I reviewed `speexdsp` `1.2.1-1` as checked into Noble. This shouldn't be considered a full audit, but rather a quick gauge of maintainability that involves static and dynamic analysis techniques.
Speex is a free, open-source audio compression codec specialised in reproducing human speech at low bitrates (~2.1–32 kbit/s per channel). The format is contained by other formats such as Ogg and Flash Video. It was replaced by its parent organisation, Xiph, with the Opus format. Despite being obsolete, the format is still supported by open-source software such as [OpenWrt](https://github.com/openwrt/packages/issues/3747). SpeexDSP is a library that includes the preprocessor, the acoustic echo canceller, the jitter buffer, and the resampler.

It should be noted that `speexdsp`'s code was part of main until Ubuntu 22.04. Before this release, the codebase was not a separate package but part of the `speex` package.

As SpeexDSP is a dependency-free library, it can be linked by programs with `-lspeexdsp -lm`. Its sole input is the Speex-encoded data provided by the program linking SpeexDSP. As the library is written in C but has no OS interaction, the codebase is prone to memory corruption issues that may ultimately lead to code execution in the context of the parent process.

- CVE History
  - There is no CVE issued for SpeexDSP.
  - The Speex library, a sibling codebase from which `speexdsp` was derived, has had two CVEs in the past:
    - CVE-2020-23904: bogus stack buffer overflow that could not be validated by the maintainers.
    - CVE-2020-23903: division by zero in `speexenc`, an example program.
  - The Speex sibling codebase was also integrated into OSS-Fuzz.
    - The integration definition files are placed in the [Speex](https://gitlab.xiph.org/xiph/speex/-/blob/master/contrib/oss-fuzz/speexdec_fuzzer.cc) and [OSS-Fuzz](https://github.com/google/oss-fuzz/tree/master/projects/speex) repositories.
    - [There are 13 bugs](https://bugs.chromium.org/p/oss-fuzz/issues/list?q=speex&can=1) between 2019 and 2021 that were handled maturely by the maintainers.
- Build-Depends
  - It depends only on `libm` and `libc`.
- pre/post inst/rm scripts
  - N/A
- init scripts
  - N/A
- systemd units
  - N/A
- dbus services
  - N/A
- setuid binaries
  - N/A
- binaries in PATH
  - N/A
- sudo fragments
  - N/A
- polkit files
  - N/A
- udev rules
  - N/A
- unit tests / autopkgtests
  - There is no unit test for the whole codebase.
  - The encoding and decoding of the Speex codec are tested in the previously mentioned sibling codebase and in OSS-Fuzz.
- cron jobs
  - N/A
- Build logs
  - N/A
- Processes spawned
  - N/A
- Memory management
  - The allocations take place for the members of the "states". These are internal structures, with multiple fields, that hold the current state of a given operation executed by the library.
  - The library defines wrappers over the standard memory management functions in its `libspeexdsp/os_support.h` file. These wrapper functions are called in all files where memory management is needed. The functions are properly paired: if the library allocates many members in an initialisation function (for example, `speex_preprocess_state_init`, which allocates `SpeexPreprocessState` structures), it also frees them in a dedicated function (to continue the preprocessor example, `speex_preprocess_state_destroy`).
- File IO
  - Files are opened in:
    - `libspeexdsp/testecho.c`, a test program whose arguments name the files to be opened and written; and
    - `libspeexdsp/mdf.c`, in which the 3 file paths are hard-coded (for example, `aec_rec.sw`) and safely opened and written.
- Logging
  - The library logs static messages using functions defined in its `libspeexdsp/os_support.h`, such as `speex_warning` and `speex_notify`.
  - It also exports a logging-related function, `speex_resampler_strerr`, which converts a resampler status code into a string.
- Environment variable usage
  - N/A
- Use of privileged functions
  - N/A
- Use of cryptography / random number sources etc
  - N/A
- Use of temp files
  - N/A
- Use of networking
  - N/A
- Use of WebKit
  - N/A
- Use of PolicyKit
  - N/A
- Any significant cppcheck results
  - `cppcheck` was run again with additional flags to include the headers.
  - No warning was generated.
  - The `cppcheck.manual.txt` file was additionally generated.
- Any significant Coverity results
  - Coverity reported two issues with possible security impact. Both are in the `update_filter` function from `resample.c`, but they were manually invalidated:
    - `st->num_rate/st->den_rate` cannot trigger a division by zero. `st->den_rate` is set in `speex_resampler_set_rate_frac` to the value of one argument of `update_filter`; that argument is checked in the function's prologue to be non-zero.
    - `quality_map[st->quality]` cannot access a memory address before the start of `quality_map` through a negative value of `st->quality`. The latter is checked in the `update_filter` function to be a value between 0 and 10.
- Any significant spellcheck results
  - All generated warnings concern build scripts, which are not installed on users' hosts.
- Any significant bandit results
  - N/A
- Any significant govulncheck results
  - N/A
- Any significant Semgrep results
  - The warnings only appear for the shell scripts.
  - The default "auto" configuration did not process much of the C codebase because of the wrappers from `libspeexdsp/os_support.h`.
  - Therefore, the community rules downloaded with `semgrep-rules-manager` were used.
  - The results were stored in `semgrep.manual.txt`.

In addition to the analysis performed with static analysers, fuzzing was also performed. The resampling, echoing, and denoising methods were called in three harnesses, which were then built with `afl-gcc` and ASan, and run with AFL++. After 1 million iterations, no crash was detected.
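To make the reasoning behind the two Coverity invalidations concrete, the following is a constructed model of the `resample.c` paths in question, added here for illustration; it is not libspeexdsp's own code. The function names mirror the report, the `quality_map` values and the `filt_len` computation are made up, and the point is only that the divisor and the index are validated at the API edge before `update_filter` ever runs.

```c
#include <stdint.h>

/* Constructed model of the two resample.c paths Coverity flagged, written to
 * show why the review closed them as false positives. It is not
 * libspeexdsp's own code; names mirror the report, logic is simplified. */

#define RESAMPLER_ERR_SUCCESS     0
#define RESAMPLER_ERR_INVALID_ARG 3
#define QUALITY_LEVELS 11  /* valid quality values are 0..10 inclusive */

/* Stand-in for quality_map: one entry per quality level (constructed values). */
static const uint32_t quality_map[QUALITY_LEVELS] = {
    8, 16, 32, 48, 64, 80, 96, 128, 160, 192, 256 };

typedef struct {
    uint32_t num_rate;  /* input rate */
    uint32_t den_rate;  /* output rate; the divisor Coverity worried about */
    int      quality;   /* the index Coverity worried about */
    uint32_t filt_len;  /* result computed by update_filter */
} resampler_state;

/* Both flagged expressions live here; neither is guarded locally. */
static int update_filter(resampler_state *st)
{
    uint32_t ratio = st->num_rate / st->den_rate;        /* den_rate != 0 */
    st->filt_len = quality_map[st->quality] * (ratio ? ratio : 1); /* 0..10 */
    return RESAMPLER_ERR_SUCCESS;
}

/* Models speex_resampler_set_rate_frac: zero is rejected in the prologue,
 * so update_filter can never divide by zero. */
int set_rate_frac(resampler_state *st, uint32_t ratio_num, uint32_t ratio_den)
{
    if (ratio_num == 0 || ratio_den == 0)
        return RESAMPLER_ERR_INVALID_ARG;
    st->num_rate = ratio_num;
    st->den_rate = ratio_den;
    return update_filter(st);
}

/* Models initialisation: quality is range-checked before any state is
 * written, so quality_map[] can never be indexed with a negative value. */
int resampler_init(resampler_state *st, uint32_t in_rate, uint32_t out_rate,
                   int quality)
{
    if (quality < 0 || quality >= QUALITY_LEVELS)
        return RESAMPLER_ERR_INVALID_ARG;
    st->quality = quality;
    st->filt_len = 0;
    return set_rate_frac(st, in_rate, out_rate);
}
```

A static analyser looking only at `update_filter` sees an unguarded division and array index; the guards are one call up, which is exactly why the findings need manual triage rather than a code change.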
Despite the lack of previous vulnerabilities from which the upstream's behaviour could have been observed, it can be anticipated that upstream will respond to any future vulnerability. This view is strengthened by the maturity of the parent organisation, the response to OSS-Fuzz bugs in the case of `speex`, and the lack of issues discovered during this analysis.

Security team ACK for promoting `speexdsp` to main. Thanks!

** Bug watch added: github.com/openwrt/packages/issues #3747
   https://github.com/openwrt/packages/issues/3747

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-23903

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-23904

** Changed in: speexdsp (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

Title: [MIR] speexdsp
https://bugs.launchpad.net/bugs/2047149
