Comment 8 for bug 2004516

Mark Esler (eslerm) wrote:

I reviewed libyuv 0.0~git202401110.af6ac82-1 as checked into noble. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

libyuv is an open source project that includes YUV scaling and conversion functionality.

- CVE History:
  - none
  - open bug reports are not a security concern
    - https://bugs.chromium.org/p/libyuv/issues/list
- Build-Depends?
  - googletest build depend
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - from libyuv-utils
    - ./usr/bin/yuvconstants
    - ./usr/bin/yuvconvert
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - from d/rules, it appears all tests on armel s390x powerpc ppc64 and sparc64 are disabled
  - on amd64, 40 disabled tests
  - 256 counts of -Wstringop-overflow in build logs due to tests
  - more bugs in test possible, see coverity section
  - rather thorough testing otherwise
- cron jobs?
  - none
- Build logs:
  - missing man pages for binaries
  - 256 counts of -Wstringop-overflow due to tests

- Processes spawned?
  - only in python, and in a script for maintaining upstream deps
    - not relevant
- Memory management?
  - tests cause string overflows with memtest
    - just a bug, not a security concern
  - see coverity section
  - moderate memcpy use outside of tests
    - looks okay
- File IO?
  - c++ fopen use appears safe
  - ignoring python upstream maintenance helper scripts
- Logging?
  - no logging outside of python
  - Python uses logging.debug and logging.error
- Environment variable usage?
  - only used for tests
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - not a concern
- Any significant Coverity results?
  - non-security bug reported
    - https://bugs.chromium.org/p/libyuv/issues/detail?id=979
  - many more non-relevant issues in tests
    - ignoring
    - upstream should improve unit tests.
  - ./tools_libyuv/ seems dangerous, but appears to only be for upstream maintenance
    - okay
  - unchecked return in ./util/yuconvert.cc:243
  - report of uninitialized scalar variable in ./util/yuconvert.cc seems difficult to trigger
  - MJpegDecoder::MJpegDecoder() does not initialize buf_vec_.pos
    - this is set early in MJpegDecoder::LoadFrame(), so probably *fine*
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none
  - only in irrelevant source code maintenance scripts

This was an expedited and less thorough review.

Security team ACK for promoting foot to main.
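The checklist items above (maintainer scripts, systemd units, setuid binaries, binaries in PATH) are the kind of thing a reviewer verifies by hand over an unpacked package. As an added example that is not part of this comment or of the libyuv project, the POSIX shell helper below automates those four checks over a tree laid out like the output of `dpkg-deb -R pkg.deb DIR`. All function names, the sample tree it builds, and the file names inside it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Launchpad review or the libyuv project.
# Automates four MIR checklist items over an unpacked binary package tree
# (DIR/DEBIAN for maintainer scripts, DIR/usr/bin etc. for payload), i.e. the
# layout produced by `dpkg-deb -R pkg.deb DIR`. Everything here is constructed.

# List maintainer scripts present in DIR/DEBIAN (pre/post inst/rm), one per line.
mir_maint_scripts() {
    for s in preinst postinst prerm postrm; do
        [ -f "$1/DEBIAN/$s" ] && echo "$s"
    done
    return 0
}

# List systemd unit files shipped anywhere under the tree.
mir_systemd_units() {
    find "$1" -path '*/systemd/system/*' -type f 2>/dev/null | sort
}

# List payload files that would land in PATH once installed.
mir_path_binaries() {
    find "$1/usr/bin" "$1/usr/sbin" "$1/bin" "$1/sbin" -type f 2>/dev/null | sort
}

# Count setuid/setgid regular files; this is the number a reviewer writes
# next to "setuid binaries?" in the checklist (0 is the expected answer).
mir_count_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# Build a constructed sample tree in a fresh temp dir and print its path:
# two tools in /usr/bin (named after the libyuv-utils binaries listed above),
# one postinst script, and one deliberately setuid helper so the check fires.
mir_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/DEBIAN" "$d/usr/bin" "$d/usr/libexec"
    printf '#!/bin/sh\nexit 0\n' > "$d/DEBIAN/postinst"
    : > "$d/usr/bin/yuvconvert"
    : > "$d/usr/bin/yuvconstants"
    : > "$d/usr/libexec/suid-helper"   # constructed: should be flagged
    chmod 4755 "$d/usr/libexec/suid-helper"
    echo "$d"
}

# Run the whole audit against a tree and print a short report.
mir_audit() {
    echo "== maintainer scripts =="; mir_maint_scripts "$1"
    echo "== systemd units =="; mir_systemd_units "$1"
    echo "== binaries in PATH =="; mir_path_binaries "$1"
    echo "== setuid/setgid count =="; mir_count_setuid "$1"
}

# Usage: mir_audit "$(mir_sample_tree)"   # or: mir_audit ./extracted-pkg
```

Running `mir_audit` on the constructed tree reports the postinst script, the two PATH binaries, no systemd units and a setuid count of 1; on a clean package such as the one reviewed above the last figure should be 0, and the maintainer-script list empty.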