Bug#967026: libcroco: security-sensitive but unmaintained upstream

Simon McVittie smcv at debian.org
Mon Aug 3 13:54:21 BST 2020


Source: libcroco
Severity: important
Tags: upstream wontfix security
X-Debbugs-Cc: security at debian.org

Quoting from https://gitlab.gnome.org/GNOME/libcroco/-/issues/8:

> Given that this is not even the only security issue filed here, and
> there are likely many more lurking, I don't think it's a good use of
> anyone's time to keep alive a project that is only used anymore by a
> non-gnome desktop. You could ask cinnamon to take it over, or simply
> archive it.

and

> Yeah, this project is insecure and not maintained anymore. The reason
> I made some releases was that there were patches standing in bugzilla
> and it was needed at the time. Now that most of the projects are ported
> to something else I would say this project should just die.

The Debian GNOME team does not have the resources to maintain a
potentially security-sensitive library that is not maintained upstream
and is not actually needed by GNOME.

As noted on #960527, the remaining packages in unstable that Depend and
Build-Depend on libcroco are:

- cinnamon: Like GNOME Shell, I don't think this parses untrusted CSS,
  only CSS that comes from the shell itself or an extension (which can
  execute arbitrary code with the user's privileges *anyway*, so they're
  inherently trusted).

  In Fedora, the standalone libcroco was apparently removed by bundling
  (vendoring) a copy of libcroco with cinnamon, on the understanding
  that if it is used at a security boundary, then any security issues
  are cinnamon's responsibility.

  gnome-shell in unstable contains a cut-down fork of croco, in which
  the developers are deleting unused code and gradually redoing what's
  left in Rust, using Mozilla's underlying parser. Cinnamon developers
  could consider vendoring that instead (which would be consistent with
  Cinnamon's status as a fork of an older GNOME version).

- gettext: seems to be part of term-styled-ostream, an ANSI terminal text
  highlighting library, rather than parsing anything untrusted.
  A bundled (vendored) copy is already included upstream, although Debian
  doesn't use it.

I think we should remove the standalone library from Debian to avoid the
expectation that it is safe to use at a security boundary, and vendor a
copy into projects that only use it in non-security-sensitive contexts.
It would probably also make sense for it to be added to the security
team's list of packages that are not security-supported.

Alternatively, if someone outside the GNOME team (the cinnamon
maintainers?) is willing to take over as upstream and provide ongoing
security support, we could go that route, but I would not advise it
(upstream consider libcroco to be dead).

I'll file bugs against cinnamon and gettext when I have a bug number
to block them by.

Regards,
    smcv
