I reviewed libimagequant (2.12.2-1) from disco. libimagequant is a library for the conversion of RGBA images to 8-bit indexed-color (palette) images; it uses pngquant2.

- repository: https://github.com/ImageOptim/libimagequant
- last commit: on Nov 12, 2018
- Build dependencies: debhelper, d-shlibs
- CVE history is in pngquant, though libimagequant uses a self java implementation and seems not to be affected.
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5735
- no pre or postinst scripts
- no systemd unit files
- no system dbus services
- no setuid files
- no binaries in path
- no sudo fragments
- no udev rules
- no tests running / no tests at all
- no cron jobs
- clean build log
- doesn't spawn other processes
- memory mgmt seemed ok
- file IO: no file IO
- minimal logging, looked fine
- no ioctl() or privileged syscalls
- does not use cryptography
- does not use dbus
- does not use webkit
- does not use temp files
- does not use javascripts
- CPPcheck: possible null pointer in libimagequant.c 1841: palette variable is not checked while it is used.
- does not use polkit

ACK from security team to promote it to main.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5735

https://bugs.launchpad.net/bugs/1812858
Title: [MIR] libimagequant (dependency of pillow)
