[Bug 2004449] Re: [MIR] libde265 (dependency of libheif)

Christian Ehrhardt  2004449 at bugs.launchpad.net
Fri Apr 19 06:17:06 UTC 2024


In noble we only have one version atm:
 libde265 | 1.0.15-1build3 | noble/universe | source

To promote src:libde265 bin:libde265-0

Override component to main
libde265 1.0.15-1build3 in noble: universe/misc -> main
Override [y|N]? y
1 publication overridden.

Override component to main
libde265-0 1.0.15-1build3 in noble amd64: universe/libs/optional/100% -> main
libde265-0 1.0.15-1build3 in noble arm64: universe/libs/optional/100% -> main
libde265-0 1.0.15-1build3 in noble armhf: universe/libs/optional/100% -> main
libde265-0 1.0.15-1build3 in noble i386: universe/libs/optional/100% -> main
libde265-0 1.0.15-1build3 in noble ppc64el: universe/libs/optional/100% -> main
libde265-0 1.0.15-1build3 in noble riscv64: universe/libs/optional/100% -> main
libde265-0 1.0.15-1build3 in noble s390x: universe/libs/optional/100% -> main
Override [y|N]? y
7 publications overridden.


** Changed in: libde265 (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libde265 in Ubuntu.
https://bugs.launchpad.net/bugs/2004449

Title:
  [MIR] libde265 (dependency of libheif)

Status in libde265 package in Ubuntu:
  Fix Released

Bug description:
  [Availability]

  The package libde265 is already in Ubuntu universe.
  The package libde265 builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el
  riscv64 s390x

  Link to package https://launchpad.net/ubuntu/+source/libde265

  [Rationale]

  - The package libde265 is required in Ubuntu main for libheif
  - The package libde265 will generally be useful for a large part of our
    user base as it provides a widely used H.265 video codec.
  - The package libde265 is a new runtime dependency of package libheif that
    we will support
  - It would be great and useful to community/processes to have the package
    libde265 in Ubuntu main, but there is no definitive deadline.

  [Security]

  - Had 33 security issues in the past:
      - https://security-tracker.debian.org/tracker/source-package/libde265
  - Current version (1.0.9-1.1) has open issues:
      - https://security-tracker.debian.org/tracker/CVE-2022-43249
        Buffer overflow, Denial of service via crafted input file
      - https://security-tracker.debian.org/tracker/CVE-2022-43245
        Segmentation violation, Denial of service via crafted input file
      - https://security-tracker.debian.org/tracker/CVE-2020-21596
        Buffer overflow
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Package does not open privileged ports (ports < 1024)
  - Package does contain extensions to security-sensitive software:
    the package provides H.265 video codec which processes untrusted input

  [Quality assurance - function/usage]

  - The package works well right after install

  [Quality assurance - maintenance]

  - The package is maintained well in Debian/Ubuntu and has not too many
    and long term critical bugs open
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libde265/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libde265
  - The package has important open bugs, listing them:
      - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029357
        libde265: CVE-2022-43245 CVE-2022-43249
      - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029397
        libde265: CVE-2020-21596
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]

  - The package does not run a test at build time because it is not implemented
    upstream
  - The package does not run an autopkgtest because it is not implemented

  This section is not complete, as the test plan/approach for developing
  autopkgtests needs to be discussed.
  TODO: - The package cannot be tested at build or autopkgtest time because TBD
  TODO:   to make up for that here TBD is a test plan/automation and example
  TODO:   test TBD (logs/scripts)

  [Quality assurance - packaging]

  - debian/watch is present and works
  - debian/control defines a correct Maintainer field
  - This package does not yield massive lintian Warnings, Errors
    https://udd.debian.org/lintian/?packages=libde265
  - Please link to a recent build log of the package
    https://launchpadlibrarian.net/647779131/buildlog_ubuntu-lunar-amd64.libde265_1.0.9-1.1_BUILDING.txt.gz
  - Please attach the full output you have got from
    `lintian --pedantic` as an extra post to this bug.
  - Lintian overrides are not present
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies
  - The package will not be installed by default
  - Packaging and build is easy, link to d/rules
    https://git.launchpad.net/ubuntu/+source/libde265/tree/debian/rules

  [UI standards]

  - Application is not end-user facing (does not need translation)
  - End-user applications without desktop file, not needed because
    it does not provide any GUI

  [Dependencies]
   - There are further dependencies that are not yet in main, the MIR
     process for them is handled as part of this bug here.
     libde265-examples has following runtime dependencies in universe:
     - https://launchpad.net/ubuntu/+source/qtbase-opensource-src
     - https://launchpad.net/ubuntu/+source/libsdl1.2
     - https://launchpad.net/ubuntu/+source/ffmpeg

  [Standards compliance]

  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]

  - Owning Team will be Foundations Team
  - Team is not yet, but will subscribe to the package before promotion
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based
  - The package has been built in the archive more recently than the last
    test rebuild

  [Background information]
  The Package description explains the package well
  Upstream Name is libde265 - open h.265 codec implementation
  Link to upstream project https://github.com/strukturag/libde265
