
Bug#967027: marked as done (cinnamon: uses libcroco which is unmaintained upstream)
Your message dated Sun, 20 Dec 2020 20:16:43 +0000
with message-id <E1kr58F-000BjU-Gx@fasolo.debian.org>
and subject line Bug#967027: fixed in cinnamon 4.8.3-3
has caused the Debian Bug report #967027,
regarding cinnamon: uses libcroco which is unmaintained upstream
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
967027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967027
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: cinnamon
Severity: important
Tags: upstream
Control: block 967026 by -1

cinnamon uses libcroco, an old GNOME library which is no longer used
by GNOME itself.

As noted on #967026, libcroco has multiple security issues if it is used
to parse untrusted CSS. If I am understanding cinnamon's use of it
correctly, it is only used to parse trusted CSS, so these security issues
are not directly relevant; however, if we continue to make libcroco
available as a standalone library, users will expect that it is safe to
use at a security boundary.

In Fedora, libcroco was removed from the distribution by bundling a copy
in the cinnamon source. I think we should seriously consider doing the
same in Debian.

Alternatively, someone outside GNOME could take over upstream and
downstream maintenance of libcroco, and start by fixing all the CVEs
(I wouldn't recommend this, GNOME stopped using it for good reasons).

Please see #967026 and https://gitlab.gnome.org/GNOME/libcroco/-/issues/8
for more details.

    smcv

--- End Message ---
--- Begin Message ---
Source: cinnamon
Source-Version: 4.8.3-3
Done: Norbert Preining <norbert@preining.info>

We believe that the bug you reported is fixed in the latest version of
cinnamon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 967027@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Preining <norbert@preining.info> (supplier of updated cinnamon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 21 Dec 2020 04:31:36 +0900
Source: cinnamon
Architecture: source
Version: 4.8.3-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Cinnamon Team <debian-cinnamon@lists.debian.org>
Changed-By: Norbert Preining <norbert@preining.info>
Closes: 967027
Changes:
 cinnamon (4.8.3-3) unstable; urgency=medium
 .
   [ Simon McVittie ]
   * d/control: Remove unused build-dependency on libcroco3-dev (Closes: #967027)
Checksums-Sha1:
 7473955ccf757fa4ff11a65d2fe4f735c71a32d0 2495 cinnamon_4.8.3-3.dsc
 28147df4c04cd55633d600ffc5b5053b06335a05 98436 cinnamon_4.8.3-3.debian.tar.xz
 c082e4b81de8e07c46b1488b5e06f46b0b562a9c 18827 cinnamon_4.8.3-3_source.buildinfo
Checksums-Sha256:
 487c4da012c1b5035ee696e1cbaed15348fc91e7294981f0f6bf7269415ade12 2495 cinnamon_4.8.3-3.dsc
 de3dc37afcf16d640336e89ef05d73e7eb2445989cc0b34af7a879c6a84aad6c 98436 cinnamon_4.8.3-3.debian.tar.xz
 4025b5bcaf72d820f96ae42f3fc4685a9bec727778d932d1577bd71c8baf45e3 18827 cinnamon_4.8.3-3_source.buildinfo
Files:
 bdf4e2a72a7550d7eef61c88568a63c5 2495 x11 optional cinnamon_4.8.3-3.dsc
 35c9dfda1d66563bb41bbc2265079d48 98436 x11 optional cinnamon_4.8.3-3.debian.tar.xz
 753da1016744fe55bb187e276777a7e9 18827 x11 optional cinnamon_4.8.3-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE68ws0vrA2voQX53I2A4JsIcUAGYFAl/frMgACgkQ2A4JsIcU
AGY/pQf7Bznp3Ku8AHeLnRxPSRTXtjmY2VFUCO7LrknVZlbi1bd6UY4DCrKIItpF
B39tFG7XU0scmY3NFzT4I25wzfHaEj4kXDuRnouI1SlgP6sFq7QApBktj5njebQH
gSvd6OpgwdcZo5VGtdMwjvF7r6bHjw1AqsryVqiuz30+qjGX+BWUd/2joKiSdG0L
dnyvlzyG8o1+gwk50uKeMGFiQsbtLq5Tv8nSGSaqeDQ87LrKVlr2benP2N2BMyb7
5er9sptK4sRajXYwDEQDkdMLvXn7KjYh+jvWH/w+1460Eol8UF/BaV0H4eB0tT70
OT+vjVJq4WrPu3fhl558oG0P3Chpaw==
=OrzH
-----END PGP SIGNATURE-----

--- End Message ---
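The report above argues that a library with known parser issues should not remain a dependency at all, and the changelog closes the bug by dropping the unused build-dependency on libcroco3-dev. The script below is an added example, not code from the bug report or from the cinnamon package: it checks a Debian source tree for a declared build-dependency on a given package (parsing the multi-line Build-Depends fields of debian/control) and, optionally, scans built binaries for a NEEDED entry matching a library name. The debian/control contents it writes are constructed for the demo; the package layout, the function names and the use of objdump from binutils are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the cinnamon package).
# Checks that a Debian source tree no longer declares a build-dependency on a
# package such as libcroco3-dev, and that built binaries do not link libcroco.

# Print every package listed in Build-Depends / Build-Depends-Indep /
# Build-Depends-Arch of a debian/control file, one per line. Handles
# continuation lines, version constraints "(>= 1.0)", architecture qualifiers
# "[linux-any]", build profiles "<!nocheck>" and alternatives "a | b".
build_depends_of() {
    control="$1"
    awk '
        /^[A-Za-z-]+:/ { infield = ($0 ~ /^Build-Depends(-Indep|-Arch)?:/) }
        infield { sub(/^Build-Depends(-Indep|-Arch)?:/, ""); print }
    ' "$control" \
    | tr ',|' '\n\n' \
    | sed -e 's/([^)]*)//g' -e 's/\[[^]]*\]//g' -e 's/<[^>]*>//g' \
          -e 's/[[:space:]]//g' \
    | grep -v '^$' \
    | sort -u
}

# Exit 0 if package $2 is a declared build-dependency in control file $1.
build_depends_on() {
    build_depends_of "$1" | grep -qxF "$2"
}

# List ELF files under directory $1 whose dynamic section NEEDs a library
# matching pattern $2 (e.g. libcroco). Skipped if objdump is not installed.
linked_against() {
    dir="$1"; pattern="$2"
    if ! command -v objdump >/dev/null 2>&1; then
        echo "objdump not found, skipping run-time link check" >&2
        return 0
    fi
    find "$dir" -type f | while read -r f; do
        if objdump -p "$f" 2>/dev/null | grep -E "^ *NEEDED +.*$pattern" >/dev/null; then
            echo "$f"
        fi
    done
}

# Write a constructed debian/control to $1. With variant "with-croco" it
# declares libcroco3-dev (the state before the fix); any other variant omits it.
write_sample_control() {
    out="$1"; variant="$2"
    {
        echo "Source: cinnamon"
        echo "Build-Depends: debhelper-compat (= 13),"
        if [ "$variant" = with-croco ]; then
            echo "               libcroco3-dev [linux-any],"
        fi
        echo "               libglib2.0-dev (>= 2.50) | libglib2.0-dev <!nocheck>,"
        echo "Build-Depends-Indep: python3-docutils"
        echo "Standards-Version: 4.5.1"
        echo ""
        echo "Package: cinnamon"
        echo "Depends: libcroco3 (>= 0.6)"
    } > "$out"
}

# Demo on the constructed control file: report whether the dependency is still
# declared. On a real checkout use debian/control and the built debian/ tree.
demo_dir=$(mktemp -d)
write_sample_control "$demo_dir/control" with-croco
if build_depends_on "$demo_dir/control" libcroco3-dev; then
    echo "libcroco3-dev is still a declared build-dependency"
else
    echo "libcroco3-dev is not a build-dependency"
fi
rm -rf "$demo_dir"
```

Run it from the top of a source tree as `build_depends_on debian/control libcroco3-dev` after building, then `linked_against debian/cinnamon libcroco` to confirm nothing in the staged package still pulls the library in at run time; the second check matters because a stale build-dependency is harmless, whereas a linked copy is what would carry the parser into the binary package.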
