[MIR] opus (b-d of jackd2)
Bug #1196967 reported by
Matthias Klose
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| opus (Ubuntu) | Fix Released | High | Unassigned | |
| Saucy | Fix Released | High | Unassigned | |
Bug Description
Please consider this request for opus to be included in main, required by jackd2. This is an optional dependency to jackd2.
Opus in Debian unstable is currently an unstable version, and maintenance of the Debian package is quite regular. The Ubuntu package carries some useful changes that need to be pushed to Debian, which can be done over time to eventually allow this package to be synced.
Changed in opus (Ubuntu):
  assignee: nobody → Luke Yelavich (themuso)
  status: New → Incomplete
  description: updated
Changed in opus (Ubuntu):
  assignee: Luke Yelavich (themuso) → Ubuntu Security Team (ubuntu-security)
Changed in opus (Ubuntu Saucy):
  milestone: none → ubuntu-13.09
  importance: Undecided → High
Changed in opus (Ubuntu Saucy):
  assignee: Ubuntu Security Team (ubuntu-security) → Seth Arnold (seth-arnold)
I reviewed opus version 1.0.1-0ubuntu1 as checked into Saucy. This should
not be considered a full security audit, but a quick gauge of code
quality.
- opus is a low-latency audio codec, it provides a library that can be
used by applications needing RFC 6716 support
- No cryptography
- Does not itself perform networking, input may be from a network
- Build-Depends on doxygen
- Does not daemonize
- May run as a system user if linked into an appropriate application
- No initscripts
- No dbus
- No setuid
- No privileged portions of code
- No udev rules
- No sudo fragments
- No cron jobs
- Good test suite run at build, malloc check and valgrind integration
available
- Clean build logs
- Lintian warnings:

```
W: libopus0: possible-new-upstream-release-without-new-version
W: libopus-doc: possible-new-upstream-release-without-new-version
W: libopus-doc: embedded-javascript-library usr/share/doc/libopus-doc/html/jquery.js
W: opus source: outdated-autotools-helper-file config.guess 2012-01-01
W: opus source: outdated-autotools-helper-file config.sub 2012-01-01
W: opus source: out-of-date-standards-version 3.9.3.1 (current is 3.9.4)
```
- No subprocesses spawned
- Extensive explicit memory management, most of it looked safe; some
aspects of relying upon codec state for size of data copies aren't
wonderful, as finding the amount of data being copied may be quite
difficult to discover when performing maintenance
- Encouraging assert() macros throughout much of the codebase
- Demo programs do file IO only on command-line argument files
- Logging looked safe
- Environment variables used only during test suites, not investigated
- No privileged portions of code
- No cryptography
- No networking
- No temporary file handling
- No webkit
- No qtjsbackend
- No policykit
While the coding style of this library was at times grating, it looked
well-programmed with good defensive checks throughout, and the test suite
looked extensive.
As a codec, it does depend heavily upon expert knowledge to fix
codec-level bugs, so we would be reliant upon upstream for many potential
fixes.
Some notes I took while reading the code, in the hopes that someone finds
them useful:
- opus_demo.c casts return value from malloc(3), disabling warnings
- ./celt/opus_custom_demo.c integer overflows and unchecked malloc(3) returns:

```
in = (opus_int16*)malloc(frame_size*channels*sizeof(opus_int16));
out = (opus_int16*)malloc(frame_size*channels*sizeof(opus_int16));
```
- Casts in opus_fft_free() appear to defeat const-correctness, why?
Security team ACK for including in main.
Thanks
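The allocation pattern the review flags in opus_custom_demo.c, beside an overflow-checked form, as an added example that is not part of the bug report or of opus itself; the opus_int16 typedef and the 960-sample, 2-channel frame are assumptions for the demo:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef int16_t opus_int16;  /* assumption: mirrors the libopus 16-bit sample type */

/* The pattern noted in the review. frame_size*channels is int arithmetic and can
 * overflow before the size_t promotion; the cast also hides a missing <stdlib.h>
 * (an implicitly declared malloc would return int and the cast silences the warning);
 * and a NULL return is never checked. Kept here only for comparison. */
opus_int16 *alloc_frame_unchecked(int frame_size, int channels)
{
    return (opus_int16 *)malloc(frame_size * channels * sizeof(opus_int16));
}

/* Returns 1 and stores a*b in *out if the product fits in size_t, else 0. */
int size_mul_ok(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Computes the byte count of a frame buffer; rejects non-positive dimensions
 * and any product that would wrap. Returns 1 on success, 0 otherwise. */
int frame_bytes(int frame_size, int channels, size_t *out)
{
    size_t samples;
    if (frame_size <= 0 || channels <= 0)
        return 0;
    if (!size_mul_ok((size_t)frame_size, (size_t)channels, &samples))
        return 0;
    return size_mul_ok(samples, sizeof(opus_int16), out);
}

/* Hardened allocation: checked size, no cast (so a missing prototype would warn),
 * and the caller must handle NULL. */
opus_int16 *alloc_frame_checked(int frame_size, int channels)
{
    size_t n;
    if (!frame_bytes(frame_size, channels, &n))
        return NULL;
    return malloc(n);
}
```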