I reviewed libwpe 1.12.0-1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

libwpe provides a common interface between WPE WebKit (and potentially any WebKit port) and its rendering backends.

- CVE History:
  - No CVEs
- Build-Depends?
  - No encryption or networking build dependencies
- pre/post inst/rm scripts?
  - No
- init scripts?
  - No
- systemd units?
  - No
- dbus services?
  - No
- setuid binaries?
  - No
- binaries in PATH?
  - No
- sudo fragments?
  - No
- polkit files?
  - No
- udev rules?
  - No
- unit tests / autopkgtests?
  - No test suite or autopkgtests
  - There seem to be some higher-level tests in webkit2gtk
- cron jobs?
  - No
- Build logs:
  - CMake Warning (dev) at /usr/share/cmake-3.23/Modules/FindPackageHandleStandardArgs.cmake:438 (message):
      The package name passed to `find_package_handle_standard_args` (LIBXKBCOMMON) does not match the name of the calling package (Libxkbcommon). This can lead to problems in calling code that expects `find_package` result variables (e.g., `_FOUND`) to follow a certain pattern.
    Call Stack (most recent call first):
      cmake/FindLibxkbcommon.cmake:63 (find_package_handle_standard_args)
      CMakeLists.txt:49 (find_package)
    This warning is for project developers. Use -Wno-dev to suppress it.
  - CMake Warning: Manually-specified variables were not used by the project:
      CMAKE_EXPORT_NO_PACKAGE_REGISTRY
      CMAKE_FIND_PACKAGE_NO_PACKAGE_REGISTRY
      FETCHCONTENT_FULLY_DISCONNECTED
  - No Lintian errors/warnings
- Processes spawned?
  - No
- Memory management?
  - src/pasteboard-generic.cpp:54: calloc second argument may overflow, leading to a heap OOB write in line 60
  - src/input.c:231: Original object may leak if realloc fails (also reported by cppcheck)
  - Both issues were reported to upstream and are now fixed
- File IO?
  - No, other than the paths to the backend WPE libraries to be loaded with dlopen()
- Logging?
  - No issues
- Environment variable usage?
  - Uses WPE_BACKEND_LIBRARY, but in debug builds only
- Use of privileged functions?
  - No
- Use of cryptography / random number sources etc?
  - No
- Use of temp files?
  - No
- Use of networking?
  - No
- Use of WebKit?
  - No, although related.
- Use of PolicyKit?
  - No
- Any significant cppcheck results?
  - src/input.c:231:29: error: Common realloc mistake: 'array' nulled but not freed upon failure [memleakOnRealloc]
      array = (struct wpe_input_xkb_keymap_entry*)realloc(array, array_allocated_size * sizeof(struct wpe_input_xkb_keymap_entry));
                            ^
  - This issue is also now fixed
- Any significant Coverity results?
  - No
- Any significant shellcheck results?
  - No
- Any significant bandit results?
  - No
- Any significant flawfinder results?
  - No

Development is active with frequent releases, but it follows a release model similar to wpewebkit (and webkitgtk), which has historically been difficult to maintain from the security team's point of view due to that release model (minor version releases with limited information on security-only issues).

Since this is a relatively small library and no major issues have been found during code review, I am inclined to ACK it. The lack of a test suite (and autopkgtests), though, is going to make testing difficult. The included pasteboard-generic implementation has some bugs and is untested (like the rest of the code). The bugs discovered during review were immediately fixed by the upstream project, and I am now waiting for upstream's input on assigning CVEs to some of them.

Security team ACK for promoting libwpe to main.
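The two memory-management findings above (the realloc result written straight back over the only pointer in src/input.c, and a multiplied size reaching calloc in src/pasteboard-generic.cpp) are instances of two common C allocation mistakes. The following is an added illustration of both patterns and their fixed forms; it is not libwpe's code. The `struct entry` type, the injectable `realloc_fn` allocator and the always-failing `failing_realloc` are constructed here so the failure path can be exercised offline; the real `struct wpe_input_xkb_keymap_entry` layout and the actual libwpe call sites are not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the keymap entry type named in the cppcheck
 * output; the real struct wpe_input_xkb_keymap_entry layout is not on
 * the page and does not matter for the pattern shown here. */
struct entry {
    uint32_t keycode;
    uint32_t keysym;
};

/* realloc-style allocator type, so that a failing allocator can be injected. */
typedef void *(*realloc_fn)(void *ptr, size_t size);

/* Returns non-zero if a * b would wrap around in size_t. This check has to
 * happen before a product is handed to calloc/realloc as a single argument:
 * the allocator only ever sees the already-wrapped value. */
static int mul_overflows(size_t a, size_t b)
{
    return b != 0 && a > SIZE_MAX / b;
}

/* The [memleakOnRealloc] pattern: the realloc result is written straight back
 * over the only copy of the pointer. On failure realloc returns NULL and leaves
 * the old block allocated, so the caller can no longer free it. The byte count
 * is also an unchecked multiply. */
static struct entry *grow_leaky(struct entry *array, size_t new_count, realloc_fn rf)
{
    array = rf(array, new_count * sizeof *array);
    return array;
}

/* Fixed form: keep the old pointer until the new block exists, and refuse
 * counts whose byte size would wrap. Returns 0 on success; on failure returns
 * -1 and leaves *array untouched and still owned by the caller. */
static int grow_safe(struct entry **array, size_t new_count, realloc_fn rf)
{
    if (mul_overflows(new_count, sizeof **array))
        return -1;
    struct entry *tmp = rf(*array, new_count * sizeof **array);
    if (tmp == NULL)
        return -1;
    *array = tmp;
    return 0;
}

/* Constructed allocator that always fails, to exercise the failure path offline. */
static void *failing_realloc(void *ptr, size_t size)
{
    (void)ptr;
    (void)size;
    return NULL;
}

/* Returns 1 when a failed grow_safe leaves the original block and its
 * contents intact, which is what a caller needs to free or keep using it. */
static int demo_safe_keeps_old_block(void)
{
    struct entry *a = calloc(4, sizeof *a);
    if (a == NULL)
        return -1;
    a[0].keycode = 42;
    struct entry *before = a;
    int rc = grow_safe(&a, 8, failing_realloc);
    int ok = (rc == -1 && a == before && a[0].keycode == 42);
    free(a);
    return ok;
}

/* Returns 1 when a failed grow_leaky leaves the caller holding NULL: the old
 * block is still allocated but unreachable through 'a', i.e. leaked. The copy
 * in 'keep' exists only so this demo can release it afterwards. */
static int demo_leaky_loses_old_block(void)
{
    struct entry *a = calloc(4, sizeof *a);
    if (a == NULL)
        return -1;
    struct entry *keep = a;
    a = grow_leaky(a, 8, failing_realloc);
    int lost = (a == NULL);
    free(keep);
    return lost;
}

int main(void)
{
    printf("SIZE_MAX * 2 overflows: %d\n", mul_overflows(SIZE_MAX, 2));
    printf("grow_safe keeps old block on failure: %d\n", demo_safe_keeps_old_block());
    printf("grow_leaky loses old block on failure: %d\n", demo_leaky_loses_old_block());
    return 0;
}
```

The overflow check is the caller's job: calloc multiplies its own two arguments with an overflow check in common libcs, but a product computed before the call (an element size times a count, or a width times a height) arrives already wrapped, and the subsequent writes sized from the unwrapped value run off the end of the small block, which is the heap OOB write the pasteboard-generic finding describes.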