[MIR] libwebp

Bug #1186553 reported by Jeremy Bicha
Affects: libwebp (Ubuntu)
Status: Fix Released

Bug Description

1. Availability: The latest version is available in Saucy
2. Rationale: Required build-dependency of webkitgtk 2.0 and I think webkitgtk 2.0 should be in 13.10:

webp is Google's new format for compressed lossy or lossless images with fairly significant size savings. Support for the format is built into Chromium.

3. Security: LP: #1166556

4. QA: No open Debian bugs
5. UI standards: N/A
6. Dependencies: All in main
7. Standards Compliance: 3.9.3
8. Maintenance: In sync with Debian

git.chromium.org/gitweb/?p=webm/libwebp.git (site is down today though)

ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: libwebp4 0.3.0-3
ProcVersionSignature: Ubuntu 3.9.0-2.7-generic 3.9.3
Uname: Linux 3.9.0-2-generic x86_64
ApportVersion: 2.10.2-0ubuntu1
Architecture: amd64
Date: Sat Jun 1 09:40:55 2013
MarkForUpload: True
SourcePackage: libwebp
UpgradeStatus: Upgraded to saucy on 2013-05-07 (24 days ago)

Revision history for this message
Jeremy Bicha (jbicha) wrote :
description: updated
Revision history for this message
Michael Terry (mterry) wrote :

As this is a format parser, especially a web-oriented one, we'll need a security review. Assigning the MIR to Jamie.

Changed in libwebp (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Revision history for this message
Sebastien Bacher (seb128) wrote :

Jamie, do you have an estimate on when you will be able to do that review? The new webkit is mostly ready for upload to saucy...

Changed in libwebp (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I reviewed libwebp version 0.3.0-3 from saucy. This should not be
considered a full security audit, but rather a quick gauge of code

- Package provides routines for lossy and lossless image encoding / decoding
- Build-deps are image processing libraries
- No daemons, no networking itself, no initscripts, no dbus services,
  no setuid, no sudo, no cron
- Two unprivileged binaries in /usr/bin, dwebp and cwebp, to encode and
  decode images
- Clean buildlogs
- No spawned subprocesses
- Careful memory management
- Very few file open()s, all in examples/, looked safe
- Logging looked safe, most is library code without logging
- No environment use
- No encryption
- No privileged portions of code
- No /tmp/ files
- No webkit, no JS

This code is extremely complicated in portions; depending upon the nature of
potential security issues, we may be heavily reliant upon upstream for fixes.
That said, the code is careful and well-written.

Security team ACK for including in main.


Changed in libwebp (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
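The review above is a checklist walk over the source tree: spawned subprocesses, environment use, /tmp files, file opens, privileged calls, and where each of them lives (library code versus examples/). The script below is an added example of how a reviewer might script that first pass; it is not libwebp code, not Ubuntu MIR tooling, and not part of any comment on this page. It assumes POSIX sh with find, grep and mktemp; the regex lists, the src/ versus examples/ split and the "quiet library" rule are this example's own choices, and the two-file source tree it builds is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not libwebp code, not Ubuntu MIR tooling): a scripted first
# pass over a C source tree for the items on the review checklist.
# Assumptions: POSIX sh, find, grep, mktemp; the regex lists and the
# src/ vs examples/ split are this example's own choices.
set -eu

# One extended regex per checklist item. The (^|[^A-Za-z0-9_]) prefix stops
# "fopen(" from also counting as "open(" and "secure_getenv" from counting
# twice as "getenv".
SUBPROC_RE='(^|[^A-Za-z0-9_])(system|popen|execl|execlp|execle|execv|execvp|execve|fork|vfork|posix_spawn)[[:space:]]*\('
ENV_RE='(^|[^A-Za-z0-9_])(getenv|secure_getenv|setenv|putenv)[[:space:]]*\('
TMP_RE='/tmp|(^|[^A-Za-z0-9_])(mktemp|mkstemp|tmpfile|tmpnam|tempnam)[[:space:]]*\('
OPEN_RE='(^|[^A-Za-z0-9_])(open|openat|creat|fopen|freopen)[[:space:]]*\('
PRIV_RE='(^|[^A-Za-z0-9_])(setuid|seteuid|setresuid|setgid|setegid|setresgid)[[:space:]]*\('

# count_pattern DIR REGEX: number of lines in DIR's .c/.h files matching REGEX.
# grep's "no match" exit status is deliberately swallowed by the pipeline.
count_pattern() {
  find "$1" -type f -name '*.[ch]' -exec grep -E -- "$2" {} + | wc -l | tr -d ' '
}

# triage_dir DIR: one "item=count" line per checklist item.
triage_dir() {
  printf 'subprocess=%s\n'  "$(count_pattern "$1" "$SUBPROC_RE")"
  printf 'environment=%s\n' "$(count_pattern "$1" "$ENV_RE")"
  printf 'tmpfiles=%s\n'    "$(count_pattern "$1" "$TMP_RE")"
  printf 'fileopen=%s\n'    "$(count_pattern "$1" "$OPEN_RE")"
  printf 'privileged=%s\n'  "$(count_pattern "$1" "$PRIV_RE")"
}

# library_is_quiet DIR: succeed only if every item counts zero, i.e. DIR holds
# pure library code with no process, environment, tmp or file I/O.
library_is_quiet() {
  for re in "$SUBPROC_RE" "$ENV_RE" "$TMP_RE" "$OPEN_RE" "$PRIV_RE"; do
    [ "$(count_pattern "$1" "$re")" = 0 ] || return 1
  done
  return 0
}

# make_sample_tree: a constructed two-directory tree shaped like the review's
# finding (quiet library code, file opens only in examples/). Prints its path.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/src" "$dir/examples"
  cat > "$dir/src/decode.c" <<'EOF'
#include <stdlib.h>
/* library code: allocation only, no file or process I/O */
void *dec_alloc(size_t n) { return malloc(n); }
EOF
  cat > "$dir/examples/dwebp.c" <<'EOF'
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv) {
  FILE *in = fopen(argv[1], "rb");        /* file open: expected in a CLI tool */
  const char *dbg = getenv("WEBP_DEBUG"); /* environment use */
  system("ls /tmp");                      /* subprocess and /tmp reference */
  return in && dbg ? 0 : 1;
}
EOF
  printf '%s\n' "$dir"
}

# run_demo [TREE]: triage src/ and examples/ under TREE, or under a
# constructed tree when no path is given.
run_demo() {
  tree=${1:-}
  cleanup=0
  if [ -z "$tree" ]; then
    tree=$(make_sample_tree)
    cleanup=1
  fi
  for sub in src examples; do
    [ -d "$tree/$sub" ] || continue
    printf '== %s ==\n' "$sub"
    triage_dir "$tree/$sub"
    if library_is_quiet "$tree/$sub"; then
      printf 'verdict: nothing flagged\n'
    else
      printf 'verdict: read the flagged lines in context\n'
    fi
  done
  if [ "$cleanup" = 1 ]; then rm -rf "$tree"; fi
}

run_demo "${1:-}"
```

Run it as `sh mir_triage.sh /path/to/checkout` against a real tree. A zero count is only a cue that nothing obvious turned up, not a proof of absence, and a hit in examples/ (as with the fopen in the constructed tree) calls for reading the call in context rather than a verdict on its own. None of these patterns say anything about the decoding logic itself, which for a format parser is where the real exposure sits and why the review ends by noting its reliance on upstream for fixes.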
Revision history for this message
Michael Terry (mterry) wrote :

I reviewed the packaging and maintainability, looks fine. Except that it's missing an Ubuntu team bug subscriber. What team is going to look after this?

Changed in libwebp (Ubuntu):
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for libwebp (Ubuntu) because there has been no activity for 60 days.]

Changed in libwebp (Ubuntu):
status: Incomplete → Expired
Iain Lane (laney)
Changed in libwebp (Ubuntu):
status: Expired → New
Revision history for this message
Iain Lane (laney) wrote :

Desktop team will look after it. The desktop-bugs team is now subscribed. Mike, could you take another look at this request?

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

It will be possible to compile imagemagick against libwebp, and convert will gain the ability to convert to/from webp images.

Michael Terry (mterry)
Changed in libwebp (Ubuntu):
status: New → Fix Committed
Revision history for this message
Iain Lane (laney) wrote :

seb128 promoted this

Changed in libwebp (Ubuntu):
status: Fix Committed → Fix Released