I reviewed dav1d 1.5.3-1 as checked into resolute. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
dav1d is a new AV1 cross-platform decoder, open-source, and focused on
speed, size and correctness.
- CVE History
  - CVE-2023-32570
  - CVE-2024-1580
  Both CVEs have been addressed.
- Build-Depends
  - meson
  - ninja-build
  - nasm
  No encryption libs or networking.
- pre/post inst/rm scripts
  - none
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - only /usr/bin/dav1d in the dav1d package.
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - the package contains a testsuite. If the tests fail, the package build fails too.
  - the package does not contain any autopkgtest.
- cron jobs
  - none
- Build logs
  - no warnings
- Processes spawned
  - none
- Memory management
  - as far as I see, memory management looks ok.
- File IO
  - file I/O seems limited to the /usr/bin/dav1d tool, which is to be expected.
  - I do not see anything weird here.
- Logging
  - logs are performed by the dav1d utility only on stderr.
- Environment variable usage
  - the dav1d binary only checks for POSIXLY_CORRECT to be set, disregarding its value.
- Use of privileged functions
  - none
- Use of cryptography / random number sources etc
  - none
- Use of temp files
  - none
- Use of networking
  - none
- Use of WebKit
  - none
- Use of PolicyKit
  - none
- Any significant cppcheck results
  - only false positives due to macros not recognized.
- Any significant Coverity results
  - Coverity reported a few findings. I was able to exclude the majority of them as they seem false positives.
- Any significant shellcheck results
  - none
- Any significant bandit results
  - none
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none
Memory management seems to be done properly. From the security point
of view I do not see any blockers. The package seems pretty well
maintained and upstream seems responsive. There are a few findings
from Coverity that need to be clarified with upstream but this can be
done in parallel. Overall I believe we can include the package in
main.
Security team ACK for promoting dav1d to main.
** CVE added: https://cve.org/CVERecord?id=CVE-2023-32570
** CVE added: https://cve.org/CVERecord?id=CVE-2024-1580
** Changed in: dav1d (Ubuntu)
Status: Confirmed => In Progress
** Changed in: dav1d (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2133757
Title:
[MIR] dav1d (transitive depends of libavif -> pillow)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dav1d/+bug/2133757/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs