[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#967027: marked as done (cinnamon: uses libcroco which is unmaintained upstream)

Your message dated Sun, 20 Dec 2020 20:16:43 +0000
with message-id <E1kr58F-000BjU-Gx@fasolo.debian.org>
and subject line Bug#967027: fixed in cinnamon 4.8.3-3
has caused the Debian Bug report #967027,
regarding cinnamon: uses libcroco which is unmaintained upstream
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

967027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967027
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: cinnamon
Severity: important
Tags: upstream
Control: block 967026 by -1

cinnamon uses libcroco, an old GNOME library which is no longer used
by GNOME itself.

As noted on #967026, libcroco has multiple security issues if it is used
to parse untrusted CSS. If I am understanding cinnamon's use of it
correctly, it is only used to parse trusted CSS, so these security issues
are not directly relevant; however, if we continue to make libcroco
available as a standalone library, users will expect that it is safe to
use at a security boundary.

In Fedora, libcroco was removed from the distribution by bundling a copy
in the cinnamon source. I think we should seriously consider doing the
same in Debian.

Alternatively, someone outside GNOME could take over upstream and
downstream maintenance of libcroco, and start by fixing all the CVEs
(I wouldn't recommend this, GNOME stopped using it for good reasons).

Please see #967026 and https://gitlab.gnome.org/GNOME/libcroco/-/issues/8
for more details.


--- End Message ---
--- Begin Message ---
Source: cinnamon
Source-Version: 4.8.3-3
Done: Norbert Preining <norbert@preining.info>

We believe that the bug you reported is fixed in the latest version of
cinnamon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 967027@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Norbert Preining <norbert@preining.info> (supplier of updated cinnamon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Hash: SHA512

Format: 1.8
Date: Mon, 21 Dec 2020 04:31:36 +0900
Source: cinnamon
Architecture: source
Version: 4.8.3-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Cinnamon Team <debian-cinnamon@lists.debian.org>
Changed-By: Norbert Preining <norbert@preining.info>
Closes: 967027
 cinnamon (4.8.3-3) unstable; urgency=medium
   [ Simon McVittie ]
   * d/control: Remove unused build-dependency on libcroco3-dev (Closes: #967027)
 7473955ccf757fa4ff11a65d2fe4f735c71a32d0 2495 cinnamon_4.8.3-3.dsc
 28147df4c04cd55633d600ffc5b5053b06335a05 98436 cinnamon_4.8.3-3.debian.tar.xz
 c082e4b81de8e07c46b1488b5e06f46b0b562a9c 18827 cinnamon_4.8.3-3_source.buildinfo
 487c4da012c1b5035ee696e1cbaed15348fc91e7294981f0f6bf7269415ade12 2495 cinnamon_4.8.3-3.dsc
 de3dc37afcf16d640336e89ef05d73e7eb2445989cc0b34af7a879c6a84aad6c 98436 cinnamon_4.8.3-3.debian.tar.xz
 4025b5bcaf72d820f96ae42f3fc4685a9bec727778d932d1577bd71c8baf45e3 18827 cinnamon_4.8.3-3_source.buildinfo
 bdf4e2a72a7550d7eef61c88568a63c5 2495 x11 optional cinnamon_4.8.3-3.dsc
 35c9dfda1d66563bb41bbc2265079d48 98436 x11 optional cinnamon_4.8.3-3.debian.tar.xz
 753da1016744fe55bb187e276777a7e9 18827 x11 optional cinnamon_4.8.3-3_source.buildinfo



--- End Message ---

Reply to: