[MIR] libwebp

Bug #1186553 reported by Jeremy Bícha
Affects: libwebp (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

1. Availability: The latest version is available in Saucy
2. Rationale: Required build-dependency of webkitgtk 2.0 and I think webkitgtk 2.0 should be in 13.10:
http://trac.webkit.org/browser/trunk/Source/autotools/FindDependencies.m4#L57

webp is Google's new format for compressed lossy or lossless images with fairly significant size savings. Support for the format is built into Chromium.

3. Security: LP: #1166556
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=webp
https://secunia.com/advisories/search/?search=webp&sort_by=date
https://security-tracker.debian.org/tracker/source-package/libwebp

4. QA: No open Debian bugs
http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libwebp
https://bugs.launchpad.net/ubuntu/+source/libwebp
5. UI standards: N/A
6. Dependencies: All in main
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/saucy/libwebp/saucy/view/head:/debian/control
7. Standards Compliance: 3.9.3
8. Maintenance: In sync with Debian

http://packages.qa.debian.org/libwebp
https://developers.google.com/speed/webp/
git.chromium.org/gitweb/?p=webm/libwebp.git (site is down today though)

ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: libwebp4 0.3.0-3
ProcVersionSignature: Ubuntu 3.9.0-2.7-generic 3.9.3
Uname: Linux 3.9.0-2-generic x86_64
ApportVersion: 2.10.2-0ubuntu1
Architecture: amd64
Date: Sat Jun 1 09:40:55 2013
MarkForUpload: True
SourcePackage: libwebp
UpgradeStatus: Upgraded to saucy on 2013-05-07 (24 days ago)

Jeremy Bícha (jbicha) wrote :
description: updated
Michael Terry (mterry) wrote :

As this is a format parser, especially a web-oriented one, we'll need a security review. Assigning the MIR to Jamie.

Changed in libwebp (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Sebastien Bacher (seb128) wrote :

Jamie, do you have an estimate on when you will be able to do that review? The new webkit is mostly ready for upload to saucy...

Changed in libwebp (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Seth Arnold (seth-arnold) wrote :

I reviewed libwebp version 0.3.0-3 from saucy. This should not be
considered a full security audit, but rather a quick gauge of code
cleanliness.

- Package provides routines for lossy and lossless image encoding / decoding
- Build-deps are image processing libraries
- No daemons, no networking itself, no initscripts, no dbus services,
  no setuid, no sudo, no cron
- Two unprivileged binaries in /usr/bin, dwebp and cwebp, to encode and
  decode images
- Clean buildlogs
- No spawned subprocesses
- Careful memory management
- Very few file open()s, all in examples/, looked safe
- Logging looked safe, most is library code without logging
- No environment use
- No encryption
- No privileged portions of code
- No /tmp/ files
- No webkit, no JS

This code is extremely complicated in portions; depending upon the nature of
potential security issues, we may be heavily reliant upon upstream for fixes.
That said, the code is careful and well-written.

Security team ACK for including in main.

Thanks.

Changed in libwebp (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
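The review above is a checklist of what was looked for rather than how it was looked for. As an added illustration, not code from this thread or from libwebp, here is a POSIX shell triage script that greps a C source tree for the categories the checklist names (file opens, spawned subprocesses, environment use, /tmp paths, privilege changes) and reports where each hit sits, which is what lets a reviewer confirm a statement like "very few file open()s, all in examples/". The category labels, regexes and the small sample tree it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the MIR thread or from libwebp: a quick
# source-tree triage of the kind the review above summarises. Labels,
# regexes and the constructed sample tree are assumptions for illustration.

# Pattern table, one "label:ERE" per line. The leading (^|[^A-Za-z0-9_])
# keeps identifiers that merely end in the name (e.g. my_open) from matching.
triage_patterns() {
    printf '%s\n' \
        'file_open:(^|[^A-Za-z0-9_])(open|fopen|creat)\(' \
        'subprocess:(^|[^A-Za-z0-9_])(system|popen|fork|exec[lv]p?e?|posix_spawn)\(' \
        'environment:(^|[^A-Za-z0-9_])getenv\(' \
        'tmp_paths:/tmp/' \
        'privilege:(^|[^A-Za-z0-9_])(setuid|seteuid|setgid|setegid)\('
}

# triage_dir DIR: print one "label count" line per category.
triage_dir() {
    triage_patterns | while IFS=: read -r label pattern; do
        count=$(grep -rEn --include='*.c' --include='*.h' -- "$pattern" "$1" | wc -l)
        printf '%s %s\n' "$label" "$((count))"
    done
}

# triage_hits DIR LABEL: print file:line:text for every hit of one category;
# the paths tell you whether hits are in library code or only in examples/.
triage_hits() {
    pattern=$(triage_patterns | sed -n "s/^$2://p")
    [ -n "$pattern" ] || return 1
    grep -rEn --include='*.c' --include='*.h' -- "$pattern" "$1" || true
}

# make_sample_tree: build a small constructed tree (not libwebp) with one
# I/O-free "library" file and one example tool that opens a file and reads
# the environment; prints the directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/src" "$d/examples"
    cat > "$d/src/decode.c" <<'EOF'
/* pure decoder: no I/O, no environment, no subprocesses */
int decode(const unsigned char *buf, int len) { return len > 0; }
EOF
    cat > "$d/examples/tool.c" <<'EOF'
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv) {
  FILE *in = fopen(argv[1], "rb");
  const char *home = getenv("HOME");
  return in != NULL && home != NULL;
}
EOF
    printf '%s\n' "$d"
}

# Usage: sh triage.sh /path/to/source   (no argument: run on the sample tree)
if [ $# -gt 0 ]; then
    triage_dir "$1"
else
    sample=$(make_sample_tree)
    triage_dir "$sample"
    triage_hits "$sample" file_open
    rm -rf "$sample"
fi
```

On the sample tree this reports one file open and one environment read, both in examples/tool.c, and nothing in src/. A grep pass like this is only a gauge of where to look, as the review itself says of its own scope; a hit still has to be read in context.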
Michael Terry (mterry) wrote :

I reviewed the packaging and maintainability; it looks fine, except that it's missing an Ubuntu team bug subscriber. What team is going to look after this?

Changed in libwebp (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for libwebp (Ubuntu) because there has been no activity for 60 days.]

Changed in libwebp (Ubuntu):
status: Incomplete → Expired
Iain Lane (laney)
Changed in libwebp (Ubuntu):
status: Expired → New
Iain Lane (laney) wrote :

Desktop team will look after it. The desktop-bugs team is now subscribed. Mike, could you take another look at this request?

Dimitri John Ledkov (xnox) wrote :

It will be possible to compile imagemagick against libwebp, and convert will gain the ability to convert to/from webp images.

Michael Terry (mterry)
Changed in libwebp (Ubuntu):
status: New → Fix Committed
Iain Lane (laney) wrote :

seb128 promoted this

Changed in libwebp (Ubuntu):
status: Fix Committed → Fix Released