[MIR] libyuv (transitive dependency of libheif)

Review for Package: libyuv

[Summary]
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does need a security review, so I'll assign ubuntu-security once required TODOs
are resolved.
List of specific binary packages to be promoted to main: libyuv0, libyuv-dev, libyuv-utils

Notes:
TODO: - add todos, issues or special cases to discuss
Required TODOs:
1. Please add autopkgtests, the test running at build time can be used for this.
2. Ubuntu current release is behind debian by 8 versions, please sync.
   In newer versions debian has disabled lto because of some tests failing.
Recommended TODOs:
3. Not sure this is a problem wrt MIR but I'll mention it to take a look at just in case.
   I was not able to build the package because it would complain:
   "dpkg-source: error: Version number suggests Ubuntu changes, but Maintainer: does not have Ubuntu address".
   Looking at d/control
   "Maintainer: Debian Multimedia Maintainers <email address hidden>".
   This does not seem to be a problem when building on launchpad.

- The package should get a team bug subscriber before being promoted

[Duplication]
This package is required in main as a dependency of libheif package.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - libuyv checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- does parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- This does not need special HW for build or test
- no new python2 dependency

Problems:
- does not have a non-trivial test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
  control
- symbols tracking is in...

UPDATE:

I see the latest version 0.0~git202401110.af6ac82-1 is a sync from Debian and also provides some non-superficial autopkgtests. So the required MIR TODOs seems to be solved. I subscribed ~foundations-bugs and moving it into the security queue.

Hello, the MIR process says any MIRs assigned to the security team after
the Beta Freeze deadline need to be discussed with the Director of
Security Engineering:

    For a MIR to be considered for a release, it must be assigned to the
    Security team (by the MIR team) before Beta Freeze. This does not
    guarantee that a security review can be completed by Final Release.
    Ask the director of Security for exceptions.

https://github.com/canonical/ubuntu-mir?tab=readme-ov-file#security-reviews

Please find a few minutes on Alex Burrage's calendar and schedule
a meeting.

Thanks

ravi-sharma> I sent a message to Alex to request an exception.

Alex has granted the exception with a note advising against last minute security reviews in the future.

When is Security review absolutely needed by? Is April 17th, the day before Final Freeze okay? Would that give Foundation's enough time to promote to main?

There may not be enough time for Security to complete a review by Final Freeze, but we are looking for someone to take this asap.

I reviewed libyuv 0.0~git202401110.af6ac82-1 as checked into noble. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

libyuv is an open source project that includes YUV scaling and conversion functionality.

- CVE History:
  - none
  - open bug reports are not a security concern
    - https://bugs.chromium.org/p/libyuv/issues/list
- Build-Depends?
  - googletest build depend
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - from libyuv-utils
    - ./usr/bin/yuvconstants
    - ./usr/bin/yuvconvert
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - from d/rules, it appears all tests on armel s390x powerpc ppc64 and sparc64 are disabled
  - on amd64, 40 disabled tests
  - 256 counts of -Wstringop-overflow in build logs due to tests
  - more bugs in test possible, see coverity section
  - rather thorough testing otherwise
- cron jobs?
  - none
- Build logs:
  - missing man pages for binaries
  - 256 counts of -Wstringop-overflow due to tests

- Processes spawned?
  - only in python, and in a script for maintaining upstream deps
    - not relevant
- Memory management?
  - tests cause string overflows with memtest
    - just a bug, not a security concern
  - see coverity section
  - moderate memcpy use outside of tests
    - looks okay
- File IO?
  - c++ fopen use appears safe
  - ignoring python upstream maintenance helper scripts
- Logging?
  - no logging outside of python
  - Python uses logging.debug and logging.error
- Environment variable usage?
  - only used for tests
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - not a concern
- Any significant Coverity results?
  - non-security bug reported
    - https://bugs.chromium.org/p/libyuv/issues/detail?id=979
  - many more non-relevant issues in tests
    - ignoring
    - upstream should improve unit tests.
  - ./tools_libyuv/ seems dangerous, but appears to only be for upstream maintenance
    - okay
  - unchecked return in ./util/yuconvert.cc:243
  - report of uninitialized scalar variabile in ./util/yuconvert.cc seems difficult to trigger
  - MJpegDecoder::MJpegDecoder() does not initialize buf_vec_.pos
    - this is set early in MJpegDecoder::LoadFrame(), so probably *fine*
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none
  - only in irrelevant source code maintenance scripts

This was an expedited and less thorough review.

Security team ACK for promoting foot to main.

This is now ready and can be promoted with the rest of the libgd2 -> libheif -> PLUGINS -> CODECS chain

Slight change here - this isn't needed for libaom3.

Due to the good use of non-embedded libs we now have correct dependency tracking.
That shows that only aom-tools would needed it, which isn't pulled in from libheif.

We could promote it, but if you want that you'd need to seed aom-tools (if it is serving a good purpose) in one of the -supported seeds I guess.

A bit more detail in https://bugs.launchpad.net/ubuntu/+source/libheif/+bug/1827442/comments/55

Thanks for the investigation of the new dependency tracking!
I missed that previously. Sorry for all the extra work involved for getting this landed in time!

I'll unsubscribe ~foundations-bugs and move it to "In Progress", as the MIR still passed. So it has the correct state, should it be needed by any team in the future.