use of privileged functions (e.g. ioctl()) but this is expected
and again not likely able to cross any security boundary
- No use of cryptography / random number sources etc
- No use of temp files
- No obvious use of networking
- No use of WebKit
- No use of PolicyKit
- No significant cppcheck results
- A large number of issues reported by Coverity, most are likely false
positives or perhaps of low impact, again since the use of libsdl2 does
not cross a privilege boundary
For a very large library written in C, libsdl2 is in better shape than I
had feared. The extensive use of manual memory management and the handling
of various APIs and devices means there would be a lot of scope for errors
but I did not see any evidence of anything that would give me significant
cause for concern.
I reviewed libsdl2 2.0.14+dfsg2-3 as checked into impish. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
libsdl2 is a replacement for libsdl1.2 and provides abstractions over
access to video devices, audio, and input devices, often used by games or
game engines and other applications wishing to provide user interfaces.
- CVE History: sdl2-config
- 16 historical CVEs over a large code-base written in C
- I expected more to be honest so this is encouraging
- Build-Depends
- Large list of depends, none out of the ordinary or sensitive
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- 1 binary in PATH from the libsdl2-dev package:
- -rwxr-xr-x root/root 1307 2021-01-19 01:05 ./usr/bin/
- this is equivalent of pkg-config and is used to get cflags/ldflags etc
when compliling and application against libsdl2
- No sudo fragments
- No polkit files
- No udev rules
- No cron jobs
- unit tests / autopkgtests
- No unit tests run during build that I could see but autopkgtests
include a basic test to ensure compiling against libsdl2-dev works via
both cmake and using pkg-config directly
- Build logs:
- Lots of doxygen related noise in the build logs but nothing of note.
- No Processes spawned
- Memory management is all manual
- libsdl2 is written in C so all memory management is done manually,
however looking over a sample of the code this looks relatively careful
and defensive. There were some instances where callers would not check
for a NULL return value on memory allocation (which could occur when no
memory is available), however this likely would only lead to a crash on
a NULL ptr dereference in subsequent code and hence a denial-of-service
but given these cases occur when low on memory anyway the impact is not
much different so they are not too concerning.
- File IO
- Open joystick device-files etc and these are names are detected by
walking sysfs etc so are safe from untrusted input
- Logging appears to be careful to avoid format string vulns etc
- Uses lots of environment variables to allow to specify various device
names or even location of configuration files etc. Whilst they might be
able to be abused by the user of the library, since libsdl2 is a library
it does not have elevated privileges to cause any effect as a result so
this is generally not likely to be an issue.
- Lots of use of privileged functions (e.g. ioctl()) but this is expected
and again not likely able to cross any security boundary
- No use of cryptography / random number sources etc
- No use of temp files
- No obvious use of networking
- No use of WebKit
- No use of PolicyKit
- No significant cppcheck results
- A large number of issues reported by Coverity, most are likely false
positives or perhaps of low impact, again since the use of libsdl2 does
not cross a privilege boundary
For a very large library written in C, libsdl2 is in better shape than I
had feared. The extensive use of manual memory management and the handling
of various APIs and devices means there would be a lot of scope for errors
but I did not see any evidence of anything that would give me significant
cause for concern.
Security team ACK for promoting libsdl2 to main.