I reviewed pdfio 1.5.1+dfsg-0ubuntu1 as checked into questing. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

PDFio is a simple C library for reading and writing PDFs authored by Michael Sweet, author of CUPS. It provides various functionality for manipulating PDFs, including reading and writing of encrypted PDFs. Notably, it does not include any functionality for rendering or viewing PDFs.
- CVE History
  - 3 historical CVEs
    - CVE-2024-42358
    - CVE-2023-28428
    - CVE-2023-24808
  - All three are DoS vulnerabilities caused by parsing malformed input files
  - Fixed quickly upstream and tracked through GitHub security advisories
- Build-Depends
  - Normal builddeps
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - None
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - Includes non-trivial build tests and autopkgtests
  - Autopkgtests skip a few tests that use internal APIs
- cron jobs
  - None
- Build logs
  - As noted in the MIR team ACK, there are two notable compiler warnings
    - warning: "_FORTIFY_SOURCE" redefined
    - pdfio-value.c:607:73: warning: Z directive output may be truncated writing 1 byte into a region of size between 0 and 16 [-Wformat-truncation=]
  - There is an additional dpkg warning that is mentioned in the MIR team ACK as a required TODO to fix before promotion to main
    - dpkg-gensymbols: warning: debian/libpdfio1/DEBIAN/symbols doesn't match completely debian/libpdfio1.symbols
- Processes spawned
  - None
- Memory management
  - Defensive memory management
- File IO
  - One notable item:
    - The pdfioFileCreate() function creates a PDF file using a filename provided by the calling application without using the O_EXCL flag. This could potentially allow users to overwrite existing files. This requires the calling application to decide whether to allow overwrites.
- Logging
  - Seemingly comprehensive error messaging
- Environment variable usage
  - Checks for the presence of TMPDIR when creating a temporary PDF file, otherwise defaults to '/tmp'
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc.
  - The package includes the function _pdfioCryptoMakeRandom
    - This attempts to use getrandom() to generate a random number
    - If getrandom() is not present on the system, the package falls back on reading from /dev/urandom to generate a random number
    - If this fails for any reason, it instead uses its own implementation of a Mersenne Twister PRNG
  - The package implements its own cryptography, found in pdfio-crypto.c
    - It currently supports the following:
      - The original 40-bit RC4 (V2+R2) encryption for reading only
      - 128-bit RC4 (V2+R3) encryption for reading and writing
      - 128-bit AES (V4+R4) encryption for reading and writing
    - Plans to implement support for 256-bit AES (V6+R6) encryption for reading and writing in the future
    - Upstream acknowledges the known weaknesses of PDF encryption
- Use of temp files
  - pdfioFileCreateTemporary() creates a temporary PDF file
    - Checks for the presence of a reachable TMPDIR, otherwise defaults to '/tmp' for the directory
    - The temp file name is a randomly generated string (see the use of cryptography section)
    - It checks 1000 times for a unique name
    - It will not create a file if one already exists with the generated name
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- Any significant cppcheck results
  - All results are false positives
- Any significant Coverity results
  - None
  - Upstream maintains its own Coverity project for this, linked in the GitHub: https://scan.coverity.com/projects/michaelrsweet-pdfio
  - The last scan was in April of this year, and found one defect that has since been fixed
- Any significant shellcheck results
  - None
- Any significant bandit results
  - None
- Any significant govulncheck results
  - None
- Any significant Semgrep results
  - None
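As an added example (not pdfio's own code), the following C routine ties together the File IO and temp-file items above: it picks the directory the way the review describes (TMPDIR if reachable, else /tmp), draws names from getrandom() with a /dev/urandom fallback, retries up to 1000 times, and opens with O_EXCL so an existing file is never overwritten. The function names and the "example-" prefix are assumptions of mine, not pdfio identifiers.

```c
#define _GNU_SOURCE /* getrandom() and O_CLOEXEC declarations on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>
#include <unistd.h>

/* Random bytes: getrandom() first, then /dev/urandom (the review's first two
 * sources; the Mersenne Twister fallback is left out).  0 on success. */
static int fill_random(unsigned char *buf, size_t len)
{
  if (getrandom(buf, len, 0) == (ssize_t)len)
    return 0;
  int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
  if (fd < 0)
    return -1;
  size_t got = 0;
  while (got < len) {
    ssize_t n = read(fd, buf + got, len - got);
    if (n <= 0) { close(fd); return -1; }
    got += (size_t)n;
  }
  close(fd);
  return 0;
}

/* Create a fresh file in $TMPDIR (or /tmp), trying up to 1000 random names.
 * O_EXCL makes open() fail with EEXIST instead of reusing an existing file,
 * the overwrite the review flags for pdfioFileCreate().  Returns the fd or -1
 * and writes the chosen path into `path`. */
int create_temp_exclusive(char *path, size_t pathlen)
{
  const char *dir = getenv("TMPDIR");
  if (!dir || !*dir || access(dir, W_OK | X_OK) != 0)
    dir = "/tmp";
  for (int attempt = 0; attempt < 1000; attempt++) {
    unsigned long long r;
    if (fill_random((unsigned char *)&r, sizeof r) != 0)
      return -1;
    snprintf(path, pathlen, "%s/example-%016llx.pdf", dir, r);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd >= 0)
      return fd;
    if (errno != EEXIST)
      return -1; /* permission or I/O error: another name will not help */
  }
  return -1; /* 1000 collisions in a row: give up rather than overwrite */
}
```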
Overall the package seems to be healthy and easily maintainable with a reasonable motivation. Notably, upstream maintains their own Coverity project for the package, includes a Security.md file, and utilizes GitHub's security advisories to track CVEs.

Security team ACK for promoting pdfio to main on the condition of completing the MIR team's required TODOs.
** Changed in: pdfio (Ubuntu)
Status: New => In Progress
** Changed in: pdfio (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/2103648
Title:
[MIR] pdfio