I reviewed librevenge version 0.0.1-1 as checked into utopic. This
shouldn't be considered a full security audit, rather a quick gauge of
code quality.

- librevenge provides interfaces for document import filters
- Build-Depends: autotools-dev, dh-autoreconf, debhelper, libboost-dev,
  libboost-filesystem-dev, libcppunit-dev, pkg-config, zlib1g-dev
- No networking
- No cryptography
- Does not daemonize
- No maintainer scripts
- No initscripts
- No dbus
- No setuid
- No binaries in bin/
- No udev rules
- Test suite run during build
- No cronjobs
- Build logs clean

- No subprocesses spawned
- Memory management is mixed; some C, some 'new' and 'delete'
- File IO is under control of callers
- No logging
- No environment variables
- No privileged portions of code
- No cryptography
- No networking
- No temporary files
- No webkit
- Clean cppcheck
- No PolicyKit

librevenge's code quality is mixed; most looks average, but obvious
opportunities for code cleanup have been overlooked and there are more
type casts than usual. The library seems to lack a clear vision of what
primitive data types it uses and why it uses them.

I suspect as this library matures we'll have a potentially larger
maintenance burden than usual as a result of code cleanups.

Security team ACK for promoting librevenge to main.

Thanks


** Changed in: librevenge (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)

https://bugs.launchpad.net/bugs/1328194

Title:
  [MIR] librevenge


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
