[Pkg-mailman-hackers] Bug#987654: python3-django-hyperkitty: Loads Google Fonts (fonts.gstatic.com), causing privacy breach
Kunal Mehta
legoktm at debian.org
Tue Apr 27 06:20:53 BST 2021
Package: python3-django-hyperkitty
Version: 1.3.4-2
Severity: important
Hyperkitty's CSS attempts to load fonts from Google Fonts, causing a privacy breach:
@font-face {
font-family: 'Droid Sans';
font-style: normal;
font-weight: 400;
src: local('Droid Sans'), local('DroidSans'),
url(https://fonts.gstatic.com/s/droidsans/v6/s-BiyweUPV0v-yRb-cjciC3USBnSvpkopQaUR-2r7iU.ttf) format('truetype'),
url(/mailman3/static/hyperkitty/libs/fonts/droid/DroidSans.ttf?9a88e405c18d) format('truetype');
}
These fonts are already bundled in the package, so trying to load them from Google
causes a privacy breach for no good reason.
This has already been fixed upstream: <https://gitlab.com/mailman/hyperkitty/-/commit/b35d20f45aafbd152e059abe3d4052485ffae305>,
I hope we can include this fix for bullseye.
Let me know if I can help with fixing (NMU, etc.), I've already prepared a fixed package
for our Mailman3 install at Wikimedia.
-- Kunal
-- System Information:
Debian Release: 10.9
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.98-1.fc25.qubes.x86_64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages python3-django-hyperkitty depends on:
pn fonts-glewlwyd <none>
pn libjs-bootstrap <none>
ii python3 3.7.3-1
ii python3-dateutil 2.7.3-3
pn python3-django <none>
pn python3-django-compressor <none>
pn python3-django-extensions <none>
pn python3-django-gravatar2 <none>
pn python3-django-haystack <none>
pn python3-django-mailman3 <none>
pn python3-django-q <none>
pn python3-djangorestframework <none>
ii python3-lockfile 1:0.12.2-2
pn python3-mailmanclient <none>
pn python3-networkx <none>
pn python3-robot-detection <none>
ii python3-tz 2019.1-1
Versions of packages python3-django-hyperkitty recommends:
pn mailman3-web <none>
python3-django-hyperkitty suggests no packages.
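The check below is an added example and is not part of the bug report, of HyperKitty or of the Debian package: a small Python scanner that finds the remote font fetches a stylesheet would trigger and rewrites @font-face src lists so only local() and same-origin entries remain, which is the shape of the upstream fix the report points at. The sample stylesheet is constructed here (the @font-face rule quoted above, a second rule that only uses bundled files, and an @import of the kind Google Fonts' own snippet uses; the @import handling goes beyond what the report mentions). The function names, the allowed_hosts parameter and the regexes are assumptions of this example; they parse the simple CSS shapes shown, not arbitrary CSS.

```python
import re
from urllib.parse import urlparse

# Constructed sample input (not taken from the package): the @font-face rule quoted
# in the bug report, a rule that only references bundled files, and an @import of
# the kind Google Fonts' own embed snippet uses.
SAMPLE_CSS = """
@import url(https://fonts.googleapis.com/css?family=Droid+Sans);
@font-face {
  font-family: 'Droid Sans';
  font-style: normal;
  font-weight: 400;
  src: local('Droid Sans'), local('DroidSans'),
       url(https://fonts.gstatic.com/s/droidsans/v6/s-BiyweUPV0v-yRb-cjciC3USBnSvpkopQaUR-2r7iU.ttf) format('truetype'),
       url(/mailman3/static/hyperkitty/libs/fonts/droid/DroidSans.ttf?9a88e405c18d) format('truetype');
}
@font-face {
  font-family: 'Droid Sans';
  font-weight: 700;
  src: local('Droid Sans Bold'),
       url("/mailman3/static/hyperkitty/libs/fonts/droid/DroidSans-Bold.ttf") format('truetype');
}
"""

# Hypothetical helper regexes for the simple CSS shapes above (no nested braces,
# no commas or parentheses inside URLs).
FONT_FACE_RE = re.compile(r"@font-face\s*\{(.*?)\}", re.DOTALL)
SRC_RE = re.compile(r"src\s*:\s*([^;]+);", re.DOTALL)
# One src entry: local(...) or url(...) with an optional trailing format(...).
ENTRY_RE = re.compile(r"local\([^)]*\)|url\([^)]*\)(?:\s*format\([^)]*\))?")
URL_RE = re.compile(r"""url\(\s*(['"]?)(.*?)\1\s*\)""")
# A whole @import statement; the URL is in group 2 (url() form) or group 4 (string form).
IMPORT_STMT_RE = re.compile(r"""@import\s+(?:url\(\s*(['"]?)(.*?)\1\s*\)|(['"])(.*?)\3)[^;]*;""")


def _import_url(m):
    return m.group(2) if m.group(2) is not None else m.group(4)


def is_third_party(url, allowed_hosts=()):
    """True if fetching url would contact a host outside allowed_hosts.

    Relative and root-relative URLs ("/mailman3/static/...") and data: URLs have
    no netloc and are served by the site itself; protocol-relative ("//host/...")
    and absolute URLs carry a netloc and are checked against the allowlist.
    """
    netloc = urlparse(url).netloc.lower()
    return bool(netloc) and netloc not in {h.lower() for h in allowed_hosts}


def third_party_font_urls(css, allowed_hosts=()):
    """Return every remote URL a browser may fetch because of this stylesheet's
    @import rules and @font-face src lists (imports first, then font sources)."""
    found = [_import_url(m) for m in IMPORT_STMT_RE.finditer(css)
             if is_third_party(_import_url(m), allowed_hosts)]
    for block in FONT_FACE_RE.findall(css):
        for src in SRC_RE.findall(block):
            for _quote, url in URL_RE.findall(src):
                if is_third_party(url, allowed_hosts):
                    found.append(url)
    return found


def strip_third_party_font_urls(css, allowed_hosts=()):
    """Return css with remote @import statements dropped and remote url() entries
    removed from every @font-face src list, keeping local() and same-origin ones.
    A src list that would become empty is left untouched so the problem stays
    visible to third_party_font_urls() instead of silently breaking the rule."""
    css = IMPORT_STMT_RE.sub(
        lambda m: "" if is_third_party(_import_url(m), allowed_hosts) else m.group(0), css)

    def rewrite_src(sm):
        kept = []
        for entry in ENTRY_RE.findall(sm.group(1)):
            um = URL_RE.search(entry)
            if um and is_third_party(um.group(2), allowed_hosts):
                continue  # drop the remote fetch, e.g. fonts.gstatic.com
            kept.append(entry)
        if not kept:
            return sm.group(0)
        return "src: " + ",\n       ".join(kept) + ";"

    def rewrite_block(bm):
        return "@font-face {" + SRC_RE.sub(rewrite_src, bm.group(1)) + "}"

    return FONT_FACE_RE.sub(rewrite_block, css)


if __name__ == "__main__":
    for url in third_party_font_urls(SAMPLE_CSS):
        print("remote font resource:", url)
    print(strip_third_party_font_urls(SAMPLE_CSS))
```

Run it against the package's compiled CSS (or the templates' static files) before and after applying the upstream commit; an empty result from third_party_font_urls() is the condition to check. The allowed_hosts parameter is there for sites that deliberately serve static assets from their own CDN host; a browser still contacts that host, so the list should only ever name hosts the site operator controls.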