Bug#967027: cinnamon: uses libcroco which is unmaintained upstream



Source: cinnamon
Severity: important
Tags: upstream
Control: block 967026 by -1

cinnamon uses libcroco, an old GNOME library which is no longer used
by GNOME itself.

As noted on #967026, libcroco has multiple security issues if it is used
to parse untrusted CSS. If I am understanding cinnamon's use of it
correctly, it is only used to parse trusted CSS, so these security issues
are not directly relevant; however, if we continue to make libcroco
available as a standalone library, users will expect that it is safe to
use at a security boundary.

In Fedora, libcroco was removed from the distribution by bundling a copy
in the cinnamon source. I think we should seriously consider doing the
same in Debian.

Alternatively, someone outside GNOME could take over upstream and
downstream maintenance of libcroco, and start by fixing all the CVEs
(I wouldn't recommend this; GNOME stopped using it for good reasons).

Please see #967026 and https://gitlab.gnome.org/GNOME/libcroco/-/issues/8
for more details.

    smcv