I reviewed webp-pixbuf-loader 0.0.5-5 as checked into kinetic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
webp-pixbuf-loader is a loadable gdk-pixbuf module that contains the necessary
functions to load and save images in webp format.
- CVE History:
  - No history of CVEs.
- Build-Depends?
  - No direct dependency on encryption or networking libraries.
- pre/post inst/rm scripts?
  - No.
- init scripts?
  - No.
- systemd units?
  - No.
- dbus services?
  - No.
- setuid binaries?
  - No.
- binaries in PATH?
  - No.
- sudo fragments?
  - No.
- polkit files?
  - No.
- udev rules?
  - No.
- unit tests / autopkgtests?
  - Unit tests and some trivial determinism autopkgtests included and successfully run.
- cron jobs?
  - No.
- Build logs:
  - A couple of deprecation warnings in the test files like:
[4/16] cc -Itests/t3.p -Itests -I../tests -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/libpng16 -I/usr/include/x86_64-linux-gnu -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -fdiagnostics-color=always -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -O0 -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -pthread -MD -MQ tests/t3.p/t3.c.o -MF tests/t3.p/t3.c.o.d -o tests/t3.p/t3.c.o -c ../tests/t3.c
../tests/t3.c: In function ‘main’:
../tests/t3.c:17:17: warning: ‘GTimeVal’ is deprecated: Use 'GDateTime' instead [-Wdeprecated-declarations]
17 | GTimeVal curTime;
| ^~~~~~~~
  - No Lintian failures.
- Processes spawned?
  - No.
- Memory management?
  - Uses glib wrappers for memory management. Several resource leaks as reported by Coverity and also verified with code review.
  - io-webp.c:173 core_used_len + size could wrap although impossible for size_t even for 32-bit systems.
- File IO?
  - io-webp-anim.c:467 get_data_from_file receives a pointer to FILE and reads raw data from it. No filepath handling.
  - io-webp.c:48 gdk_pixbuf__webp_image_load receives a pointer to FILE and reads raw data from it. No filepath handling.
- Logging?
  - Uses mostly g_set_error from glib. No format strings or other issues found.
- Environment variable usage?
  - No.
- Use of privileged functions?
  - No.
- Use of cryptography / random number sources etc?
  - No.
- Use of temp files?
  - No.
- Use of networking?
  - No.
- Use of WebKit?
  - No.
- Use of PolicyKit?
  - No.
- Any significant cppcheck results?
  - No.
- Any significant Coverity results?
  - SEE coverity.txt. A couple of resource leaks were reported as well as a missing check when using ftell's return value (which can be -1) as a malloc argument.
- Any significant shellcheck results?
  - No.
Security team ACK for promoting webp-pixbuf-loader to main.
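The ftell()/malloc and size_t-wrap findings above, as an added example that is not part of this review or of the webp-pixbuf-loader code base: read_stream_checked, size_add_checked and the RIFF sample bytes are hypothetical, constructed here to show the checks a get_data_from_file-style reader needs so that a -1 from ftell() never becomes an allocation size and no buffer is leaked on an error path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Overflow-checked size_t add, used in place of a bare `core_used_len + size`. */
bool size_add_checked(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b) return false;
    *out = a + b;
    return true;
}

/* Hypothetical hardened whole-FILE* reader: ftell() is validated before it
 * becomes a malloc() argument, and every error path frees the buffer. */
unsigned char *read_stream_checked(FILE *f, size_t *len)
{
    size_t want, got, total = 0;
    unsigned char *buf;
    long pos = fseek(f, 0, SEEK_END) == 0 ? ftell(f) : -1L;
    if (pos < 0 || fseek(f, 0, SEEK_SET) != 0)
        return NULL;                  /* ftell() gave -1: never cast to size_t */
    want = (size_t)pos;
    if ((buf = malloc(want ? want : 1)) == NULL)
        return NULL;
    while (total < want) {
        got = fread(buf + total, 1, want - total, f);
        if (got == 0 || !size_add_checked(total, got, &total)) {
            free(buf); return NULL;   /* short read: release, do not leak */
        }
    }
    *len = total;
    return buf;
}

/* Constructed sample: a 12-byte RIFF/WEBP header round-tripped through
 * tmpfile(). Returns the byte count read back, or 0 on any failure. */
size_t demo_read_length(void)
{
    static const unsigned char sample[] = { 'R','I','F','F', 0x1a,0,0,0, 'W','E','B','P' };
    unsigned char *data = NULL;
    size_t len = 0;
    FILE *f = tmpfile();
    if (f != NULL && fwrite(sample, 1, sizeof sample, f) == sizeof sample)
        data = read_stream_checked(f, &len);
    if (data == NULL || len != sizeof sample || memcmp(data, sample, len) != 0)
        len = 0;
    free(data); if (f != NULL) fclose(f);
    return len;
}
```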