I reviewed woff2 1.0.2-1 as checked in to cosmic. This isn't a full security audit, but rather a quick gauge of maintainability.
- woff2 is a library for decompressing WOFF2 font files to TTF, and is an implementation of the W3C spec (https://www.w3.org/TR/WOFF2/).
- No CVEs in our database.
- Build-Depends: cmake, debhelper, libbrotli-dev, pkg-config
- It is designed to process untrusted data from the web.
- Contains several binaries in PATH: woff2_info, woff2_compress, woff2_decompress
- Doesn't spawn any subprocesses.
- Uses a mixture of operator new[] and std::vector for allocating write buffers.
- Uses a convenience class (woff2::Buffer) for reading from memory buffers, designed to protect against out-of-bounds errors.
- Makes use of std::unique_ptr.
- Doesn't open any files.
- Some logging via printf and fprintf.
- No environment variable use.
- No privileged code.
- No networking.
- No cryptography.
- No SQL.
- Doesn't use temporary files.
- No webkit.
- Some cppcheck errors. The first 2 look bogus, and the remaining ones in woff2_enc.cc are struct members that are unused:

  [src/font.cc:88]: (error) Uninitialized struct member: table.flavor
  [src/font.cc:88]: (error) Uninitialized struct member: table.num_tables
  [src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.checksum
  [src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.offset
  [src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.length
  [src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.data
  [src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.reuse_of
  [src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.flag_byte
  [src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.src_offset
  [src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.dst_offset
  [src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.dst_length
  [src/woff2_enc.cc:349]: (error) Uninitialized struct member: table.dst_data

- Build logs are mostly clean, but there is a compiler warning on 32-bit architectures:

  /<<PKGBUILDDIR>>/src/woff2_dec.cc: In function ‘bool woff2::{anonymous}::ReadWOFF2Header(const uint8_t*, size_t, woff2::{anonymous}::WOFF2Header*)’:
  /<<PKGBUILDDIR>>/src/woff2_dec.cc:1184:37: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 4 has type ‘size_t {aka unsigned int}’ [-Wformat=]
             src_offset, length, dst_offset);
                                       ^

  The format identifier here should probably be %zu.
- No init scripts or systemd unit files.
- No dbus services.
- No setuid binaries.
- Doesn't call any privileged commands.
- No sudo fragments.
- No udev rules.
- No cronjobs.
- There doesn't appear to be any standalone tests in the woff2 repository. woff2 support in Chrome (using the same library) has its own tests, but that's no use here.

woff2 is fairly small and well maintained upstream. As expected for something that processes untrusted data, it is programmed defensively against invalid input. It is already embedded inside Firefox and Chrome, and shouldn't be a maintenance burden.

Security team ACK for promoting woff2 to main.

** Changed in: woff2 (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1742743

Title:
  [MIR] woff2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/woff2/+bug/1742743/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
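As an added illustration of the two points the review raises, the bounds-checked reading pattern it credits to woff2::Buffer and the %zu size_t format specifier, here is a small assumed SafeBuffer class (not the library's own code) parsing the fixed 48-byte WOFF2 header from the W3C spec linked above; it rejects truncated input and a bad signature instead of reading past the end, and the sample header bytes are constructed for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>
// Bounds-checked reader in the spirit of woff2::Buffer; an assumed re-implementation, not the library's class.
class SafeBuffer {
 public:
  SafeBuffer(const uint8_t* data, size_t len) : data_(data), len_(len), off_(0) {}
  // Every read checks the remaining length first; a failed read consumes nothing.
  bool Skip(size_t n) { if (n > len_ - off_) return false; off_ += n; return true; }
  bool ReadU16(uint16_t* v) {  // big-endian, as in the WOFF2 spec
    if (!Skip(2)) return false;
    *v = (uint16_t)((data_[off_ - 2] << 8) | data_[off_ - 1]);
    return true;
  }
  bool ReadU32(uint32_t* v) {
    if (!Skip(4)) return false;
    *v = ((uint32_t)data_[off_ - 4] << 24) | ((uint32_t)data_[off_ - 3] << 16) |
         ((uint32_t)data_[off_ - 2] << 8) | (uint32_t)data_[off_ - 1];
    return true;
  }
  size_t offset() const { return off_; }
 private:
  const uint8_t* data_; size_t len_, off_;
};
// Fixed-size fields of the WOFF2 file header (W3C WOFF2 spec, section 4).
struct Woff2Header {
  uint32_t signature, flavor, length; uint16_t num_tables, reserved;
  uint32_t total_sfnt_size, total_compressed_size; uint16_t major_version, minor_version;
  uint32_t meta_offset, meta_length, meta_orig_length, priv_offset, priv_length;
};
// Fails cleanly on a truncated buffer or bad signature instead of reading past the end.
bool ParseWoff2Header(const uint8_t* data, size_t len, Woff2Header* h) {
  SafeBuffer buf(data, len);
  if (!buf.ReadU32(&h->signature) || h->signature != 0x774F4632u) return false;  // 'wOF2'
  bool ok = buf.ReadU32(&h->flavor) && buf.ReadU32(&h->length) && buf.ReadU16(&h->num_tables) &&
            buf.ReadU16(&h->reserved) && buf.ReadU32(&h->total_sfnt_size) &&
            buf.ReadU32(&h->total_compressed_size) && buf.ReadU16(&h->major_version) &&
            buf.ReadU16(&h->minor_version) && buf.ReadU32(&h->meta_offset) &&
            buf.ReadU32(&h->meta_length) && buf.ReadU32(&h->meta_orig_length) &&
            buf.ReadU32(&h->priv_offset) && buf.ReadU32(&h->priv_length);
  // %zu is the portable size_t specifier (cf. the 32-bit %lu warning in the review).
  if (!ok) fprintf(stderr, "truncated WOFF2 header: %zu of 48 bytes present\n", buf.offset());
  return ok;
}
// Constructed sample: a valid 48-byte header, flavor 0x00010000 (TrueType), 3 tables.
std::vector<uint8_t> SampleHeader() {
  std::vector<uint8_t> v(48, 0);
  v[0] = 0x77; v[1] = 0x4F; v[2] = 0x46; v[3] = 0x32; v[5] = 0x01; v[13] = 3;
  return v;
}
```

Cutting the sample to 47 bytes makes the last read fail and the parser return false without touching the 48th byte, which is the property the reviewer is describing.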