[Bug 1827442] Re: [MIR] libheif

Vladimir Petko 1827442 at bugs.launchpad.net
Wed Feb 1 08:56:08 UTC 2023


** Description changed:

  [Availablity]
  
  The package libheif is already in ubuntu/universe.
  The package libheif build for the architectures it is designed to work on.
  It currently builds and works for architectures:
  amd64 arm64 armhf i386 ppc64el riscv64 s390x
  Link to package:  https://launchpad.net/ubuntu/+source/libheif
  
  [Rationale]
  
  - The package libheif is required in Ubuntu main for decoding
-   ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
+   ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
  - The package libheif will not generally be useful for a large part of our user
-   base, but is important/helpful still because no other package in main supports
-   decoding of ISO/IEC 23008-12:2017 HEIF files.
+   base, but is important/helpful still because no other package in main supports
+   decoding of ISO/IEC 23008-12:2017 HEIF files.
  - The package libheif is a runtime dependency of package libgd2 that we already
-   support.
+   support.
  - It would be great and useful to community/processes to have the  package
-   libheif in Ubuntu main, but there is no definitive deadline.
+   libheif in Ubuntu main, but there is no definitive deadline.
  
  [Security]
  
  - libheif had 4 security issues in the past:
-   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109
-     The github issue: https://github.com/strukturag/libheif/issues/207 is open,
-     though developer comments that it was fixed in 1.7.0
-   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499
-     Fixed in 1.5.0
-   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498
-     Fixed in 1.5.0.
-   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471
-     Fixed in 1.5.0.
-   The vulnerable versions are libheif < 1.7.0, current version 1.14.2
-   Currently vulnerable packages (CVE-2020-23109) are deployed in focal and
-   bionic. Jammy and up has no known vulnerabilitites.
+   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109
+     The github issue: https://github.com/strukturag/libheif/issues/207 is open,
+     though developer comments that it was fixed in 1.7.0
+   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499
+     Fixed in 1.5.0
+   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498
+     Fixed in 1.5.0.
+   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471
+     Fixed in 1.5.0.
+   The vulnerable versions are libheif < 1.7.0, current version 1.14.2
+   Currently vulnerable packages (CVE-2020-23109) are deployed in focal and
+   bionic. Jammy and up has no known vulnerabilitites.
  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Packages does not open privileged ports (ports < 1024)
  - Packages does contain extensions to security-sensitive software:
-   the package provides HEIF image plugin which processes untrusted input
+   the package provides HEIF image plugin which processes untrusted input
  
  [Quality assurance – function/usage]
  
  - The package does not work well right after install. There is a bug filed in
-   debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
-   1.14.2 contains significant regression, HEIC can not be read using viewnoir.
+   debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
+   1.14.2 contains significant regression, HEIC can not be read using viewnoir.
  - Basic test cases pass:
-     apt install imagemagick
-     wget https://filesamples.com/samples/image/heif/sample1.heif
-     convert -verbose sample1.heif test.gif
-     wget https://filesamples.com/samples/image/heic/sample1.heic
-     convert -verbose sample1.heic test1.gif
-   Notice, that libgd2 HEIF support is disabled.
+     apt install imagemagick
+     wget https://filesamples.com/samples/image/heif/sample1.heif
+     convert -verbose sample1.heif test.gif
+     wget https://filesamples.com/samples/image/heic/sample1.heic
+     convert -verbose sample1.heic test1.gif
+   Notice, that libgd2 HEIF support is disabled.
  - Compiling a sample that tries to save HEIF file produces following output
-   "GD Warning: HEIF image support has been disabled"
- 
+   "GD Warning: HEIF image support has been disabled"
  
  [Quality assurance - maintenance]
  
  - The package is maintained well in Debian/Ubuntu and has no bugs open
-    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
-    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
+    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
+    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
  - The package has important open bugs, listing them:
-   - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125
-     Confirm CVE-2020-23109 fix
-   - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
-     1.14.2 contains significant regression, HEIC can not be read using
-     viewnoir package [confirmed in lunar].
-     Downgrading to 1.13.0-1 solves the issue.
+   - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125
+     Confirm CVE-2020-23109 fix
+   - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
+     1.14.2 contains significant regression, HEIC can not be read using
+     viewnoir package [confirmed in lunar].
+     Downgrading to 1.13.0-1 solves the issue.
  - The package does not deal with exotic hardware we cannot support
- 
  
  [Quality assurance – testing]
  
  - The package does not run a test at build time because no unit tests are
-   present in the repository upstream:
-   https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
-   https://github.com/strukturag/libheif
+   present in the repository upstream:
+   https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
+   https://github.com/strukturag/libheif
  - The package does not run an autopkgtest because no autopackage tests are
-   present.
-   Note: upstream contains a CI script that can be adapted for autopkgtests:
-   https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
+   present.
+   Note: upstream contains a CI script that can be adapted for autopkgtests:
+   https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
  
  This section is not complete, as the test plan/approach for developing
  autopkgtests needs to be discussed.
  TODO: - The package can not be tested at build or autopktest time because TBD
  TODO:   to make up for that here TBD is a test plan/automation and example
  TODO:   test TBD (logs/scripts)
  
- 
  [Quality assurance - packaging]
  
  - debian/watch is present and works BUT also get-orig-head target is present
-   in debian/rules that produces a different result.
-   There is no specific documentation on which method to use.
+   in debian/rules that produces a different result.
+   There is no specific documentation on which method to use.
  - debian/control defines a correct Maintainer field
  - This package does not yield massive lintian Warnings, Errors
-   https://udd.debian.org/lintian/?packages=libheif
+   https://udd.debian.org/lintian/?packages=libheif
  - Please link to a recent build log of the package
-   https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
+   https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
  - Please attach the full output you have got from `lintian --pedantic` as an
-   extra post to this bug.
+   extra post to this bug.
  - Lintian overrides are not present
  - This package relies on obsolete or about to be demoted packages
-   see https://udd.debian.org/lintian/?packages=libheif, consider using
-   libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
+   see https://udd.debian.org/lintian/?packages=libheif, consider using
+   libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
  - This package has no python2 or GTK2 dependencies
  - The package will not be installed by default
  - Packaging and build is easy, link to d/rules:
-   https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
+   https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
  
  [UI standards]
  
  - Application is not end-user facing (does not need translation)
  - End-user applications without desktop file, not needed because application
-   does not provide GUI
+   does not provide GUI
  
  [Dependencies]
  
  - There are further dependencies that are not yet in main, MIR for them
    is at:
    - aom: LP: #2004442
-   - dav1d: LP #2004446
-   - libde265: LP #2004449
-   - x265: LP #2004453
+   - dav1d: LP: #2004446
+   - libde265: LP: #2004449
+   - x265: LP: #2004453
  
  [Standards compliance]
  
   - This package correctly follows FHS and Debian Policy
  
  [Maintenance/Owner]
  
  - Owning Team will be Foundations team
  - Team is already subscribed to the package
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based
  
  [Background information]
  
  The Package description explains the package well
  Upstream Name is libheif
  Link to upstream project https://github.com/strukturag/libheif/
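Review bot: the reindented [Security] block still closes with "Jammy and up has no known vulnerabilitites" while two lines on the same page undercut that, namely the upstream issue strukturag/libheif#207 for CVE-2020-23109 that is still open and Debian bug 1014125 "Confirm CVE-2020-23109 fix" listed under important open bugs; suggest rewording the bullet to say the 1.7.0 fix is claimed by upstream but not yet confirmed, or pointing at the commit that confirms it, so a reader of the MIR does not take the claim as settled. While those lines are being touched, "Availablity", "vulnerabilitites", "viewnoir" (presumably viewnior) and "autopktest" could be corrected, and the "Basic test cases" bullet could ship the two sample images with the package instead of fetching them with wget from filesamples.com, which is also what the autopkgtest the TODO asks for will need in order to run offline with a fixed input.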

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libheif in Ubuntu.
https://bugs.launchpad.net/bugs/1827442

Title:
  [MIR] libheif

Status in aom package in Ubuntu:
  Invalid
Status in dav1d package in Ubuntu:
  Invalid
Status in libde265 package in Ubuntu:
  Invalid
Status in libheif package in Ubuntu:
  In Progress
Status in x265 package in Ubuntu:
  Invalid

Bug description:
  [Availability]

  The package libheif is already in ubuntu/universe.
  The package libheif builds for the architectures it is designed to work on.
  It currently builds and works for architectures:
  amd64 arm64 armhf i386 ppc64el riscv64 s390x
  Link to package:  https://launchpad.net/ubuntu/+source/libheif

  [Rationale]

  - The package libheif is required in Ubuntu main for decoding
    ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
  - The package libheif will not generally be useful for a large part of our user
    base, but is important/helpful still because no other package in main supports
    decoding of ISO/IEC 23008-12:2017 HEIF files.
  - The package libheif is a runtime dependency of package libgd2 that we already
    support.
  - It would be great and useful to community/processes to have the package
    libheif in Ubuntu main, but there is no definitive deadline.

  [Security]

  - libheif had 4 security issues in the past:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109
      The github issue: https://github.com/strukturag/libheif/issues/207 is open,
      though developer comments that it was fixed in 1.7.0
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499
      Fixed in 1.5.0
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498
      Fixed in 1.5.0.
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471
      Fixed in 1.5.0.
    The vulnerable versions are libheif < 1.7.0, current version 1.14.2
    Currently vulnerable packages (CVE-2020-23109) are deployed in focal and
    bionic. Jammy and up have no known vulnerabilities.
  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Package does not open privileged ports (ports < 1024)
  - Package does contain extensions to security-sensitive software:
    the package provides HEIF image plugin which processes untrusted input

  [Quality assurance – function/usage]

  - The package does not work well right after install. There is a bug filed in
    debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
    1.14.2 contains a significant regression, HEIC cannot be read using viewnior.
  - Basic test cases pass:
      apt install imagemagick
      wget https://filesamples.com/samples/image/heif/sample1.heif
      convert -verbose sample1.heif test.gif
      wget https://filesamples.com/samples/image/heic/sample1.heic
      convert -verbose sample1.heic test1.gif
    Notice that libgd2 HEIF support is disabled.
  - Compiling a sample that tries to save a HEIF file produces the following output
    "GD Warning: HEIF image support has been disabled"

  [Quality assurance - maintenance]

  - The package is maintained well in Debian/Ubuntu and has no bugs open
     - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
     - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
  - The package has important open bugs, listing them:
    - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125
      Confirm CVE-2020-23109 fix
    - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
      1.14.2 contains a significant regression, HEIC cannot be read using the
      viewnior package [confirmed in lunar].
      Downgrading to 1.13.0-1 solves the issue.
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance – testing]

  - The package does not run a test at build time because no unit tests are
    present in the repository upstream:
    https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
    https://github.com/strukturag/libheif
  - The package does not run an autopkgtest because no autopackage tests are
    present.
    Note: upstream contains a CI script that can be adapted for autopkgtests:
    https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh

  This section is not complete, as the test plan/approach for developing
  autopkgtests needs to be discussed.
  TODO: - The package can not be tested at build or autopkgtest time because TBD
  TODO:   to make up for that here TBD is a test plan/automation and example
  TODO:   test TBD (logs/scripts)

  [Quality assurance - packaging]

  - debian/watch is present and works BUT also get-orig-head target is present
    in debian/rules that produces a different result.
    There is no specific documentation on which method to use.
  - debian/control defines a correct Maintainer field
  - This package does not yield massive lintian Warnings, Errors
    https://udd.debian.org/lintian/?packages=libheif
  - Please link to a recent build log of the package
    https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
  - Please attach the full output you have got from `lintian --pedantic` as an
    extra post to this bug.
  - Lintian overrides are not present
  - This package relies on obsolete or about to be demoted packages
    see https://udd.debian.org/lintian/?packages=libheif, consider using
    libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
  - This package has no python2 or GTK2 dependencies
  - The package will not be installed by default
  - Packaging and build are easy, link to d/rules:
    https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules

  [UI standards]

  - Application is not end-user facing (does not need translation)
  - End-user applications without desktop file, not needed because application
    does not provide GUI

  [Dependencies]

  - There are further dependencies that are not yet in main, MIR for them
    is at:
    - aom: LP: #2004442
    - dav1d: LP: #2004446
    - libde265: LP: #2004449
    - x265: LP: #2004453

  [Standards compliance]

  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]

  - Owning Team will be Foundations team
  - Team is already subscribed to the package
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based

  [Background information]

  The Package description explains the package well
  Upstream Name is libheif
  Link to upstream project https://github.com/strukturag/libheif/
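The [Quality assurance – testing] section above leaves the autopkgtest as a TODO and the manual check in [Quality assurance – function/usage] fetches its sample images with wget. The script below is an added example of how that manual check could become an autopkgtest; it is not part of libheif, of its Debian packaging, or of this bug. It assumes a hypothetical layout in which the script is installed as debian/tests/decode, the two sample files named in the MIR are shipped under debian/tests/data/, debian/tests/control declares `Restrictions: skippable`, and heif-convert is available from the libheif-examples package as a fallback converter. Before a file is handed to a decoder it checks that the file really is an ISO/IEC 23008-12 container (a `ftyp` box with a HEIF brand), and it fails the test if the converter prints the "GD Warning: HEIF image support has been disabled" message quoted in the MIR.

```shell
#!/bin/sh
# Added example (not part of libheif or its Debian packaging): a skeleton
# autopkgtest for the decode path the MIR exercises by hand. Assumed layout:
# this file is debian/tests/decode and the two sample images named in the MIR
# live under debian/tests/data/ instead of being fetched with wget, so the
# test runs offline and the input it feeds the decoder is fixed.
set -eu

SAMPLE_DIR="${SAMPLE_DIR:-$(dirname "$0")/data}"     # hypothetical path
WORK="${AUTOPKGTEST_TMP:-${TMPDIR:-/tmp}}"

# Reads converter output on stdin; succeeds only if the warning quoted in the
# MIR ("GD Warning: HEIF image support has been disabled") is absent.
heif_support_ok() {
    ! grep -q 'HEIF image support has been disabled'
}

# Cheap container check before anything reaches the decoder: an ISO/IEC
# 23008-12 file starts with a 'ftyp' box whose major brand is one of the
# HEIF brands. Rejects files that merely carry a .heic extension.
is_heif_file() {
    f="$1"
    [ -r "$f" ] || return 1
    ftyp=$(dd if="$f" bs=1 skip=4 count=4 2>/dev/null)
    brand=$(dd if="$f" bs=1 skip=8 count=4 2>/dev/null)
    [ "$ftyp" = "ftyp" ] || return 1
    case "$brand" in
        heic|heix|hevc|hevx|mif1|msf1|avif) return 0 ;;
        *) return 1 ;;
    esac
}

# Decode one sample with whichever converter is installed: ImageMagick's
# convert (what the MIR used) or heif-convert (assumed to come from
# libheif-examples). Exit 77 marks the test skipped when debian/tests/control
# declares "Restrictions: skippable".
decode_sample() {
    src="$1"; dst="$2"
    is_heif_file "$src" || { echo "not a HEIF container: $src" >&2; return 1; }
    if command -v convert >/dev/null 2>&1; then
        log=$(convert -verbose "$src" "$dst" 2>&1) || { printf '%s\n' "$log" >&2; return 1; }
    elif command -v heif-convert >/dev/null 2>&1; then
        log=$(heif-convert "$src" "$dst" 2>&1) || { printf '%s\n' "$log" >&2; return 1; }
    else
        echo "SKIP: neither convert nor heif-convert is installed" >&2
        return 77
    fi
    printf '%s\n' "$log" | heif_support_ok || { echo "HEIF support disabled for $src" >&2; return 1; }
    [ -s "$dst" ]    # a decoded image was actually written
}

main() {
    rc=0
    for s in sample1.heif sample1.heic; do
        decode_sample "$SAMPLE_DIR/$s" "$WORK/${s%.*}-$$.png" || rc=$?
    done
    return "$rc"
}

# Only decode the samples when invoked as the test script itself
# (debian/tests/control would run "debian/tests/decode run").
if [ "${1:-}" = run ]; then
    main
fi
```

The brand check is deliberately narrow: it only stops obviously mislabelled files from reaching the decoder, it does not validate the rest of the box structure, so the decoder under test still sees the full sample file exactly as a user's image viewer would.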

More information about the foundations-bugs mailing list