I reviewed libva 2.22.0-3 as checked into plucky.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

libva is an implementation of VA-API (Video Acceleration API).

- CVE History
  - Only one CVE appears to exist against this library
    (CVE-2024-39929). The CVE does not go into many details. I believe
    it was related to the usage of getenv in place of secure_getenv.
    Appears to be fixed in version 2.20.
- Build-Depends
  - debhelper-compat, libdrm-dev, libgl-dev, libwayland-dev,
    libx11-dev, libx11-xcb-dev, libxcb-dri3-dev, libxcb1-dev,
    libxext-dev, libxfixes-dev, meson, ninja-build, perl, pkgconf TODO
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/dh_libva
    debhelper for packaging VA API drivers
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - No tests are provided for this package, although the Desktop Team
    seems to have a plan for it:
    https://wiki.ubuntu.com/DesktopTeam/TestPlans/libva
- No cron jobs
- Build logs
  - No significant build warnings
- No Processes spawned
- Memory management
  - memory management seems to be performed properly. Return values
    are properly checked and I did not see any low hanging fruit
    anywhere.
- File IO
  - The library performs file I/O operations in 2 different contexts:
    - Writing tracing information to a specified file. It is possible to
      force this behavior by setting the environment variable
      LIBVA_TRACE to a prefix of your choosing. A user may affect
      the content of the data to be traced by the usage of various
      other env variables, e.g. LIBVA_MESSAGING_LEVEL,
      LIBVA_TRACE_SURFACE, etc.
    - Loading specialized drivers via dlopen. This behaviour can be
      controlled by the user setting the variables LIBVA_DRIVERS_PATH
      and LIBVA_DRIVER_NAME.
    In both cases, access to environment variables is mediated by the
    usage of secure_getenv().
- Logging
  - The library appears to correctly handle output, avoiding format
    string attacks and such.
- Environment variable usage
  - The library makes use of various environment variables for its
    configuration. The parsing logic of such variables does not appear
    to contain dangerous usage of string manipulation routines or
    anything suspicious from a security analysis standpoint.
- Does not use any privileged function
- No use of cryptography / random number sources etc
- No use of temp files
- No use of networking
- No use of WebKit
- No use of PolicyKit

- No significant cppcheck results
- Coverity results:
  - One harmless unchecked return value from fcntl while setting
    FD_CLOEXEC on an open file descriptor.
  - One integer overflow in va/va.c:1088:14:
    harmless because GCC uses two's complement integer arithmetic.
  - A few type mismatches in format functions, e.g. printing long
    long values as long and vice versa. Not a security issue.
  - One TOCTOU issue (false positive).

- No significant shellcheck results

The library seems to be well written and quite easy to read.

Security team ACK for promoting libva to main, on the condition that
the tracing feature will be disabled. We suggest providing a
trace-enabled libva as a separate package.
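Added here as an illustration, not code from libva itself: a minimal trace-file opener that applies two points from the review above, reading the LIBVA_TRACE prefix through secure_getenv() (so it is ignored in a setuid/AT_SECURE process) and requesting O_CLOEXEC at open time rather than through a separate fcntl(FD_CLOEXEC) call whose return value can go unchecked. The "<prefix>.<pid>.log" naming and all function names are assumptions of this example, not libva's.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* glibc declares this under _GNU_SOURCE; declared again here so the
 * example still compiles if a harness included headers before us. */
extern char *secure_getenv(const char *name);

/* Trace prefix from LIBVA_TRACE, or NULL when unset. secure_getenv()
 * also returns NULL when the process runs with elevated privileges
 * (AT_SECURE), so a setuid caller cannot be steered into writing a
 * trace file at an attacker-chosen path. */
const char *trace_prefix_from_env(void)
{
    return secure_getenv("LIBVA_TRACE");
}

/* Hypothetical naming scheme: "<prefix>.<pid>.log", bounded by outlen.
 * Returns 0 on success, -1 if the path does not fit. */
int build_trace_path(const char *prefix, long pid, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s.%ld.log", prefix, pid);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Open the trace file for appending. O_CLOEXEC is set atomically in the
 * open() call, avoiding a follow-up fcntl(F_SETFD) whose result would
 * need checking; O_NOFOLLOW refuses a symlink planted at the path.
 * Returns the fd, or -1 on error. */
int open_trace_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC | O_NOFOLLOW,
                0600);
}

/* Checked query of the close-on-exec flag: 1 if set, 0 if not, -1 on
 * fcntl() failure (the return value Coverity flagged as unchecked). */
int fd_has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}
```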


** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-39929

** Changed in: libva (Ubuntu)
       Status: New => In Progress

** Changed in: libva (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/2097800

Title:
  [MIR] libva