I reviewed highway 1.2.0-3ubuntu2 as checked into oracular. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
highway is a C++ library that provides portable SIMD/vector intrinsics. It
makes SIMD/vector programming easier, in order to increase performance in software.
- CVE History
  - None
- Build-Depends
  - Nothing concerning; it requires cmake, libgtest-dev and ninja-build as
    build depends
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - It will generate these libraries:
    - /lib/x86_64-linux-gnu/libhwy.so.1
    - /lib/x86_64-linux-gnu/libhwy_contrib.so.1
    - /lib/x86_64-linux-gnu/libhwy_test.so.1
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - There is an extensive set of unit test cases which run when building
    the package
  - Right now only the smoke test is being run as an autopkgtest
- cron jobs
  - None
- Build logs
  - == compiler warnings() ==
    CMake Warning:
    dh_installdocs: warning: Cannot auto-detect main package for highway-doc. If
    the default is wrong, please use --doc-main-package
  - == failures() ==
    -- Performing Test HWY_EMSCRIPTEN - Failed
    -- Performing Test HWY_RISCV - Failed
    Dereference of free object 2, next object number as offset failed (code = -18),
    returning NULL object.
    100% tests passed, 0 tests failed out of 1985
    Measurement failed: overhead 50 < 52
    MeasureClosure failed.
  - == warnings() ==
    dh_auto_configure -- -DCMAKE_SKIP_RPATH:BOOL=OFF -DBUILD_SHARED_LIBS:BOOL=ON
    -DHWY_WARNINGS_ARE_ERRORS:BOOL=ON -DHWY_SYSTEM_GTEST:BOOL=ON
    cd obj-x86_64-linux-gnu && DEB_PYTHON_INSTALL_LAYOUT=deb
    PKG_CONFIG=/usr/bin/pkg-config cmake -DCMAKE_INSTALL_PREFIX=/usr
    -DCMAKE_BUILD_TYPE=None -DCMAKE_INSTALL_SYSCONFDIR=/etc
    -DCMAKE_INSTALL_LOCALSTATEDIR=/var -DCMAKE_EXPORT_NO_PACKAGE_REGISTRY=ON
    -DCMAKE_FIND_USE_PACKAGE_REGISTRY=OFF
    -DCMAKE_FIND_PACKAGE_NO_PACKAGE_REGISTRY=ON
    -DFETCHCONTENT_FULLY_DISCONNECTED=ON -DCMAKE_INSTALL_RUNSTATEDIR=/run -GNinja
    -DCMAKE_VERBOSE_MAKEFILE=ON -DCMAKE_INSTALL_LIBDIR=lib/x86_64-linux-gnu
    -DCMAKE_SKIP_RPATH:BOOL=OFF -DBUILD_SHARED_LIBS:BOOL=ON
    -DHWY_WARNINGS_ARE_ERRORS:BOOL=ON -DHWY_SYSTEM_GTEST:BOOL=ON ..
    CMake Deprecation Warning at CMakeLists.txt:28 (cmake_policy):
    CMake Warning:
    dh_installdocs: warning: Cannot auto-detect main package for highway-doc. If
    the default is wrong, please use --doc-main-package
  - == dpkg_warnings() ==
    dpkg-shlibdeps: warning: diversions involved - output may be incorrect
    dpkg-shlibdeps: warning: diversions involved - output may be incorrect
    dpkg-shlibdeps: warning: package could avoid a useless dependency if
    debian/libhwy1t64/usr/lib/x86_64-linux-gnu/libhwy_contrib.so.1.2.0
    debian/libhwy1t64/usr/lib/x86_64-linux-gnu/libhwy.so.1.2.0
    debian/libhwy1t64/usr/lib/x86_64-linux-gnu/libhwy_test.so.1.2.0 were not linked
    against libgcc_s.so.1 (they use none of the library's symbols)
- Processes spawned
  - Looks good; the few instances are in tests.
- Memory management
  - There are a few instances in hwy/base.h, hwy/aligned_allocator_test.cc and
    hwy/contrib/thread_pool/thread_pool.h, but all of them look fine
- File IO
  - It is present in the docs/ folder; looks good
- Logging
  - Logging is being done carefully
- Environment variable usage
  - None
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - Nothing significant; most of the occurrences are in .md files as part of
    the documentation. Looks fine
- Use of temp files
  - None
- Use of networking
  - Looks fine
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- Any significant cppcheck results
  - All findings are in test files; looks fine
- Any significant Coverity results
  - The Coverity scan result is 247MB in size, but the majority of the findings
    are false positives and come from the tests/ folder
  - The few integer under/overflow issues in hwy/aligned_allocator.h,
    hwy/contrib/algo/find-inl.h and hwy/nanobenchmark.cc are also false
    positives, since proper checks on the size have been implemented in
    aligned_allocator.h before allocating the memory pointers
- Any significant shellcheck results
  - Looks fine; the findings are in the tests and docs folders
- Any significant bandit results
  - A few low findings in docs/mm-converter.py, which are false positives
- Any significant govulncheck results
  - N/A, no Go files
- Any significant Semgrep results
  - None
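As an added illustration (not highway's own code) of the kind of size check that makes the Coverity integer-overflow findings on the aligned allocator false positives, the following C++ sketch guards an aligned-allocation size computation against wrap-around; kAlignment, kHeaderBytes and the function names are assumptions chosen for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <limits>

// Illustrative constants, not highway's own: vector-friendly alignment and the
// bytes reserved in front of the block to store the offset back to the raw pointer.
constexpr size_t kAlignment = 64;
constexpr size_t kHeaderBytes = sizeof(size_t);
// Total bytes for `items` objects of `item_size` bytes plus header and alignment
// padding. Returns false instead of wrapping when the result does not fit in
// size_t; a check like this is what makes a static analyser's "integer overflow
// before allocation" finding a false positive.
bool ComputeTotalBytes(size_t items, size_t item_size, size_t* out_total) {
  if (item_size == 0) return false;
  if (items > std::numeric_limits<size_t>::max() / item_size) return false;  // mul
  const size_t payload = items * item_size;
  const size_t overhead = kAlignment + kHeaderBytes;
  if (payload > std::numeric_limits<size_t>::max() - overhead) return false;  // add
  *out_total = payload + overhead;
  return true;
}

// Unchecked variant for comparison: a huge `items` silently wraps to a tiny
// allocation, and later writes into the supposed payload go out of bounds.
size_t NaiveTotalBytes(size_t items, size_t item_size) {
  return items * item_size + kAlignment + kHeaderBytes;
}

// Allocates `items` objects of `item_size` bytes at a kAlignment boundary, or
// returns nullptr when the size computation would overflow or malloc fails.
void* AllocateAlignedBytes(size_t items, size_t item_size) {
  size_t total = 0;
  if (!ComputeTotalBytes(items, item_size, &total)) return nullptr;
  unsigned char* raw = static_cast<unsigned char*>(std::malloc(total));
  if (raw == nullptr) return nullptr;
  // Skip the header, round up to the next boundary, and record the distance
  // back to `raw` just before the returned pointer so FreeAligned can undo it.
  std::uintptr_t addr = reinterpret_cast<std::uintptr_t>(raw) + kHeaderBytes;
  addr = (addr + kAlignment - 1) & ~static_cast<std::uintptr_t>(kAlignment - 1);
  unsigned char* aligned = reinterpret_cast<unsigned char*>(addr);
  reinterpret_cast<size_t*>(aligned)[-1] = static_cast<size_t>(aligned - raw);
  return aligned;
}
void FreeAligned(void* aligned) {
  if (aligned == nullptr) return;
  unsigned char* p = static_cast<unsigned char*>(aligned);
  std::free(p - reinterpret_cast<size_t*>(p)[-1]);
}
```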
One possible issue I see is that the binaries are not PIE-enabled, but since these
are libraries it should be fine:
- libhwy_contrib.so.1.2.0
- libhwy_test.so.1.2.0
- libhwy.so.1.2.0
Security team ACK for promoting highway to main. There were no visible issues
found.
** Changed in: highway (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2070807
Title:
[MIR] highway
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/highway/+bug/2070807/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs