Review for Source Package: src:libgav1
[Summary]
libgav1 is Google's reference, decoder-only codec for the AV1 image format.
The upstream project and the Debian package are both well-maintained. There
is no CVE history against libgav1.
MIR team ACK. Please look, as much as possible, at the recommended TODO.
Though there are no CVEs reported against libgav1 yet, and the codec is built
with hardening flags, it would help to have the Security team to do a
lightweight
review of the package before promoting it to main. So, I'll assign
ubuntu-security.
List of specific binary packages to be promoted to main: libgav1-2
Specific binary packages built, but NOT to be promoted to main: libgav1-dev,
libgav1-bin
Notes:
#0 - The libavif16 package needs libgav1 in main, MIR for the former is being
reviewed through
https://bugs.launchpad.net/ubuntu/+source/libavif/+bug/2130005
#1 - The dav1d package in main, is also a decoder-only av1 codec like libgav1.
So, there
will be duplication of functionality in main.
Required TODOs:
None.
Recommended TODOs:
#2 - Please address the build-warnings noted in the [Upstream red flags]
section.
[Rationale, Duplication and Ownership]
- There is no other package in main providing the same functionality.
=> python3-pillow, in main, needs libavif16 for AVIF image format support,
and libavif16 links against various av1f codec backends. libgav1 is
a decoder-only codec. Though it provides the same functionality as dav1d,
libavif16 needs both in main.
- A team is committed to own long term maintenance of this package.
=> Debcrafters
- The rationale given in the report seems valid and useful for Ubuntu
=> This will be useful for libavif16/python3-pillow alone for now.
[Dependencies]
OK:
- no other runtime Dependencies to MIR due to this
- no other build-time Dependencies with active code in the final binaries to
MIR due to this
- no -dev/-debug/-doc packages that need exclusion
=> libgav1-dev and libgav1-bin need exclusion
- No dependencies in main that are only superficially tested requiring more
tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
Problems: None
[Security]
OK:
- history of CVEs does not look concerning
=> no CVE history
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
xml, json, asn.1], network packets, structures, ...) from
an untrusted source.
=> It parses image formats but the source trust must be
validated by the consuming application.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,signing, ...)
- this makes appropriate (for its exposure) use of established risk
mitigation features (dropping permissions, using temporary environments,
restricted users/groups, seccomp, systemd isolation features,
apparmor, ...)
=> not relevant for a codec
Problems: None
[Common blockers]
OK:
- does not FTBFS currently
=> Does not build on s390x because big-endian archs are unsupported. This is
expected.
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
Problems: None
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
=> there is a recent delta that adds an autopkgtest
- symbols tracking is in place.
- debian/watch is present and looks ok
- Upstream update history is slow
- Debian/Ubuntu update history is slow
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained
the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list
Problems: None
[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user 'nobody' outside of tests
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?
Problems:
- There are a couple types of warnings in the build logs.
1. Deprecations:
/<<PKGBUILDDIR>>/src/utils/threadpool.h: In member function ‘void
libgav1::ThreadPool::LockMutex()’:
/<<PKGBUILDDIR>>/src/utils/threadpool.h:139:70: warning: ‘void
absl::debian9::Mutex::Lock()’ is deprecated [-Wdeprecated-declarations]
139 | void LockMutex() ABSL_EXCLUSIVE_LOCK_FUNCTION() {
queue_mutex_.Lock(); }
| ~~~~~~~~~~~~~~~~~^
/<<PKGBUILDDIR>>/src/utils/threadpool.h: In member function ‘void
libgav1::ThreadPool::UnlockMutex()’:
/<<PKGBUILDDIR>>/src/utils/threadpool.h:140:66: warning: ‘void
absl::debian9::Mutex::Unlock()’ is deprecated [-Wdeprecated-declarations]
140 | void UnlockMutex() ABSL_UNLOCK_FUNCTION() { queue_mutex_.Unlock(); }
| ~~~~~~~~~~~~~~~~~~~^~
2. Allocations exceeding gcc's max object size:
warning: argument 1 value ‘18446744073709551615’ exceeds maximum object size
9223372036854775807
** Changed in: libgav1 (Ubuntu)
Assignee: Pushkar Kulkarni (pushkarnk) => Ubuntu Security Team
(ubuntu-security)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158712
Title:
[MIR] libgav1 (libavif dependency)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libgav1/+bug/2158712/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs