[Bug 1827442] Re: [MIR] libheif

Vladimir Petko 1827442 at bugs.launchpad.net
Tue Jan 31 02:12:05 UTC 2023


Differences between getting orig tar through rules vs uscan

** Description changed:

- [Availability]
- Available on all architectures in universe from bionic forward.
+ [Availablity]
+ 
+ The package libheif is already in ubuntu/universe.
+ The package libheif build for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
+ It currently builds and works for architectures:  amd64 arm64 armhf i386 ppc64el riscv64 s390x
+ Link to package:  https://launchpad.net/ubuntu/+source/libheif
  
  [Rationale]
- This is a new build-dependency added to imagemagick in Debian unstable.  It implements support for decoding ISO/IEC 23008-12:2017 HEIF files, which are not otherwise supported by any libraries in Ubuntu main.
+ 
+ - The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
+ - The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports  decoding of ISO/IEC 23008-12:2017 HEIF files.
+ -The package libheif is a runtime dependency of package libgd2 that we already support.
+ - It would be great and useful to community/processes to have the  package libheif in Ubuntu main, but there is no definitive deadline.
  
  [Security]
- One vulnerability was reported this year against libheif 1.4.0 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471).  Debian currently has libheif 1.3.2.  According to the upstream issue at https://github.com/strukturag/libheif/issues/123 the vulnerability was first introduced in an unreleased, git-only version of libheif (post-1.4.0), and found and fixed by the upstream community prior to finding its way into a tagged release.  It is not clear to me that the vulnerability in question applies to 1.3.2.
  
- This is a media file parser, so is security-sensitive because it will be
- processing complex untrusted input.
+ libheif had security issues in the past:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
+ The vulnerable versions are libheif < 1.7.0, current version 1.14.2
+ Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up has no known vulnerabilitites.
+ [Quality assurance – function/usage]
+ - The package works well right after install
+ ```
+ apt install imagemagick
+ wget https://filesamples.com/samples/image/heif/sample1.heif
+ convert -verbose sample1.heif test.gif
+ wget https://filesamples.com/samples/image/heic/sample1.heic
+ convert -verbose sample1.heic test1.gif
+ ```
  
- [Quality assurance]
- Packaging is lintian-clean using modern dh(1) patterns and shows no problematic bug history in Debian or Ubuntu.
+ Notice, that libgd2 HEIF support is disabled. Compiling a sample that tries to save HEIF file produces following output
+ ```
+ GD Warning: HEIF image support has been disabled
+ ```
  
- Package runs make check at build time (debhelper), but has no build-time
- tests or autopkgtests available.
+ [Quality assurance - maintenance]
+ 
+ - The package has important open bugs, listing them: 
+ 	- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
+ 	- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
+ 
+ [Quality assurance – testing]
+ 
+ - The package does not run a test at build time because no unit tests are present in the repository upstream:
+ https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
+ https://github.com/strukturag/libheif
+ - The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
+ - The package does have not failing autopkgtests right now
+ - [NOT COMPLETE]: The package can not be tested at build or autopktest time because no tests are presentto make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
+ 
+ [Quality assurance - packaging]
+ 
+ - debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
+ - debian/control defines a correct Maintainer field
+ - This package does not yield massive lintian Warnings, Errors
+ - Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
+ - Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
+ https://udd.debian.org/lintian/?packages=libheif
+ - Lintian overrides are not present
+ - This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
+ - This package has no python2 or GTK2 dependencies
+ - The package will not be installed by default
+ - Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
+ 
+ [UI standards]
+ 
+ - Application is not end-user facing (does not need translation)
+ - End-user applications without desktop file, not needed because application does not provide GUI
  
  [Dependencies]
- Also depends on x265 and libde265 which are in universe.
  
- [Maintenance]
- Package would be maintained by Ubuntu Foundations Team.
+ - There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
+   - aom 
+   - dav1d 
+   - libde265
+   - x265
+ 
+ [Standards compliance]
+ 
+  - This package correctly follows FHS and Debian Policy
+ 
+ [Maintenance/Owner]
+ 
+ - Owning Team will be Foundations team
+ 	- Team is already subscribed to the package
+ - This does not use static builds
+ - This does not use vendored code
+ - This package is not rust based
+ 
+ [Background information]
+ 
+ The Package description explains the package well
+ Upstream Name is libheif
+ Link to upstream project https://github.com/strukturag/libheif/
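Review bot: the rewritten [Security] section ends with "Jammy and up has no known vulnerabilitites", but the only evidence given that CVE-2020-23109 is fixed is "developer comments that it was fixed in 1.7.0" on a GitHub issue the same text says is still open, and the [Quality assurance - maintenance] section of this very change lists Debian bug 1014125 "Confirm CVE-2020-23109 fix" as an important open bug; the fixed-in-1.7.0 claim should point at the fixing commit or the CVE tracker entry before the "no known vulnerabilities" statement is made. A second gap in the same change: the [Quality assurance – function/usage] test exercises libheif only through imagemagick, while the [Rationale] is libgd2 and the text itself reports "GD Warning: HEIF image support has been disabled", so the consumer that motivates the main inclusion is not actually exercised by the test.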

** Description changed:

  [Availablity]
  
  The package libheif is already in ubuntu/universe.
  The package libheif build for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
  It currently builds and works for architectures:  amd64 arm64 armhf i386 ppc64el riscv64 s390x
  Link to package:  https://launchpad.net/ubuntu/+source/libheif
  
  [Rationale]
  
  - The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
  - The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports  decoding of ISO/IEC 23008-12:2017 HEIF files.
  -The package libheif is a runtime dependency of package libgd2 that we already support.
  - It would be great and useful to community/processes to have the  package libheif in Ubuntu main, but there is no definitive deadline.
  
  [Security]
  
  libheif had security issues in the past:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
  The vulnerable versions are libheif < 1.7.0, current version 1.14.2
  Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up has no known vulnerabilitites.
+ 
  [Quality assurance – function/usage]
- - The package works well right after install
+ 
+ - The package does not work well right after install
+ - Basic test cases pass:
  ```
  apt install imagemagick
  wget https://filesamples.com/samples/image/heif/sample1.heif
  convert -verbose sample1.heif test.gif
  wget https://filesamples.com/samples/image/heic/sample1.heic
  convert -verbose sample1.heic test1.gif
  ```
  
  Notice, that libgd2 HEIF support is disabled. Compiling a sample that tries to save HEIF file produces following output
  ```
  GD Warning: HEIF image support has been disabled
  ```
  
+ There is a bug filed in debian: https://bugs.debian.org/cgi-
+ bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression,
+ HEIC can not be read using viewnoir.
+ 
  [Quality assurance - maintenance]
  
- - The package has important open bugs, listing them: 
- 	- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
- 	- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
+ - The package has important open bugs, listing them:
+  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
+  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
  
  [Quality assurance – testing]
  
  - The package does not run a test at build time because no unit tests are present in the repository upstream:
  https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
  https://github.com/strukturag/libheif
  - The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
  - The package does have not failing autopkgtests right now
  - [NOT COMPLETE]: The package can not be tested at build or autopktest time because no tests are presentto make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
  
  [Quality assurance - packaging]
  
  - debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
  - debian/control defines a correct Maintainer field
  - This package does not yield massive lintian Warnings, Errors
  - Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
  - Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
  https://udd.debian.org/lintian/?packages=libheif
  - Lintian overrides are not present
  - This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
  - This package has no python2 or GTK2 dependencies
  - The package will not be installed by default
  - Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
  
  [UI standards]
  
  - Application is not end-user facing (does not need translation)
  - End-user applications without desktop file, not needed because application does not provide GUI
  
  [Dependencies]
  
  - There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
-   - aom 
-   - dav1d 
-   - libde265
-   - x265
+   - aom
+   - dav1d
+   - libde265
+   - x265
  
  [Standards compliance]
  
-  - This package correctly follows FHS and Debian Policy
+  - This package correctly follows FHS and Debian Policy
  
  [Maintenance/Owner]
  
  - Owning Team will be Foundations team
- 	- Team is already subscribed to the package
+  - Team is already subscribed to the package
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based
  
  [Background information]
  
  The Package description explains the package well
  Upstream Name is libheif
  Link to upstream project https://github.com/strukturag/libheif/
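Review bot: in the [Quality assurance – function/usage] change, the new bullet "The package does not work well right after install" is immediately followed by the kept "Basic test cases pass", which reads as a contradiction; the paragraph added below about Debian bug 1029668 is evidently the reason, so the bullet should say that the imagemagick conversions pass while reading HEIC through viewnior (spelled "viewnoir" in the text) regresses with 1.14.2, as the maintenance section already records together with the 1.13.0-1 workaround. The Debian URL in that paragraph is also wrapped across two lines ("https://bugs.debian.org/cgi-" / "bin/bugreport.cgi?bug=1029668") and will not survive as a link.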

** Patch added: "make-target-to-uscan.diff"
   https://bugs.launchpad.net/ubuntu/+source/libheif/+bug/1827442/+attachment/5644071/+files/make-target-to-uscan.diff

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libgd2 in Ubuntu.
https://bugs.launchpad.net/bugs/1827442

Title:
  [MIR] libheif

Status in aom package in Ubuntu:
  Incomplete
Status in dav1d package in Ubuntu:
  Incomplete
Status in libde265 package in Ubuntu:
  Incomplete
Status in libgd2 package in Ubuntu:
  New
Status in libheif package in Ubuntu:
  In Progress
Status in x265 package in Ubuntu:
  Incomplete

Bug description:
  [Availability]

  The package libheif is already in ubuntu/universe.
  The package libheif builds for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
  It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
  Link to package:  https://launchpad.net/ubuntu/+source/libheif

  [Rationale]

  - The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2, which is present in main.
  - The package libheif will not generally be useful for a large part of our user base, but is still important/helpful because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
  - The package libheif is a runtime dependency of package libgd2, which we already support.
  - It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.

  [Security]

  libheif had security issues in the past:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2 allows attackers to cause a denial of service and disclose sensitive information via a crafted HEIF file. The GitHub issue https://github.com/strukturag/libheif/issues/207 is open, though the developer comments that it was fixed in 1.7.0.
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0 that allows attackers to cause a denial of service or possibly other unspecified impact due to an invalid memory read. The GitHub issue https://github.com/strukturag/libheif/issues/138 is closed; fixed in 1.5.0.
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0 allows attackers to cause a denial of service or possibly other unspecified impacts. The GitHub issue https://github.com/strukturag/libheif/issues/139 is closed; fixed in 1.5.0.
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The GitHub issue https://github.com/strukturag/libheif/issues/123 is closed; fixed in 1.5.0.
  The vulnerable versions are libheif < 1.7.0; the current version is 1.14.2.
  Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up have no known vulnerabilities.

  [Quality assurance – function/usage]

  - The package does not work well right after install
  - Basic test cases pass:
  ```
  apt install imagemagick
  wget https://filesamples.com/samples/image/heif/sample1.heif
  convert -verbose sample1.heif test.gif
  wget https://filesamples.com/samples/image/heic/sample1.heic
  convert -verbose sample1.heic test1.gif
  ```

  Note that libgd2's HEIF support is disabled. Compiling a sample that tries to save a HEIF file produces the following output:
  ```
  GD Warning: HEIF image support has been disabled
  ```

  There is a bug filed in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 (1.14.2 contains a significant regression: HEIC cannot be read using viewnior).

  [Quality assurance - maintenance]

  - The package has important open bugs, listing them:
   - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
   - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains a significant regression: HEIC cannot be read using the viewnior package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.

  [Quality assurance – testing]

  - The package does not run tests at build time because no unit tests are present in the upstream repository:
  https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
  https://github.com/strukturag/libheif
  - The package does not run an autopkgtest because no autopkgtests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
  - The package does not have failing autopkgtests right now.
  - [NOT COMPLETE]: The package cannot be tested at build or autopkgtest time because no tests are present; to make up for that, here [LINK] is a test plan/automation and example test runlogs/scripts.

  [Quality assurance - packaging]

  - debian/watch is present and works, BUT a get-orig-head target is also present in debian/rules that produces a different result. There is no specific documentation on which method to use.
  - debian/control defines a correct Maintainer field
  - This package does not yield massive lintian warnings or errors
  - Link to a recent build log of the package: https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
  - Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
  https://udd.debian.org/lintian/?packages=libheif
  - Lintian overrides are not present
  - This package relies on obsolete or about-to-be-demoted packages (see https://udd.debian.org/lintian/?packages=libheif); consider using libgdk-pixbuf-2.0-dev instead of the transitional libgdk-pixbuf2.0-dev
  - This package has no python2 or GTK2 dependencies
  - The package will not be installed by default
  - Packaging and build is easy, link to d/rules: https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules

  [UI standards]

  - Application is not end-user facing (does not need translation)
  - No desktop file; not needed because the application does not provide a GUI

  [Dependencies]

  - There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
    - aom
    - dav1d
    - libde265
    - x265

  [Standards compliance]

   - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]

  - Owning Team will be Foundations team
   - Team is already subscribed to the package
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based

  [Background information]

  The package description explains the package well
  Upstream Name is libheif
  Link to upstream project https://github.com/strukturag/libheif/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/aom/+bug/1827442/+subscriptions
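The subject of this update, and the attached make-target-to-uscan.diff, concern the [Quality assurance - packaging] observation that `debian/watch` (via uscan) and the `get-orig-head` target in `debian/rules` produce different orig tarballs. From a supply-chain point of view the useful question is what exactly differs, since a tarball built from a git snapshot and one downloaded from a release URL are both treated as "upstream" from then on. The following Python script is an added example, not part of the libheif packaging or of uscan: it hashes every regular file in two tarballs, drops the top-level directory name (which legitimately differs between a release directory and a git snapshot), ignores timestamps and ownership, and reports files present on one side only and files whose content changed. The demo() function feeds it two small constructed trees rather than real libheif tarballs.

```python
"""Added example (not part of the libheif packaging, uscan or debhelper):
content-level comparison of two orig tarballs, e.g. the one uscan fetches
through debian/watch and the one `debian/rules get-orig-head` builds from git.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def tar_manifest(path):
    """Map 'relative/path' -> sha256 hex digest for every regular file in the
    tarball, with the single top-level directory stripped from each name so
    that differing directory names do not show up as differences."""
    manifest = {}
    with tarfile.open(path, "r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            parts = Path(member.name).parts
            rel = "/".join(parts[1:]) if len(parts) > 1 else parts[0]
            data = tar.extractfile(member).read()
            manifest[rel] = hashlib.sha256(data).hexdigest()
    return manifest


def orig_tar_diff(path_a, path_b):
    """Return (only_in_a, only_in_b, changed) as sorted lists of paths.
    All three empty means the two tarballs carry identical file content,
    whatever their mtimes, owners or top-level directory names."""
    a = tar_manifest(path_a)
    b = tar_manifest(path_b)
    only_in_a = sorted(set(a) - set(b))
    only_in_b = sorted(set(b) - set(a))
    changed = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return only_in_a, only_in_b, changed


def _pack(path, top, files):
    """Write {name: bytes} into a gzip tarball under top-level directory `top`
    (constructed test data; mtime/owner left at TarInfo defaults)."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo():
    """Constructed input: a release tree and a git snapshot of the same
    project that differ in one file's content and carry one extra file."""
    release = {
        "VERSION": b"1.0\n",
        "src/main.c": b"int main(void) { return 0; }\n",
    }
    snapshot = dict(release, VERSION=b"1.0+git\n")
    snapshot[".gitignore"] = b"*.o\n"
    with tempfile.TemporaryDirectory() as tmp:
        rel = f"{tmp}/release.tar.gz"
        snap = f"{tmp}/snapshot.tar.gz"
        _pack(rel, "pkg-1.0", release)
        _pack(snap, "pkg-1.0+git", snapshot)
        return orig_tar_diff(rel, snap)


if __name__ == "__main__":
    only_a, only_b, changed = demo()
    print("only in release :", only_a)
    print("only in snapshot:", only_b)
    print("content differs :", changed)
```

Point orig_tar_diff() at the two real tarballs (the one uscan downloads versus the one `debian/rules get-orig-head` produces) to get a list a reviewer can check against upstream's git log between the tag and HEAD; three empty lists means the two methods are interchangeable for that version, anything else is the concrete difference the patch in this bug is meant to remove.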



