[Summary]
The libcupsfilters package currently uses qpdf, a PDF transformation and introspection library written in C++. The upstream project plans to replace qpdf with pdfio, a PDF reading and writing library written in C. The primary goal is ABI compatibility and easier symbol tracking. In addition, PDFio is much more lightweight than QPDF, so libcupsfilters can more easily be used on low-resource devices, for example adapter boxes which make legacy printers driverless. The upstream pdfio project is being actively maintained.

MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs.

This does need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: libpdfio1
Specific binary packages built, but NOT to be promoted to main: None

Notes:
#0 Needs a security review because of issues noted in the [Security] section - CVE history and cryptography implementation.
#1 The upstream pull request that migrates libcupsfilters from using qpdf to pdfio is not yet merged -> https://github.com/OpenPrinting/libcupsfilters/pull/71/
#2 The Ubuntu Printing Team is already subscribed to the package.
#3 After libcupsfilters moves away from qpdf, the latter will cease to have any reverse dependencies in main. We should have a plan to demote qpdf to universe.

Required TODOs:
#4 Resolve the differences between the dpkg-gensymbols output and the contents of debian/libpdfio1.symbols. See the warning noted in [Packaging red flags]. Though the difference is related to private symbols, it would be good to have this warning fixed because symbol tracking is one of the primary rationales for this MIR.

Recommended TODOs:
#5 Fix the build warnings noted in [Upstream red flags].

[Rationale, Duplication and Ownership]
- There is no other package in main providing the same functionality.
  => As the bug report mentions, package qpdf in main does provide this functionality. But the libcupsfilters upstream project intends to replace qpdf (a C++ library) by pdfio, which is written in C. There is no other package in main that offers a PDF reading & writing library written in C.
- A team is committed to own long term maintenance of this package.
  => Ubuntu Printing Team
- The rationale given in the report seems valid and useful for Ubuntu.
  => Minor problem: the upstream pull request that migrates libcupsfilters from using qpdf to using pdfio hasn't yet been merged - https://github.com/OpenPrinting/libcupsfilters/pull/71/

[Dependencies]
OK:
- No other dependencies to MIR due to this SRCPKG checked with `check-mir`
  => reports libpdfio1, which is a binary package of pdfio itself (libpdfio1-dev depends on libpdfio1)
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main
- No -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- No embedded source present
- No static linking
- No Built-Using
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- pdfio is bound to parse content from untrusted sources
- CVEs revealing denial-of-service vulnerabilities that have been fixed:
  - CVE-2023-24808 (CVSS 5.2) - https://www.cve.org/CVERecord?id=CVE-2023-24808
  - CVE-2024-42358 (CVSS 6.2) - https://www.cve.org/CVERecord?id=CVE-2024-42358
  - CVE-2023-28428 (CVSS 6.2) - https://www.cve.org/CVERecord?id=CVE-2023-28428
- pdfio implements its own cryptography. It supports AES and RC4 encrypt/decrypt and MD5 and SHA256 hashes. See files:
  1. pdfio-aes.c
  2. pdfio-rc4.c
  3. pdfio-md5.c
  4. pdfio-sha256.c

[Common Blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- a test suite failure will fail the build
- does have a non-trivial test suite that runs as autopkgtest
  => only tests that use internal APIs are disabled, which is reasonable.
- this does not need special HW for build or test
- not a Python package
- not a Golang package

Problems: None

[Packaging red flags]
OK:
- this package does not yet have a Debian counterpart
  => request for packaging - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093735f4
- symbols tracking is in place
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Ubuntu update history is sporadic
  => the package is less than a month old
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive lintian warnings
  => includes a lintian override, but that seems to be avoiding a false flag
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems:
- dpkg-gensymbols does not match debian/libpdfio1.symbols in build:

dpkg-gensymbols: warning: some new symbols appeared in the symbols file: see diff output below
dpkg-gensymbols: warning: debian/libpdfio1/DEBIAN/symbols doesn't match completely debian/libpdfio1.symbols
--- debian/libpdfio1.symbols (libpdfio1_1.5.1+dfsg-0ubuntu1_amd64)
+++ dpkg-gensymbols_N39_3 2025-03-28 23:06:39.760104851 +0000
@@ -1,4 +1,6 @@
 libpdfio.so.1 libpdfio1 #MINVER#
+ _pdfioTokenInit@Base 1.5.1+dfsg-0ubuntu1
+ _pdfioTokenRead@Base 1.5.1+dfsg-0ubuntu1
  pdfioArrayAppendArray@Base 1.5.0
  pdfioArrayAppendBinary@Base 1.5.0
  pdfioArrayAppendBoolean@Base 1.5.0

[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid/setgid
- no important open bugs (crashers, etc) in Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems:
- 2 warnings possibly resulting from CFLAGS passed by dpkg-buildflags (ignoring 2 more warnings in tests)
  => warning: "_FORTIFY_SOURCE" redefined
  => pdfio-value.c:607:73: warning: 'Z' directive output may be truncated writing 1 byte into a region of size between 0 and 16 [-Wformat-truncation=]
     607 |   snprintf(datestr, sizeof(datestr), "D:%04d%02d%02d%02d%02d%02dZ", date.tm_year + 1900, date.tm_mon + 1, date.tm_mday, date.tm_hour, date.tm_min, date.tm_sec);

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-24808

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-28428

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-42358

** Changed in: pdfio (Ubuntu)
     Assignee: Pushkar Kulkarni (pushkarnk) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2103648

Title:
  [MIR] pdfio

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pdfio/+bug/2103648/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
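Review bot: the two `+` lines of the dpkg-gensymbols diff show `_pdfioTokenInit@Base` and `_pdfioTokenRead@Base` exported by the built libpdfio.so.1 but missing from debian/libpdfio1.symbols, and both carry the leading underscore that the review (TODO #4) identifies as pdfio's private-symbol convention. Simply appending them to the symbols file would make the package track an ABI upstream does not promise to keep, so the cleaner fix is to ask upstream to stop exporting private symbols (GCC `-fvisibility=hidden` with an explicit export attribute on the public API, or a linker version script); until that lands, listing the two symbols with the `(optional)` tag in debian/libpdfio1.symbols silences the mismatch without committing to them.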
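The -Wformat-truncation warning at pdfio-value.c:607 fires because the compiler cannot bound `date.tm_year + 1900` (or the other tm fields) to the width of its `%0Nd` directive, so the fixed-size PDF date string may not fit `datestr`. The following is an added example, not pdfio's own code, showing how the same "D:YYYYMMDDHHmmSSZ" string can be produced with every field range-checked first and the snprintf return value checked for truncation; `pdf_format_date` and `PDF_DATE_LEN` are assumed names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* "D:YYYYMMDDHHmmSSZ" is 17 characters plus the terminating NUL. */
#define PDF_DATE_LEN 18

/*
 * Format a struct tm as a PDF date string into buf (buflen bytes).
 * Returns true on success; on any failure buf is left empty.
 * Hypothetical helper, not part of pdfio.
 */
static bool
pdf_format_date(const struct tm *date, char *buf, size_t buflen)
{
  int year = date->tm_year + 1900;
  int ret;

  if (buflen == 0)
    return (false);

  /* Range-check every field so each %0Nd directive emits exactly N
   * characters; a year outside 0..9999 or a negative field would
   * widen the output past the 17 bytes the format is sized for. */
  if (year < 0 || year > 9999 ||
      date->tm_mon < 0 || date->tm_mon > 11 ||
      date->tm_mday < 1 || date->tm_mday > 31 ||
      date->tm_hour < 0 || date->tm_hour > 23 ||
      date->tm_min < 0 || date->tm_min > 59 ||
      date->tm_sec < 0 || date->tm_sec > 60)
  {
    buf[0] = '\0';
    return (false);
  }

  ret = snprintf(buf, buflen, "D:%04d%02d%02d%02d%02d%02dZ",
                 year, date->tm_mon + 1, date->tm_mday,
                 date->tm_hour, date->tm_min, date->tm_sec);

  /* snprintf returns the length it wanted to write; a value >= buflen
   * means the output was truncated, which we report instead of
   * silently handing back a malformed date. */
  if (ret < 0 || (size_t)ret >= buflen)
  {
    buf[0] = '\0';
    return (false);
  }

  return (true);
}
```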