[MIR] libmysofa
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libmysofa (Ubuntu) | New | Undecided | Ubuntu Security Team |
Bug Description
[Availability]
The package libmysofa is already in Ubuntu universe.
The package libmysofa builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package https:/
[Rationale]
- The package libmysofa is required in Ubuntu main as an (optional) depends of pipewire
- the library parses spatial audio files which are used by 3D audio systems
- the libmysofa1 binary needs to be promoted
- There is no other/better way to solve this that is already in main or
should go universe->main instead of this.
- The package libmysofa is required in Ubuntu main no later than August 17th
due to mantic feature freeze
[Security]
- Had 15 security issues in the past, sorted out by their status on https:/
Released
- https:/
- https:/
- https:/
- https:/
- https:/
- https:/
Needed
- https:/
- https:/
- https:/
- https:/
Needs triage
- https:/
- https:/
- https:/
- https:/
- https:/
those are also listed in https:/
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/
- Ubuntu https:/
- Debian https:/
- Upstream https:/
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite at build time; if it fails
it makes the build fail, link to build log https:/
- The package runs an autopkgtest, and is currently passing on
amd64 arm64 armhf ppc64el s390x
https:/
- The tests fail on i386 due to installability issues of depends which isn't an issue
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer
- This package has no lintian warnings
- Please link to a recent build log of the package
https:/
- Please attach the full output you have got from `lintian --pedantic`
# lintian --pedantic libmysofa_
#
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf questions
- Packaging and build is easy, link to debian/rules https:/
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be desktop-packages
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built in the archive more recently than the last
- The package successfully built during the most recent test rebuild
[Background information]
The Package description explains the package well
Upstream Name is libmysofa
Link to upstream project https:/
description: updated
description: updated
Changed in libmysofa (Ubuntu):
assignee: nobody → Didier Roche-Tolomelli (didrocks)
Changed in libmysofa (Ubuntu):
assignee: Canonical Security Team (canonical-security) → Ubuntu Security Team (ubuntu-security)
tags: added: sec-2250
TODO: Review for Package: libmysofa
[Summary]
MIR team ACK
Due to the history of unresolved CVEs, this does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: libmysofa1
[Duplication]
There is no other package in main providing the same functionality.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- SRCPKG checked with `check-mir`
- all dependencies can be found in `seeded-in-ubuntu` (already in main)
- none of the (potentially auto-generated) dependencies (Depends
and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
OK:
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
Problems:
- history of CVEs does look concerning, especially the non triaged ones.
- does not parse data formats (files audio) from an untrusted source.
For both those reasons,
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking is in place
- debian/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case