[Bug 1827442] Re: [MIR] libheif
Vladimir Petko
1827442 at bugs.launchpad.net
Wed Feb 1 00:36:31 UTC 2023
** Description changed:
[Availablity]
The package libheif is already in ubuntu/universe.
The package libheif build for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
-The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up has no known vulnerabilitites.
+
+ - no `suid` or `sgid` binaries
+ - no executables in `/sbin` and `/usr/sbin`
+ - Package does not install services, timers or recurring jobs
+ - Packages does not open privileged ports (ports < 1024)
+ - Packages does contain extensions to security-sensitive software: the package provides HEIF image plugin used by other software, e.g. imagemagick
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice, that libgd2 HEIF support is disabled. Compiling a sample that tries to save HEIF file produces following output
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in debian: https://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression,
HEIC can not be read using viewnoir.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does have not failing autopkgtests right now
- [NOT COMPLETE]: The package can not be tested at build or autopktest time because no tests are presentto make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
- aom
- dav1d
- libde265
- x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libgd2 in Ubuntu.
https://bugs.launchpad.net/bugs/1827442
Title:
[MIR] libheif
Status in aom package in Ubuntu:
Incomplete
Status in dav1d package in Ubuntu:
Incomplete
Status in libde265 package in Ubuntu:
Incomplete
Status in libgd2 package in Ubuntu:
New
Status in libheif package in Ubuntu:
In Progress
Status in x265 package in Ubuntu:
Incomplete
Bug description:
[Availablity]
The package libheif is already in ubuntu/universe.
The package libheif build for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
-The package libheif is a runtime dependency of package libgd2 that we already support.
- It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
[Security]
libheif had security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up has no known vulnerabilitites.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Packages does not open privileged ports (ports < 1024)
- Packages does contain extensions to security-sensitive software: the package provides HEIF image plugin used by other software, e.g. imagemagick
[Quality assurance – function/usage]
- The package does not work well right after install
- Basic test cases pass:
```
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
```
Notice, that libgd2 HEIF support is disabled. Compiling a sample that tries to save HEIF file produces following output
```
GD Warning: HEIF image support has been disabled
```
There is a bug filed in debian: https://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression,
HEIC can not be read using viewnoir.
[Quality assurance - maintenance]
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- The package does have not failing autopkgtests right now
- [NOT COMPLETE]: The package can not be tested at build or autopktest time because no tests are presentto make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
https://udd.debian.org/lintian/?packages=libheif
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
- aom
- dav1d
- libde265
- x265
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/aom/+bug/1827442/+subscriptions
More information about the foundations-bugs
mailing list