I just wanted to complement the review with a few remarks. The recommendation I made about disabling the trace feature is more of a precaution than anything else. It is a feature I believe it is unnecessary to have in a production environment but I may be wrong. In the end, if disabling the feature turns out to be difficult for any reason I would not complain if we keep it as it is. The answer for the MIR would still be ACK.
The recommendation I made comes from the evaluation of a few context the library may be used in. A couple of examples: The first dangerous context that comes to my mind would be the case of a setuid binary linked against libva. If an unprivileged user were to specify a log file path, the library would happily obey. The consequences of this action largely depends on the content being written and the location chosen for the output file. As an example, imagine writing a file in /etc/cron.d. This would lead to privilege escalation if the written data were to contain a valid cron line. This scenario has been prevented by the usage of secure_getenv, introduced in version 2.20 of the library. Another possible context would be the following. Imagine a service that uses libva in the backend for processing images, videos and such. Imagine again the service provides "limited" configuration options in the form of environment variables to be passed to the backend. You may argue a service like this is badly designed and I definitely agree but I cannot exclude such a flawed system exists or will not exist in the future. I may not be able to currently provide any working exploit or any other plausible scenario but I prefer the safest assumption I am not being creative enough. In the end it is a library and as such it is difficult to predict the context it would be used in. Hence my the conclusion to disable the feature if it is not necessary. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libva in Ubuntu. https://bugs.launchpad.net/bugs/2097800 Title: [MIR] libva Status in libva package in Ubuntu: In Progress Bug description: [Availability] The package libva is already in Ubuntu universe. The package libva build for the architectures it is designed to work on. It currently builds and works for all Ubuntu architectures Link to package https://launchpad.net/ubuntu/+source/libva [Rationale] - The package libva is required in Ubuntu main for gnome-remote-desktop - The package libva will generally be useful for a large part of our user base - The package libva is a new runtime dependency of package gnome-remote-desktop that we already support - There is no other/better way to solve this that is already in main or should go universe->main instead of this. - The binary package TBD needs to be in main to achieve keeping gnome-remote-desktop up-to-date and supported. - The package libva is required in Ubuntu main no later than February 20 due to Ubuntu 25.04 Feature Freeze. Practically, we will likely need a Feature Freeze Exception for this. [Security] - Had 1 security issue in the past https://ubuntu.com/security/CVE-2023-39929 https://security-tracker.debian.org/tracker/CVE-2023-39929 The CVE is unclear; it might not have affected Ubuntu. - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Security has been kept in mind and common isolation/risk-mitigation patterns are in place utilizing the following features: + apparmor profile copied from evince - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs + Ubuntu https://bugs.launchpad.net/ubuntu/+source/libva + Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libva + Upstream https://github.com/intel/libva/issues - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] - The package does not run a test at build time because none is provided upstream because it is difficult to test hardware accelerated video processing with build tests. - The package does not run an autopkgtest because it is difficult to test hardware accelerated video processing with autopkgtests. - The package can not be well tested at build or autopkgtest time because it is difficult to test hardware accelerated video processing that way. To make up for that: + We have access to such hardware in the team + Based on that access outlined above, here are the details of the test plan/automation https://wiki.ubuntu.com/DesktopTeam/TestPlans/libva + We will execute that test plan on-uploads regularly (for SRUs and at Feature Freeze) - This package is minimal and will be tested in a more wide reaching solution https://wiki.ubuntu.com/DesktopTeam/TestPlans/RemoteDesktop The initial gnome-remote-desktop implementation in gnome-remote- desktop 48 Beta hides the new zero copy feature behind a debug flag but it is expected to be the default in later GNOME/Ubuntu releases. [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - This package does not yield massive lintian Warnings, Errors - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf questions - Packaging and build is easy, link to debian/rules https://salsa.debian.org/multimedia-team/libva/-/blob/master/debian/rules [UI standards] - Application is not end-user facing (does not need translation or .desktop file) [Dependencies] - No further depends or recommends dependencies that are not yet in main [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - The owning team will be Desktop Packages and I have their acknowledgement for that commitment - The future owning team is already subscribed to the package - This does not use static builds - This does not use vendored code - This package is not rust based - The package has been built within the last 3 months in the archive - Build link on launchpad: https://launchpad.net/ubuntu/+source/libva/2.22.0-2 [Background information] The Package description explains the package well Upstream Name is libva Link to upstream project https://github.com/intel/libva libva was previously in main but was demoted once it was no longer required for build dependencies to be in main previous MIR: LP: #597354 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libva/+bug/2097800/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
