I reviewed libyuv 0.0~git202401110.af6ac82-1 as checked into noble. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
libyuv is an open source project that includes YUV scaling and conversion functionality.
- CVE History:
  - none
  - open bug reports are not a security concern
    - https://bugs.chromium.org/p/libyuv/issues/list
- Build-Depends?
  - googletest build depend
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - from libyuv-utils
    - ./usr/bin/yuvconstants
    - ./usr/bin/yuvconvert
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - from d/rules, it appears all tests on armel, s390x, powerpc, ppc64 and sparc64 are disabled
  - on amd64, 40 disabled tests
  - 256 counts of -Wstringop-overflow in build logs due to tests
    - more bugs in tests possible, see Coverity section
  - rather thorough testing otherwise
- cron jobs?
  - none
- Build logs:
  - missing man pages for binaries
  - 256 counts of -Wstringop-overflow due to tests
- Processes spawned?
  - only in python, and in a script for maintaining upstream deps
    - not relevant
- Memory management?
  - tests cause string overflows with memtest
    - just a bug, not a security concern
    - see Coverity section
  - moderate memcpy use outside of tests
    - looks okay
- File IO?
  - C++ fopen use appears safe
  - ignoring python upstream maintenance helper scripts
- Logging?
  - no logging outside of python
    - Python uses logging.debug and logging.error
- Environment variable usage?
  - only used for tests
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - not a concern
- Any significant Coverity results?
  - non-security bug reported
    - https://bugs.chromium.org/p/libyuv/issues/detail?id=979
  - many more non-relevant issues in tests
    - ignoring
    - upstream should improve unit tests
  - ./tools_libyuv/ seems dangerous, but appears to only be for upstream maintenance
    - okay
  - unchecked return in ./util/yuvconvert.cc:243
  - report of uninitialized scalar variable in ./util/yuvconvert.cc seems difficult to trigger
  - MJpegDecoder::MJpegDecoder() does not initialize buf_vec_.pos
    - this is set early in MJpegDecoder::LoadFrame(), so probably *fine*
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none
    - only in irrelevant source code maintenance scripts
This was an expedited and less thorough review.
Security team ACK for promoting libyuv to main.