Comment 4 for bug 1971767

Alex Murray (alexmurray) wrote :

I reviewed libfreeaptx 0.1.1-1ubuntu1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

libfreeaptx is an implementation of the audio processing technology (aptX) codec. It is a fork of the libopenaptx library (which is in universe) - the fork was done since the most recent version of libopenaptx (0.2.1) now has an incompatible license and so this is a fork of the 0.2.0 version with a real license.

- No CVE History
- No Build-Depends
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- 2 binaries in PATH from freeaptx-utils binary package
  - -rwxr-xr-x root/root 14648 2022-05-20 22:53 ./usr/bin/freeaptxdec
  - -rwxr-xr-x root/root 14648 2022-05-20 22:53 ./usr/bin/freeaptxenc
  - utils to read / write raw 24-bit signed stereo samples from / to aptX via stdin/stdout
- No sudo fragments
- No polkit files
- No udev rules
- No unit tests
- 3 simple autopkgtests
  - build test compiles a very simple C program using libfreeaptx to check headers / pkg-config files are installed correctly
  - 2 other tests use freeaptxenc to encode a raw sample to aptX and then decode it again in both regular and HD
- No cron jobs
- Build logs are quite clean

- No processes spawned
- No dynamic memory management other than allocating a structure on the heap to store context for the session
  - Otherwise uses buffers provided by the caller and appears to be quite good at checking buffer lengths etc. to not overflow them
- No file IO
- Logging is only done in CLI based enc/dec tools and is careful not to have potential format string vulnerabilities
- No environment variable usage
- No use of privileged functions
- No use of cryptography / random number sources etc
- No use of temp files
- No use of networking
- No use of WebKit
- No use of PolicyKit

- No significant cppcheck results
- No significant Coverity results
- No significant shellcheck results

libfreeaptx looks like pretty decent code - it is small and doesn't do anything fancy with memory management and appears quite defensive in how it checks buffer lengths etc. The biggest issue I have with this package is the lack of unit tests for the code - so it will make it hard to verify that any future changes don't inadvertently break it. Lack of these is annoying, but the upstream repo doesn't contain them and neither does libopenaptx, so this is not a blocker.

Security team ACK for promoting libfreeaptx to main.
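The two properties the review singles out (caller-provided buffers with length checks so they are never overflowed, and logging that never treats data as a format string) are shown below in a small added example. This is illustrative code written for this comment, not code from libfreeaptx or libopenaptx; it works on the raw 24-bit signed sample format the freeaptxenc/freeaptxdec tools read and write, and the little-endian 3-bytes-per-sample layout, the function names and the sample values are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for the demo: 3 bytes per signed 24-bit sample, little-endian. */
#define BYTES_PER_SAMPLE 3
#define S24_MAX  8388607
#define S24_MIN (-8388608)

/* Pack samples into a caller-provided buffer. Never writes past out_cap and
 * only emits whole samples. Returns the number of samples consumed; *written
 * receives the number of bytes produced, so the caller can loop over a stream. */
size_t pack_s24(const int32_t *in, size_t in_count,
                unsigned char *out, size_t out_cap, size_t *written)
{
    size_t consumed = 0, produced = 0;

    if (in == NULL || out == NULL || written == NULL) {
        if (written) *written = 0;
        return 0;
    }
    while (consumed < in_count && out_cap - produced >= BYTES_PER_SAMPLE) {
        int32_t s = in[consumed];
        if (s > S24_MAX) s = S24_MAX;   /* clamp instead of silently wrapping */
        if (s < S24_MIN) s = S24_MIN;
        uint32_t u = (uint32_t)s & 0xFFFFFFu;
        out[produced + 0] = (unsigned char)(u & 0xFF);
        out[produced + 1] = (unsigned char)((u >> 8) & 0xFF);
        out[produced + 2] = (unsigned char)((u >> 16) & 0xFF);
        produced += BYTES_PER_SAMPLE;
        consumed++;
    }
    *written = produced;
    return consumed;
}

/* Inverse: decode whole samples from in. Trailing bytes that do not form a
 * complete sample are not read; their count is returned via *leftover so the
 * caller can carry them over to the next chunk instead of reading past the end. */
size_t unpack_s24(const unsigned char *in, size_t in_len,
                  int32_t *out, size_t out_cap, size_t *leftover)
{
    size_t n = 0, pos = 0;

    if (in == NULL || out == NULL || leftover == NULL) {
        if (leftover) *leftover = 0;
        return 0;
    }
    while (n < out_cap && in_len - pos >= BYTES_PER_SAMPLE) {
        uint32_t u = (uint32_t)in[pos]
                   | ((uint32_t)in[pos + 1] << 8)
                   | ((uint32_t)in[pos + 2] << 16);
        /* Sign-extend from 24 bits without relying on implementation-defined shifts. */
        out[n++] = (u & 0x800000u) ? (int32_t)u - 0x1000000 : (int32_t)u;
        pos += BYTES_PER_SAMPLE;
    }
    *leftover = in_len - pos;
    return n;
}

/* Logging the way the review describes: the message is always an argument to a
 * fixed "%s" format, never the format itself, so "%n" or "%x" in a file name or
 * error text is printed literally. Returns the character count from fprintf. */
int safe_log(const char *tag, const char *msg)
{
    return fprintf(stderr, "%s: %s\n", tag, msg);
}

/* Exercise the checks on constructed input; returns 1 when every check holds. */
int demo_roundtrip(void)
{
    const int32_t in[4] = {1, -1, S24_MAX, -9000000}; /* constructed; last value is out of range */
    unsigned char packed[9];                           /* room for only 3 of the 4 samples */
    int32_t back[4];
    size_t written = 0, leftover = 0;

    /* The 4th sample must be refused rather than written past the 9-byte buffer. */
    if (pack_s24(in, 4, packed, sizeof packed, &written) != 3 || written != 9) return 0;
    if (unpack_s24(packed, written, back, 4, &leftover) != 3 || leftover != 0) return 0;
    if (back[0] != 1 || back[1] != -1 || back[2] != S24_MAX) return 0;
    /* A truncated chunk of 8 bytes yields two whole samples and 2 leftover bytes. */
    if (unpack_s24(packed, 8, back, 4, &leftover) != 2 || leftover != 2) return 0;
    /* The out-of-range sample on its own is clamped to the 24-bit minimum. */
    if (pack_s24(in + 3, 1, packed, sizeof packed, &written) != 1 || written != 3) return 0;
    if (unpack_s24(packed, 3, back, 1, &leftover) != 1 || back[0] != S24_MIN) return 0;
    return 1;
}

int main(void)
{
    safe_log("demo", "input file %s%n");   /* printed literally, not interpreted */
    return demo_roundtrip() ? 0 : 1;
}
```

The consumed/written pair is what makes the caller loop safe: when the output buffer fills, the function stops at a sample boundary and reports exactly how far it got, so the caller resumes from there instead of the library guessing at the buffer size.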