Bug#1131939: malcontent CVE-2026-44931
Salvatore Bonaccorso
carnil at debian.org
Wed May 27 07:59:55 BST 2026
Hi Jeremy,
On Tue, May 26, 2026 at 11:36:25AM -0400, Jeremy Bícha wrote:
> On Tue, May 26, 2026 at 11:29 AM Salvatore Bonaccorso <carnil at debian.org> wrote:
> > Maybenot RC, but if there is not a reason to introduce a a known
> > issue, is there a reason you need o rebase on 0.14.0? Can we keep it
> > at the version it is now to not get the issue into forky and see if a
> > solution appears upstream?
>
> We patch gnome-control-center to keep using malcontent 0.13. This is
> fine for now, but eventually we will want the newer version. I haven't
> tested malcontent 0.14 but the NEWS suggests that it has new features
> that may make the parental controls more effective. (My somewhat harsh
> review is that malcontent 0.13 isn't very effective so I appreciate
> improvement.)
>
> https://salsa.debian.org/gnome-team/gnome-control-center/-/blob/debian/latest/debian/patches/debian/Revert-wellbeing-Synchronize-settings-with-malcontent.patch
>
> https://gitlab.freedesktop.org/pwithnall/malcontent/-/blob/main/NEWS
First of all, please take my apology, it looks my reply was completely
mangled by having it rewriten my answer. But it looks you still got my
point.
How about then keeping the situation as long it is either affordable
for you, or alternatively update to 0.14.0 but open a RC bug level for
the CVE, so it is clear that it is desirable to have it fixed for
forky.
Upstream has explained the difficulties in:
https://gitlab.freedesktop.org/pwithnall/malcontent/-/work_items/137
So maybe raising the flag as rc level in Debian could motivate someone
into helping upstream in developing a fix?
Regards,
Salvatore
More information about the Pkg-freedesktop-maintainers
mailing list