[Bug 1827442] Re: [MIR] libheif

Lukas Märdian 1827442 at bugs.launchpad.net
Wed Feb 1 08:39:49 UTC 2023 

See separate MIR bug reports for libheif dependencies:

- aom: bug #2004442
- dav1d: bug #2004446
- libde265: bug #2004449
- x265: bug #2004453

** Changed in: aom (Ubuntu)
       Status: Incomplete => Invalid

** Changed in: dav1d (Ubuntu)
       Status: Incomplete => Invalid

** Changed in: libde265 (Ubuntu)
       Status: Incomplete => Invalid

** Changed in: x265 (Ubuntu)
       Status: Incomplete => Invalid

** No longer affects: libgd2 (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libgd2 in Ubuntu.
https://bugs.launchpad.net/bugs/1827442

Title:
  [MIR] libheif

Status in aom package in Ubuntu:
  Invalid
Status in dav1d package in Ubuntu:
  Invalid
Status in libde265 package in Ubuntu:
  Invalid
Status in libheif package in Ubuntu:
  In Progress
Status in x265 package in Ubuntu:
  Invalid

Bug description:
  [Availablity]

  The package libheif is already in ubuntu/universe.
  The package libheif build for the architectures it is designed to work on.
  It currently builds and works for architectures:
  amd64 arm64 armhf i386 ppc64el riscv64 s390x
  Link to package:  https://launchpad.net/ubuntu/+source/libheif

  [Rationale]

  - The package libheif is required in Ubuntu main for decoding
    ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
  - The package libheif will not generally be useful for a large part of our user
    base, but is important/helpful still because no other package in main supports
    decoding of ISO/IEC 23008-12:2017 HEIF files.
  - The package libheif is a runtime dependency of package libgd2 that we already
    support.
  - It would be great and useful to community/processes to have the  package
    libheif in Ubuntu main, but there is no definitive deadline.

  [Security]

  - libheif had 4 security issues in the past:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109
      The github issue: https://github.com/strukturag/libheif/issues/207 is open,
      though developer comments that it was fixed in 1.7.0
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499
      Fixed in 1.5.0
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498
      Fixed in 1.5.0.
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471
      Fixed in 1.5.0.
    The vulnerable versions are libheif < 1.7.0, current version 1.14.2
    Currently vulnerable packages (CVE-2020-23109) are deployed in focal and
    bionic. Jammy and up has no known vulnerabilitites.
  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Packages does not open privileged ports (ports < 1024)
  - Packages does contain extensions to security-sensitive software:
    the package provides HEIF image plugin which processes untrusted input

  [Quality assurance – function/usage]

  - The package does not work well right after install. There is a bug filed in
    debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
    1.14.2 contains significant regression, HEIC can not be read using viewnoir.
  - Basic test cases pass:
      apt install imagemagick
      wget https://filesamples.com/samples/image/heif/sample1.heif
      convert -verbose sample1.heif test.gif
      wget https://filesamples.com/samples/image/heic/sample1.heic
      convert -verbose sample1.heic test1.gif
    Notice, that libgd2 HEIF support is disabled.
  - Compiling a sample that tries to save HEIF file produces following output
    "GD Warning: HEIF image support has been disabled"

  
  [Quality assurance - maintenance]

  - The package is maintained well in Debian/Ubuntu and has no bugs open
     - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
     - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
  - The package has important open bugs, listing them:
    - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125
      Confirm CVE-2020-23109 fix
    - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
      1.14.2 contains significant regression, HEIC can not be read using
      viewnoir package [confirmed in lunar].
      Downgrading to 1.13.0-1 solves the issue.
  - The package does not deal with exotic hardware we cannot support

  
  [Quality assurance – testing]

  - The package does not run a test at build time because no unit tests are
    present in the repository upstream:
    https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
    https://github.com/strukturag/libheif
  - The package does not run an autopkgtest because no autopackage tests are
    present.
    Note: upstream contains a CI script that can be adapted for autopkgtests:
    https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh

  This section is not complete, as the test plan/approach for developing
  autopkgtests needs to be discussed.
  TODO: - The package can not be tested at build or autopktest time because TBD
  TODO:   to make up for that here TBD is a test plan/automation and example
  TODO:   test TBD (logs/scripts)

  
  [Quality assurance - packaging]

  - debian/watch is present and works BUT also get-orig-head target is present
    in debian/rules that produces a different result.
    There is no specific documentation on which method to use.
  - debian/control defines a correct Maintainer field
  - This package does not yield massive lintian Warnings, Errors
    https://udd.debian.org/lintian/?packages=libheif
  - Please link to a recent build log of the package
    https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
  - Please attach the full output you have got from `lintian --pedantic` as an
    extra post to this bug.
  - Lintian overrides are not present
  - This package relies on obsolete or about to be demoted packages
    see https://udd.debian.org/lintian/?packages=libheif, consider using
    libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
  - This package has no python2 or GTK2 dependencies
  - The package will not be installed by default
  - Packaging and build is easy, link to d/rules:
    https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules

  [UI standards]

  - Application is not end-user facing (does not need translation)
  - End-user applications without desktop file, not needed because application
    does not provide GUI

  [Dependencies]

  - There are further dependencies that are not yet in main, MIR for them
    is at:
    - aom: LP: #2004442
    - dav1d: LP #2004446
    - libde265: LP #2004449
    - x265: LP #2004453

  [Standards compliance]

   - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]

  - Owning Team will be Foundations team
  - Team is already subscribed to the package
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based

  [Background information]

  The Package description explains the package well
  Upstream Name is libheif
  Link to upstream project https://github.com/strukturag/libheif/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/aom/+bug/1827442/+subscriptions

More information about the foundations-bugs mailing list