[MIR] libcue

Bug #1770871 reported by Jeremy Bícha
This bug affects 1 person
Affects: libcue (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Availability
============
Built for all supported architectures. In sync with Debian.

Rationale
=========
The Ubuntu Desktop team intends to include tracker by default in Ubuntu 18.10. tracker recommends tracker-miner-fs which depends on tracker-extract which has an optional dependency on libcue to handle metadata for CD music/audio tracks.

libcue was previously in Ubuntu main (until April 2015 I believe), so I'm hoping for fast-track processing. The previous MIR was LP: #641339.

Security
========
No known security issues

https://security-tracker.debian.org/tracker/source-package/libcue
https://launchpad.net/ubuntu/+source/libcue/+cve

Quality assurance
=================
- Please subscribe Ubuntu Desktop Packages.

https://bugs.launchpad.net/ubuntu/+source/libcue
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libcue
https://github.com/lipnitsk/libcue/issues

Tests are run during the build.
No autopkgtests.

Dependencies
============
No binary universe dependencies

Standards compliance
====================
4.1.4, dh compat 11, dh7 style simple rules

Maintenance
===========
Orphaned.

https://salsa.debian.org/debian/libcue

upstream:
https://github.com/lipnitsk/libcue

Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha)
description: updated
Matthias Klose (doko) wrote :

this looks ok, still pending:

 - bug subscriber
 - tracker-miners MIR

Changed in libcue (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for libcue (Ubuntu) because there has been no activity for 60 days.]

Changed in libcue (Ubuntu):
status: Incomplete → Expired
Jeremy Bícha (jbicha)
Changed in libcue (Ubuntu):
status: Expired → Incomplete
Changed in libcue (Ubuntu):
status: Incomplete → Expired
Jeremy Bícha (jbicha)
Changed in libcue (Ubuntu):
status: Expired → Incomplete
Iain Lane (laney) wrote :

I'll reset this back to New, because I would like to upload Nautilus depending on tracker soon. This is something we should do towards the start of a cycle.

Changed in libcue (Ubuntu):
status: Incomplete → New
importance: Undecided → Medium
Iain Lane (laney) wrote :

If the previous MIR can be used to promote this to main again, please just let us know.

Matthias Klose (doko) wrote :

this looks ok from the packaging side.
It's a little bit odd that the package is orphaned in Debian, and now pulled into main.

assigning to the security team for a review (parsing external data)

Changed in libcue (Ubuntu):
status: New → Confirmed
Jeremy Bícha (jbicha)
Changed in libcue (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Alex Murray (alexmurray) wrote :

I reviewed libcue (2.2.1-2) from disco. This is not a full security audit but
rather a quick gauge of maintainability.

libcue is a library to parse CUE sheets / files (metadata which describes how
tracks of a CD or DVD are laid out). They are stored as plain text and commonly
have the .cue extension. They are parsed via flex / bison.

- Build dependencies:
  - bison, cmake, debhelper-compat, flex

- No CVE history

- no pre or postinst scripts
- no systemd unit files
- no system dbus services
- no setuid files
- no binaries in PATH
- no sudo fragments
- no udev rules
- tests run during the build, seems reasonably extensive
- no cron jobs
- clean build log other than a warning regarding a possible buffer overflow in
  time_frame_to_mmssff() - see below

- doesn't spawn other processes
- memory management looked careful
- file IO - reads from FILE* via flex, doesn't directly open files
- minimal logging, looked fine
- no environment variables used
- no ioctl() or other privileged syscalls
- Does not use cryptography
- Does not use DBus
- Does not use webkit
- Does not use temporary files
- Does not use javascript
- No cppcheck errors
- Does not use polkit

- Potential for signed integer overflow in time_msf_to_frame() if time is negative
- Potential for buffer overflow in time_frame_to_mmssff() if time is negative
  - Both would be fixed if time was treated everywhere as an unsigned quantity
    rather than signed integral types (int/long)

- ACK from security team to promote to main.

Changed in libcue (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
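The two findings in the review above (signed overflow in time_msf_to_frame() and a buffer overflow in time_frame_to_mmssff() on negative time), shown as an added example that is not libcue's code: the MSF/frame conversions reject negative or out-of-range fields before doing arithmetic or formatting. Only the two function names come from the review; their bodies, the 75-frames-per-second CD-DA constant, the MMSSFF_LEN buffer size and the mmssff_matches() helper are assumptions for this illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Illustration only, not libcue's source. CD-DA timing: 75 frames per second;
 * a CUE INDEX field is mm:ss:ff with ss in 0..59 and ff in 0..74. */
#define FRAMES_PER_SECOND 75
#define MMSSFF_LEN 9 /* "mm:ss:ff" plus the terminating NUL */

/* Convert minutes/seconds/frames to an absolute frame number.
 * Returns -1 when any field is negative or out of range, or when the result
 * would not fit in an int. The arithmetic is done in long long so a large
 * (but valid) minute count cannot wrap silently before the range check. */
long long time_msf_to_frame(int m, int s, int f)
{
    if (m < 0 || s < 0 || s >= 60 || f < 0 || f >= FRAMES_PER_SECOND)
        return -1;
    long long frames = ((long long)m * 60 + s) * FRAMES_PER_SECOND + f;
    if (frames > INT_MAX)
        return -1;
    return frames;
}

/* Format an absolute frame number as "mm:ss:ff" into buf of size len.
 * Returns 0 on success, -1 on a negative frame, a NULL buffer, or a buffer
 * too small for the output. A negative frame is rejected up front: "%02d" of
 * a negative remainder emits extra characters ("-1", "-10") that no longer fit
 * a fixed eight-character field. */
int time_frame_to_mmssff(long long frame, char *buf, size_t len)
{
    if (frame < 0 || buf == NULL || len < MMSSFF_LEN)
        return -1;
    unsigned long long uf = (unsigned long long)frame;
    unsigned long long ff = uf % FRAMES_PER_SECOND;
    unsigned long long total_s = uf / FRAMES_PER_SECOND;
    unsigned long long ss = total_s % 60;
    unsigned long long mm = total_s / 60;
    int n = snprintf(buf, len, "%02llu:%02llu:%02llu", mm, ss, ff);
    /* snprintf never overruns, but a truncated result (e.g. mm >= 100) is still an error */
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Check helper: formats frame into a correctly sized local buffer and compares. */
int mmssff_matches(long long frame, const char *expected)
{
    char buf[MMSSFF_LEN];
    if (time_frame_to_mmssff(frame, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}
```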
Sebastien Bacher (seb128) wrote :

libcue 2.2.1-2 in disco: universe/libs -> main

Changed in libcue (Ubuntu):
status: Confirmed → Fix Released