I reviewed gst-thumbnailers 1.0~alpha.3-0ubuntu1 as checked into resolute. This
shouldn't be considered a full audit but rather a quick gauge of maintainability.

gst-thumbnailers is software that generates thumbnails of images and videos for
the GStreamer framework.

- CVE History
  - none
- Build-Depends
  - Depends on the following deb packages:
    - debhelper-compat (= 13),
    - dh-cargo,
    - cargo:native,
    - gstreamer1.0-plugins-bad,
    - gstreamer1.0-plugins-base,
    - gstreamer1.0-plugins-good,
    - libglycin-2-dev,
    - libgstreamer-plugins-base1.0-dev,
    - libgstreamer1.0-dev,
    - libstd-rust-dev,
    - meson,
    - quilt,
    - rustc:native (>= 1.88)
  - Additionally, it vendors the following packages (123) in
    debian/missing-sources:
    - crossbeam-utils 0.8.21
    - js_sys 1.12
    - bumpalo 0.2.8
    - kstring 2.0.2
    - once_cell 1.1.3
    - plotters-backend 0.3.7
    - toml_datetime 0.7.3
    - gstreamer-base-sys 0.24.2
    - plotters 0.3.7
    - gstreamer-video-sys 0.24.1
    - memchr 2.7.6
    - toml_edit 0.23.7
    - gstreamer-base 0.24.2
    - serde_json 1.0.145
    - image 0.25.9
    - num-integer 0.1.46
    - cast 0.3.0
    - futures-sink 0.3.31
    - rayon 1.11.0
    - num-traits 0.2.19
    - pxfm 0.1.25
    - wasm_bindgen_macro 1.0
    - walkdir 2.5.0
    - bytemuck 1.24.0
    - futures-io 0.3.31
    - smallvec 1.15.1
    - cfg-if 1.0.4
    - serde_core 1.0.228
    - unicode-ident 1.0.22
    - quote 1.0.42
    - gstreamer-sys 0.24.2
    - same-file 1.0.6
    - tinytemplate 1.2.1
    - bitflags 2.10.0
    - thiserror-impl 2.0.17
    - futures-channel 0.3.31
    - gstreamer 0.24.3
    - static_assertions 1.1.0
    - gstreamer-video 0.24.3
    - clap 4.5.53
    - proc-macro2 1.0.103
    - ryu 1.0.20
    - autocfg 1.5.0
    - byteorder-lite 0.1.0
    - clap_builder 4.5.53
    - wasm_bindgen_macro_support 3.0.0
    - pkg-config 0.3.32
    - num-rational 0.4.2
    - ciborium-ll 0.2.2
    - indexmap 2.12.1
    - glib-sys 0.21.2
    - gio-sys 0.21.2
    - itertools 0.13.0
    - hashbrown 0.16.1
    - itoa 1.0.15
    - gstreamer-app 0.24.2
    - target-lexicon 0.13.3
    - glib-macros 0.21.4
    - rayon-core 1.13.0
    - ciborium-io 0.2.2
    - zerocopy 0.8.30
    - crossbeam-deque 0.8.6
    - heck 0.5.0
    - toml_writer 1.0.4
    - ciborium 0.2.2
    - serde 1.0.228
    - pin-utils 0.1.0
    - criterion 0.7.0
    - moxcms 0.7.9
    - gobject-sys 0.21.2
    - futures-macro 0.3.31
    - equivalent 1.0.2
    - half 2.7.1
    - gio 0.21.4
    - wasm_bindgen 1.0
    - regex-automata 0.4.13
    - pastey 0.1.1
    - libc 0.2.177
    - syn 2.0.111
    - version-compare 0.2.1
    - system-deps 7.0.7
    - serde_derive 1.0.228
    - clap_lex 0.7.6
    - toml_parser 1.0.4
    - slab 0.4.11
    - glib 0.21.4
    - criterion-plot 0.6.0
    - libglycin-rebind-sys 0.0.1
    - regex-syntax 0.8.8
    - futures-util 0.3.31
    - libglycin-rebind 0.0.1
    - toml 0.9.8
    - anstyle 1.0.13
    - muldiv 1.0.1
    - oorandom 11.1.5
    - either 1.15.0
    - rustversion 1.0.49
    - web_sys =0.3.82
    - crossbeam-epoch 0.9.18
    - winapi_util 0.1.11
    - wasm_bindgen_shared 1.0.5
    - futures-task 0.3.31
    - aho-corasick 1.1.4
    - anes 0.1.6
    - pin-project-lite 0.2.16
    - crunchy 0.2.4
    - proc-macro-crate 3.4.0
    - clap_derive 4.5.49
    - futures-executor 0.3.31
    - regex 1.12.2
    - plotters-svg 0.3.7
    - zerocopy-derive 0.8.30
    - windows_link 0.2.1
    - windows_sys 0.2.1
    - futures-core 0.3.31
    - gstreamer-app-sys 0.24.0
    - itertools 0.14.0
    - option-operations 0.6.0
    - winnow 0.7.14
    - cfg-expr 0.20.4
    - atomic_refcell 0.1.13
    - thiserror 2.0.17
    - serde_spanned 1.0.3
- pre/post inst/rm scripts
  - none
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - only ./usr/bin/gst-audio-thumbnailer
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - Only 3 tests are run at build time.
  - There are some integration tests in debian/tests
- cron jobs
  - none
- Build logs
  - looks good

- Processes spawned
  - none, except in the benchmark
- Memory management
  - none
- File IO
  - It accepts an output argument and writes a PNG to it.
- Logging
  - In the error state, it sends the debug information to stdout.
- Environment variable usage
  - none
- Use of privileged functions
  - none
- Use of cryptography / random number sources etc
  - none
- Use of temp files
  - none
- Use of networking
  - none
- Use of WebKit
  - none
- Use of PolicyKit
  - none

- Any significant cppcheck results
  - none
- Any significant Coverity results
  - none
- Any significant shellcheck results
  - none
- Any significant bandit results
  - none
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none

There are 123 packages vendored inside this package.

This package seems to rely on glycin to enforce the proper sandbox.
Glycin will decide which sandbox to use based on the system:
https://github.com/GNOME/glycin/blob/main/README.md#sandboxing-and-inner-workings

Security team ACK for promoting gst-thumbnailers to main

** Changed in: gst-thumbnailers (Ubuntu)
       Status: New => In Progress

** Changed in: gst-thumbnailers (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/2137712

Title:
  [MIR] gst-thumbnailers
