Many thanks to Noam Nedelec-Salmon for preparing the loupe MIR:
I reviewed loupe 48.1-3ubuntu1 as checked into questing. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
> Loupe is an image viewer for the GNOME desktop environment. It uses
> glycin-loaders for image loading and decoding. Among other things, it
> supports several image formats, uses GPU-accelerated rendering, and
> allows for simple editing such as crop, rotate and flip for some formats.
> This MIR is conducted because `loupe` has now been the new default image
> viewer for GNOME for a few versions and is to become the new default
> image viewer for future Ubuntu releases.
- CVE History
  - None for loupe itself
  - osv-scanner reports 45 packages affected by 74 known vulnerabilities
    (0 Critical, 7 High, 12 Medium, 4 Low, 51 Unknown) (vendored code)
- Build-Depends
  - debhelper-compat
  - meson (universe)
  - quilt (universe)
  - desktop-file-utils
  - itstool (universe)
  - libadwaita-1-dev
  - liblcms2-dev
  - libgtk-4-dev
  - libgweather-4-dev
  - libseccomp-dev
  - dh-cargo
  - libstd-rust-dev
  - cargo
  - rustc
- pre/post inst/rm scripts
  - none
- init scripts
  - none
- systemd units
  - none
- dbus services
  - ./usr/share/dbus-1/services/org.gnome.Loupe.service:
      [D-BUS Service]
      Name=org.gnome.Loupe
      Exec=/usr/bin/loupe --gapplication-service
- setuid binaries
  - none
- binaries in PATH
  - /usr/bin/loupe
    - uaudit reported a lack of stack protection flags
  - files in vendored code are reported by uaudit as binary (not in PATH)
    - empty files
    - images such as logos and test data
    - compressed archives
    - dlls that seem related to windows test suites
    - other binary blobs used in test suites
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - No unit tests, no autopkgtests
    - Justification given: it is a thin graphical layer around the glycin
      image loading library and the gtk4 graphical toolkit, which are both
      heavily tested
  - A manual testing procedure is defined at:
    https://wiki.ubuntu.com/DesktopTeam/TestPlans/Loupe
- cron jobs
  - none
- Build logs
  - No concerning error or warning
    - warning about .cargo/config being deprecated in favor of config.toml
    - warning about not being able to merge eu translations for msgid
    - warning from lintian: no-manual-page [usr/bin/loupe]
- Processes spawned
  - Nothing remarkable
- Memory management
  - A few uses of `unsafe` code blocks (to interact with locale settings)
- File IO
  - Nothing remarkable, relies on gio
- Logging
  - Nothing remarkable
- Environment variable usage
  - Nothing remarkable
- Use of privileged functions
  - none
- Use of cryptography / random number sources etc
  - none
- Use of temp files
  - none
- Use of networking
  - none
- Use of WebKit
  - none
- Use of PolicyKit
  - none
- Any significant cppcheck results
  - A few warnings in vendored code (lcms2-sys/vendor/src/cmsplugin.c)
    - line 102: warning: Uninitialized variable
    - line 330: note: Calling function with uninitialized argument
- Any significant Coverity results
  - none
- Any significant shellcheck results
  - No concerning results
    - A lot of missing double quotation in vendored code (zerocopy)
    - Some false positives in various places
- Any significant bandit results
  - none
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - No concerning results
    - A few false positives about missing SRIs in help pages
In summary, nothing concerning in `loupe` itself, but the large amount of
vendored code necessary to accept it in main means that a lot of issues
might be hard to spot and get overlooked.
Some stats about upstream:
- Gnome gitlab repo created on December 26, 2020
- 1413 commits, 7 releases
- 1 week since most recent commit
- 315 project members
- 6 open merge requests, 534 total
Security team ACK for promoting loupe to main.
** Changed in: loupe (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
** Changed in: loupe (Ubuntu)
Status: New => In Progress
https://bugs.launchpad.net/bugs/2115989
Title:
[MIR] loupe
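The "45 packages affected by 74 known vulnerabilities (… 51 Unknown)" line in the review is the kind of roll-up a reviewer produces from osv-scanner's JSON output over the vendored lockfile. The script below is an added example, not part of the bug report, of loupe, or of osv-scanner: it walks a report in the layout I assume osv-scanner's `--format json` uses (results -> packages -> vulnerabilities, with an optional `database_specific.severity` label per advisory), counts distinct affected packages and distinct advisory ids, and buckets them into the same Critical/High/Medium/Low/Unknown histogram the review quotes. The sample report, package names and `EXAMPLE-VULN-*` identifiers are constructed placeholders.

```python
"""Summarise osv-scanner JSON output into the package / severity counts a MIR review quotes.

Added example for this review; it is not code from loupe, glycin or osv-scanner.
The JSON layout (results -> packages -> vulnerabilities, optional
database_specific.severity string) is assumed from osv-scanner's --format json
output; adjust the accessors if your osv-scanner version differs.
"""
import json
from collections import Counter

# Buckets used in the review text; anything unrecognised lands in "Unknown",
# which is why vendored-code scans often show a large Unknown count.
SEVERITY_BUCKETS = ("Critical", "High", "Medium", "Low", "Unknown")


def normalise_severity(vuln: dict) -> str:
    """Map an advisory's database-specific severity label to a review bucket."""
    label = str((vuln.get("database_specific") or {}).get("severity", "")).upper()
    if label == "CRITICAL":
        return "Critical"
    if label == "HIGH":
        return "High"
    if label in ("MODERATE", "MEDIUM"):
        return "Medium"
    if label == "LOW":
        return "Low"
    return "Unknown"


def summarise(report: dict) -> dict:
    """Return affected-package count, distinct advisory count and a severity histogram."""
    affected = set()
    seen_ids = set()
    histogram = Counter({bucket: 0 for bucket in SEVERITY_BUCKETS})
    for result in report.get("results", []):
        source = result.get("source", {}).get("path", "?")
        for entry in result.get("packages", []):
            vulns = entry.get("vulnerabilities", [])
            if not vulns:
                continue  # clean package: not counted as affected
            pkg = entry.get("package", {})
            affected.add((source, pkg.get("ecosystem"), pkg.get("name"), pkg.get("version")))
            for vuln in vulns:
                vid = vuln.get("id")
                if vid in seen_ids:
                    continue  # same advisory reachable through two packages: count it once
                seen_ids.add(vid)
                histogram[normalise_severity(vuln)] += 1
    return {
        "affected_packages": len(affected),
        "vulnerabilities": len(seen_ids),
        "by_severity": dict(histogram),
    }


def format_summary(summary: dict) -> str:
    """Render the summary as a one-line review note in the style used above."""
    buckets = ", ".join(f"{summary['by_severity'][b]} {b}" for b in SEVERITY_BUCKETS)
    return (f"osv-scanner reports {summary['affected_packages']} packages affected by "
            f"{summary['vulnerabilities']} known vulnerabilities ({buckets})")


# Constructed sample in the assumed osv-scanner layout; all identifiers are placeholders.
SAMPLE_REPORT = json.loads("""
{
  "results": [
    {
      "source": {"path": "vendor/Cargo.lock", "type": "lockfile"},
      "packages": [
        {
          "package": {"name": "example-crate-a", "version": "0.1.0", "ecosystem": "crates.io"},
          "vulnerabilities": [
            {"id": "EXAMPLE-VULN-0001", "database_specific": {"severity": "HIGH"}},
            {"id": "EXAMPLE-VULN-0002"}
          ]
        },
        {
          "package": {"name": "example-crate-b", "version": "2.3.4", "ecosystem": "crates.io"},
          "vulnerabilities": [
            {"id": "EXAMPLE-VULN-0003", "database_specific": {"severity": "MODERATE"}}
          ]
        },
        {
          "package": {"name": "example-crate-c", "version": "1.0.0", "ecosystem": "crates.io"},
          "vulnerabilities": []
        }
      ]
    }
  ]
}
""")

if __name__ == "__main__":
    print(format_summary(summarise(SAMPLE_REPORT)))
```

Run against a real scan with `osv-scanner --format json -L vendor/Cargo.lock > report.json` and pass the parsed file to `summarise`; the Unknown bucket is the one to triage by hand, since it only means the advisory carried no severity label, not that it is harmless.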