[Pkg-matrix-maintainers] Bug#1117736: nheko: Nheko freezes any running Ungoogled Chromium job that is running, then kills it on exit
Jonas Smedegaard
jonas at jones.dk
Fri Oct 10 15:30:17 BST 2025
Control: severity -1 important
Quoting Manny (2025-10-10 15:53:46)
> Package: nheko
> Version: 0.11.3-2
> Severity: critical
> Tags: upstream
> Justification: breaks unrelated software
> X-Debbugs-Cc: debbug.nheko at sideload.33mail.com
>
> If Ungoogled Chromium ver 112 is running when Nheko is launched, the
> UC job freezes. No user i/o is accepted.. it becomes like a kind of
> software brick. UC cannot even be closed, only killed from the CLI.
>
> If UC is left alone in the frozen state until Nheko exits, then Nheko
> brings UC down with it.
>
> This report is tagged as /critical/ because it disastrously impacts
> another unrelated application. It’s also a local security problem
> because different X or Wayland apps should not have the capability of
> interfering with each other like this. But I did not tag the report as
> “security” because it’s not the sort of vuln that remote attackers
> could easily exploit without chaining other exploits.
>
> FWIW, the testing was done on a system running Wayland, Sway, and X
> Wayland.
>
> Also note that Ungoogled Chromium is not in official Debian repos. But
> Chromium is, so this defect likely impacts Chromium. I have not tested
> that myself but if someone confirms it, then this bug should be tagged
> as affecting Chromium.
Thanks for reporting this issue.
From your description, it seems to me that Ungoogled Chromium might
just as well be the cause of the fatal situation you describe.
Also, Debian cannot meaningfully extend its stability to cover
non-Debian code that we cannot possibly examine let alone fix.
For these reasons, I am lowering the severity.
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones
[x] quote me freely [ ] ask before reusing [ ] keep private