[Pkg-rust-maintainers] Bug#1038447: librsvg: FTBFS on big-endian architectures: multiple test regressions since September 2022

[Simon McVittie]

Control: severity -1 important

On Sun, 18 Jun 2023 at 14:52:18 +0100, Simon McVittie wrote:
> On Sun, 18 Jun 2023 at 14:47:00 +0100, Simon McVittie wrote:
> > I rebuilt librsvg in bookworm on the s390x porterbox zelenka, and can
> > confirm that 2.54.5+dfsg-1 now fails in bookworm too. So something must
> > have triggered a regression between September 2022 and now.
> 
> It would be helpful if someone with suitable hardware could put this
> through debbisect or similar to find out which build-dependency triggered
> this.

Since nobody seems to have had a chance to do this, and this FTBFS is now
blocking a fix for a security vulnerability (#1041810, CVE-2023-38633),
I'm going to disable the relevant tests, which lowers the severity of
this bug to important (verified to be sufficient to avoid the FTBFS on
the s390x porterbox, zelenka).

The result is that there are known mis-renderings for certain SVG
files on s390x, powerpc, ppc64 and other big-endian architectures,
some of which could be highly visible in desktop enviroments like GNOME
if icons happen to use of the relevant features. This is unfortunate,
but seems less of a disservice to our users than preventing a security
fix on the more widely-used little-endian architectures.

Help would still be appreciated from the porting teams for big-endian
architectures. This is probably not actually a librsvg bug, because the
same librsvg source code worked in September 2022 but failed in June 2023,
which would point to this being a regression in some other component (but
I don't know which one, and I don't have the hardware to run debbisect).

Thanks,
    smcv