Comment 7 for bug 2004523

Fabian Toepfer (fabiantoepfer) wrote :

I reviewed libwebm 1.0.0.30-6 as checked into mantic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

libwebm is a library for processing the WebM container structure, an open
media file format designed for the web. The WebM structure is based on the
Matroska container and can contain video streams in VP8/VP9 format and audio
streams in Vorbis or Opus format. The project contains WebM and MKV parsers
and an MKV muxer as a library, as well as auxiliary tools to process media files
and display information. It is developed as part of the Chromium project by Google.

- CVE History
  - No open vulnerabilities
  - CVE-2016-1621 CRITICAL (android)
  - CVE-2016-2464 HIGH (android)
  - CVE-2018-6406 HIGH (heap-based buffer overflow)
  - CVE-2018-6548 CRITICAL (use-after-free)
  - CVE-2018-19212 MEDIUM (abort)
  - CVE-2019-2126 HIGH (double-free)
  - CVE-2019-9371 MEDIUM (improper input validation)
  - CVE-2019-9746 HIGH (NULL pointer dereference, abort)
- Build-Depends
  - cmake,
  - libgmock-dev (>= 1.10),
  - libgtest-dev (>= 1.10),
  - pkg-config,
  - python
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - dumpvtt
  - vttdemux
  - webm2pes
  - webm2ts
  - webm_info
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - unit tests exist and run during the build
  - autopkgtests exist and pass for all archs
- cron jobs
  - None
- Build logs
  - some warnings about uninitialized variables (-Wmaybe-uninitialized)

- Processes spawned
  - None
- Memory management
  - None
- File IO
  - The command line utilities take file paths as arguments from the user
- Logging
  - Logging is done in the utility programs mostly for unexpected error cases
- Environment variable usage
  - TEST_TMPDIR and LIBWEBM_TEST_DATA_PATH only for tests
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - Use of rand_r to generate uids for Track and Chapter classes
- Use of temp files
  - Creation of temp files only for tests using mkstemp
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None

- Any significant cppcheck results
  - None
- Any significant Coverity results
  - 171 Coverity findings of different types, but a lot of them are duplicates or false positives.
- Any significant shellcheck results
  - Only minor findings in build scripts
- Any significant bandit results
  - None
- Any significant govulncheck results
  - None

Source code analysis:

After skimming through the source code, I have the impression that it is well written and formatted; it contains lots of comments and some TODO statements with improvement tasks, which indicates it is reviewed by more than one person.

The project contains simple fuzzer harnesses for the mkvparser and webm_parser respectively.
I used them to fuzz both components and additionally fuzzed the included command-line utilities.
I fuzzed all targets with recent AFL++ on instrumented builds with ASAN enabled, using the included sample files as seed inputs, for over 5 hours. During this time, the coverage steadily increased and not a single crash occurred.

Security team ACK for promoting libwebm to main