I reviewed libva 2.22.0-3 as checked into plucky. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
Libva is an implementation for VA-API (Video Acceleration API).

- CVE History
  - Only one CVE appears to exist against this library (CVE-2024-39929). The CVE does not go into many details. I believe it was related to the usage of getenv in place of secure_getenv. Appears to be fixed in version 2.20.
- Build-Depends
  - debhelper-compat, libdrm-dev, libgl-dev, libwayland-dev, libx11-dev, libx11-xcb-dev, libxcb-dri3-dev, libxcb1-dev, libxext-dev, libxfixes-dev, meson, ninja-build, perl, pkgconf
  - TODO
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- Binaries in PATH
  - /usr/bin/dh_libva: debhelper for packaging VA API drivers
- No sudo fragments
- No polkit files
- No udev rules
- Unit tests / autopkgtests
  - No tests are provided for this package, although the Desktop Team seems to have a plan for it: https://wiki.ubuntu.com/DesktopTeam/TestPlans/libva
- No cron jobs
- Build logs
  - No significant build warnings
- No processes spawned
- Memory management
  - Memory management seems to be performed properly. Return values are properly checked and I did not see any low hanging fruit anywhere.
- File IO
  - The library performs file I/O operations in 2 different contexts:
    - Writing tracing information to a specified file. It is possible to force this behaviour by setting the environment variable LIBVA_TRACE to a prefix of your choosing. A user may affect the content of the data to be traced by the usage of various other env variables, e.g. LIBVA_MESSAGING_LEVEL, LIBVA_TRACE_SURFACE, etc.
    - Loading specialized drivers via dlopen. This behaviour can be controlled by the user setting the variables LIBVA_DRIVERS_PATH and LIBVA_DRIVER_NAME.
  - In both cases, access to environment variables is mediated by the usage of secure_getenv().
- Logging
  - The library appears to correctly handle output, avoiding format string attacks and such.
- Environment variable usage
  - The library makes use of various environment variables for its configuration. The parsing logic of such variables does not appear to contain dangerous usage of string manipulation routines or anything suspicious from a security analysis standpoint.
- Does not use any privileged function
- No use of cryptography / random number sources etc.
- No use of temp files
- No use of networking
- No use of WebKit
- No use of PolicyKit
- No significant cppcheck results
- Coverity results:
  - One harmless unchecked return value from fcntl while setting FD_CLOEXEC on an open file descriptor.
  - One integer overflow in va/va.c:1088:14: harmless because GCC uses two's complement integer arithmetic.
  - A few type mismatches in format functions, e.g. printing long long values as long and vice versa. Not a security issue.
  - One TOCTOU issue (false positive).
- No significant shellcheck results

The library seems to be well written and quite easy to read.

Security team ACK for promoting libva to main, on the condition that the tracing feature will be disabled. We suggest providing a trace-enabled libva as a separate package.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-39929

** Changed in: libva (Ubuntu)
       Status: New => In Progress

** Changed in: libva (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libva in Ubuntu.
https://bugs.launchpad.net/bugs/2097800

Title:
  [MIR] libva

Status in libva package in Ubuntu:
  In Progress

Bug description:

[Availability]
- The package libva is already in Ubuntu universe.
- The package libva builds for the architectures it is designed to work on. It currently builds and works for all Ubuntu architectures.
- Link to package: https://launchpad.net/ubuntu/+source/libva

[Rationale]
- The package libva is required in Ubuntu main for gnome-remote-desktop
- The package libva will generally be useful for a large part of our user base
- The package libva is a new runtime dependency of package gnome-remote-desktop that we already support
- There is no other/better way to solve this that is already in main or should go universe->main instead of this.
- The binary package TBD needs to be in main to achieve keeping gnome-remote-desktop up-to-date and supported.
- The package libva is required in Ubuntu main no later than February 20 due to Ubuntu 25.04 Feature Freeze. Practically, we will likely need a Feature Freeze Exception for this.

[Security]
- Had 1 security issue in the past
  https://ubuntu.com/security/CVE-2023-39929
  https://security-tracker.debian.org/tracker/CVE-2023-39929
  The CVE is unclear; it might not have affected Ubuntu.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Security has been kept in mind and common isolation/risk-mitigation patterns are in place utilizing the following features:
  + apparmor profile copied from evince
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
  + Ubuntu https://bugs.launchpad.net/ubuntu/+source/libva
  + Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libva
  + Upstream https://github.com/intel/libva/issues
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package does not run a test at build time because none is provided upstream, since it is difficult to test hardware accelerated video processing with build tests.
- The package does not run an autopkgtest because it is difficult to test hardware accelerated video processing with autopkgtests.
- The package cannot be well tested at build or autopkgtest time because it is difficult to test hardware accelerated video processing that way. To make up for that:
  + We have access to such hardware in the team
  + Based on that access outlined above, here are the details of the test plan/automation: https://wiki.ubuntu.com/DesktopTeam/TestPlans/libva
  + We will execute that test plan on uploads regularly (for SRUs and at Feature Freeze)
- This package is minimal and will be tested in a more wide reaching solution: https://wiki.ubuntu.com/DesktopTeam/TestPlans/RemoteDesktop
  The initial gnome-remote-desktop implementation in gnome-remote-desktop 48 Beta hides the new zero copy feature behind a debug flag, but it is expected to be the default in later GNOME/Ubuntu releases.

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf questions
- Packaging and build is easy, link to debian/rules: https://salsa.debian.org/multimedia-team/libva/-/blob/master/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation or .desktop file)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be Desktop Packages and I have their acknowledgement for that commitment
- The future owning team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built within the last 3 months in the archive
- Build link on launchpad: https://launchpad.net/ubuntu/+source/libva/2.22.0-2

[Background information]
- The package description explains the package well
- Upstream name is libva
- Link to upstream project: https://github.com/intel/libva
- libva was previously in main but was demoted once it was no longer required for build dependencies to be in main; previous MIR: LP: #597354

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libva/+bug/2097800/+subscriptions
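The review's File IO and environment-variable points (driver loading via dlopen steered by LIBVA_DRIVERS_PATH / LIBVA_DRIVER_NAME, with every lookup going through secure_getenv()) can be illustrated with the following added example, which is not libva's own code. It assumes LIBVA_DRIVERS_PATH names a single directory and a hypothetical "<name>_drv_video.so" file naming convention, and it adds a driver-name separator check that the review does not attribute to libva.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* needed for secure_getenv() in glibc headers */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Explicit prototype so the example also compiles if a harness included
 * the standard headers before _GNU_SOURCE was defined (glibc >= 2.17). */
extern char *secure_getenv(const char *name);

/* Read a configuration variable the way the review describes libva doing
 * it: secure_getenv() returns NULL in an AT_SECURE process (e.g. setuid),
 * so a caller cannot redirect driver loading or trace output there. An
 * unset or empty variable falls back to the built-in default. */
static const char *env_or_default(const char *name, const char *fallback)
{
    const char *v = secure_getenv(name);
    return (v && *v) ? v : fallback;
}

/* Defensive check added for this example (not a claim about libva's own
 * validation): a driver name must not contain a path separator, so a
 * user-supplied LIBVA_DRIVER_NAME cannot escape the driver directory. */
static int driver_name_ok(const char *name)
{
    return name && *name && strchr(name, '/') == NULL;
}

/* Build "<dir>/<name>_drv_video.so" into out. The single-directory meaning
 * of LIBVA_DRIVERS_PATH and the file naming convention are assumptions for
 * illustration. Returns 0 on success, -1 on a bad name or if the result
 * would not fit (snprintf truncation is checked, not silently accepted). */
int build_driver_path(const char *default_dir, const char *name,
                      char *out, size_t outlen)
{
    if (!driver_name_ok(name))
        return -1;
    const char *dir = env_or_default("LIBVA_DRIVERS_PATH", default_dir);
    int n = snprintf(out, outlen, "%s/%s_drv_video.so", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[256]; /* "/usr/lib/dri" below is a constructed sample default */
    if (build_driver_path("/usr/lib/dri", "example", path, sizeof path) == 0)
        printf("would dlopen: %s\n", path);
    return 0;
}
```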