I reviewed openjpeg2 2.3.1-1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

openjpeg2 is a library to encode and decode JPEG 2000 images. JPEG 2000 is an image compression standard and coding system. OpenJPEG dates back to 2005 and became the JPEG 2000 reference software in 2015.

- CVE History:
  - openjpeg has been assigned CVEs every year since 2012. For Xenial we still have some 2016 CVEs for which we are unaware of the fix. There are also a couple of CVEs that don't have a fix, or for which we are unsure whether they were solved: CVE-2018-16376, CVE-2018-20846, CVE-2019-6988
  - Upstream is responsive and willing to fix security issues, but they still need to improve on how they communicate about the fixes.
- Build-Depends:
  - cmake
  - debhelper
  - default-jdk
  - dh-apache2
  - help2man
  - javahelper
  - libcurl4-gnutls-dev or libcurl-ssl-dev
  - libfcgi-dev
  - liblcms2-dev
  - libpng-dev
  - libtiff-dev
  - libxerces2-java
  - zlib1g-dev
- postinst, prerm and postrm scripts automatically added
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/opj_compress - This program reads in an image of a certain type and converts it to a JPEG2000 file.
  - /usr/bin/opj_decompress - This program reads in a JPEG2000 image and converts it to another image type.
  - /usr/bin/opj_dump - This program reads in a JPEG2000 image and dumps the contents to stdout.
  - /usr/bin/opj_jp3d_compress - compress into a JP3D volume.
  - /usr/bin/opj_jp3d_decompress - decompress a JP3D volume.
  - /usr/bin/opj_dec_server - server to decode a JPT/JPP-stream and communicate locally with the JPIP client, which is coded in Java.
  - /usr/bin/opj_jpip_addxml - embed metadata into a JP2 file.
  - /usr/bin/opj_jpip_test - test the index code format of a JP2 file.
  - /usr/bin/opj_jpip_transcode - convert a JPT/JPP-stream to JP2 or J2K.
  - /usr/bin/opj_server - JPIP server supporting HTTP connections and JPT/JPP-stream.
  - /usr/bin/opj_jpip_viewer
- No sudo fragments
- No udev rules
- openjpeg2 has 1478 tests under tests/, including Google's oss-fuzz setup.
  - some of those tests are CVE reproducers.
- No cron jobs
- Build logs:
  - Multiple compiler warnings:
    /<<PKGBUILDDIR>>/src/lib/openjp2/openjpeg.c:1041:30: warning: cast between incompatible function types from 'int (*)(FILE *)' {aka 'int (*)(struct _IO_FILE *)'} to 'void (*)(void *)' [-Wcast-function-type]
    /<<PKGBUILDDIR>>/src/bin/jp3d/opj_jp3d_decompress.c:488:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:111:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:118:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:119:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:130:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:131:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:132:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:133:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:300:9: warning: ignoring return value of 'fscanf', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:529:9: warning: ignoring return value of 'fgets', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:851:9: warning: ignoring return value of 'fgets', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:111:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:118:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:119:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:130:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:131:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:132:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:133:5: warning: ignoring return value of 'fread', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:300:9: warning: ignoring return value of 'fscanf', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:529:9: warning: ignoring return value of 'fgets', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:851:9: warning: ignoring return value of 'fgets', declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp2/opj_decompress.c:482:36: warning: '.' directive writing 1 byte into a region of size between 0 and 4095 [-Wformat-overflow=]
    /<<PKGBUILDDIR>>/src/bin/jp2/opj_compress.c:543:31: warning: '__builtin___sprintf_chk' may write a terminating nul past the end of the destination [-Wformat-overflow=]
    /<<PKGBUILDDIR>>/src/bin/jp2/opj_compress.c:556:36: warning: '.' directive writing 1 byte into a region of size between 0 and 4095 [-Wformat-overflow=]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: '__builtin_strncpy' specified bound 4 equals destination size [-Wstringop-truncation]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: '__builtin_strncpy' specified bound depends on the length of the source argument [-Wstringop-overflow=]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: '__builtin_strncpy' specified bound depends on the length of the source argument [-Wstringop-overflow=]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: '__builtin_strncpy' specified bound depends on the length of the source argument [-Wstringop-overflow=]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: '__builtin_strncpy' specified bound depends on the length of the source argument [-Wstringop-overflow=]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: '__builtin_strncpy' specified bound depends on the length of the source argument [-Wstringop-overflow=]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: '__builtin_strncpy' specified bound depends on the length of the source argument [-Wstringop-overflow=]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:78:16: warning: variable 'rows' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:79:16: warning: variable 'row32s' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:81:18: warning: variable 'image' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:78:16: warning: variable 'rows' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:79:16: warning: variable 'row32s' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:81:18: warning: variable 'image' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:78:16: warning: variable 'rows' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:79:16: warning: variable 'row32s' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:81:18: warning: variable 'image' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
    /<<PKGBUILDDIR>>/src/lib/openjpip/jpipstream_manager.c:68:27: warning: '%02d' directive writing between 2 and 11 bytes into a region of size between 9 and 16 [-Wformat-overflow=]
  - Lintian failures:
    ignoring dump failure
    dh_install: Please use dh_missing --list-missing/--fail-missing instead
    W: openjpeg2 source: file-without-copyright-information tools/travis-ci/knownfailures-Ubuntu14.04-gcc4.8.4-x86_64-Debug-3rdP.txt
    E: Lintian run failed (policy violation)
    Lintian: fail
- No processes spawned
- Memory management
  - openjpeg2 has plenty of memory operations, and that is exactly where most of its CVEs come from: heap buffer overflow, buffer overflow, excessive memory allocation, excessive iteration, just to name a few.
- File IO
  - Contrary to the memory issues, openjpeg2 didn't have (I may be overlooking something here) any CVEs related to files and passing paths that might give you rights to read or write somewhere you couldn't. There's a lot of file IO to look through, but it appears that they are doing a good job on it.
- No logging for itself, but it does log errors and passes them to any calling library that is using openjpeg.
- Environment variable usage
  - OPJ_NUM_THREADS
  - QUERY_STRING
  - USE_OPJ_SET_DECODED_RESOLUTION_FACTOR
  - SKIP_OPJ_SET_DECODE_AREA
  - Looks safe.
- No use of privileged functions
- No use of cryptography
- No use of temp files
- Use of networking
  - JPIP stream
- No use of WebKit
- No use of PolicyKit
- cppcheck showed a few resource leaks that can be easily patched, but it also shows common programming mistakes.
- Coverity also points to resource leaks.
- We decided to contribute to the upstream project since some of the issues cppcheck and Coverity pointed out are quite simple to fix, so a PR was sent; there is no reply yet. We will continue to contribute on a best-effort basis since the code quality can still be improved.

Security team ACK for promoting openjpeg2 to main as long as the following binaries reside in universe:
- libopenjp2-tools
- libopenjp3d-tools
- libopenjpip-viewer
- libopenjpip-dec-server
- libopenjpip-server

Those binaries contain the command-line utilities mentioned previously, and most of the flaws relate to these commands.
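The warning classes in the build log above (ignored fread/fgets/fscanf return values, sprintf and strncpy bounds the compiler cannot verify, locals clobbered by longjmp) belong to the same families as the memory-handling CVEs the review notes. As an added illustration that is not openjpeg code, the following C shows one hardened form per warning class, with the flagged pattern described in the comment beside it; every function name is hypothetical.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not openjpeg code; all names hypothetical): one hardened
 * pattern for each warning class seen in the build log. */

/* [-Wunused-result] "ignoring return value of 'fread'": fread may return fewer
 * items than requested (truncated input), leaving the tail of buf uninitialised
 * while the caller goes on to parse it. Returns 1 only when all len bytes were read. */
int read_exact(FILE *fp, void *buf, size_t len)
{
    if (fp == NULL || buf == NULL)
        return 0;
    return fread(buf, 1, len, fp) == len;
}

/* [-Wformat-overflow=] "'.' directive writing 1 byte into a region of size ...":
 * sprintf(dst, "%s.%s", base, ext) cannot know sizeof(dst). snprintf returns the
 * length it wanted; a value >= dstlen means the name would have been truncated. */
int build_output_name(char *dst, size_t dstlen, const char *base, const char *ext)
{
    int n = snprintf(dst, dstlen, "%s.%s", base, ext);
    return n >= 0 && (size_t)n < dstlen;
}

/* [-Wstringop-truncation] "'strncpy' specified bound equals destination size":
 * strncpy(dst, src, sizeof dst) leaves dst without a terminator when src fills
 * it. Refuse anything that does not fit together with the terminator. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* [-Wclobbered] "variable 'rows' might be clobbered by 'longjmp'": libpng-style
 * error handling returns through longjmp, and a non-volatile local modified
 * after setjmp has an unspecified value in the handler, so cleanup could free a
 * stale pointer. Declaring the pointer volatile keeps it in memory. */
static jmp_buf err_jmp;

static void fail_like_libpng(void)
{
    longjmp(err_jmp, 1);
}

/* Returns 0 on success, -1 when the simulated decoder error was raised,
 * -2 on allocation failure. The buffer is released on every path. */
int decode_with_cleanup(int trigger_error)
{
    unsigned char *volatile rows = NULL;

    if (setjmp(err_jmp) != 0) {
        free(rows);           /* reliable only because rows is volatile */
        return -1;
    }
    rows = malloc(16);
    if (rows == NULL)
        return -2;
    memset(rows, 0, 16);
    if (trigger_error)
        fail_like_libpng();   /* does not return */
    free(rows);
    return 0;
}

int main(void)
{
    char name[8];
    int fits = build_output_name(name, sizeof name, "img", "j2k");
    int fits2 = build_output_name(name, sizeof name, "image", "j2k");
    printf("build_output_name: \"img.j2k\" fits=%d, \"image.j2k\" fits=%d\n", fits, fits2);
    printf("decode_with_cleanup: ok=%d, error path=%d\n",
           decode_with_cleanup(0), decode_with_cleanup(1));
    return 0;
}
```

Each helper reports failure instead of continuing with a partial or unterminated buffer, which is what turns a short read or an oversized filename into the heap and buffer overflows listed in the CVE history.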