On Sun, 19 Oct 2025 22:28:14 +0800 xiao sheng wen(肖盛文) <atzlinux@debian.org> wrote:

> Hi,
>
> On 2025/10/18 06:35, Aaron Rainbolt wrote:
> > On Fri, 17 Oct 2025 23:27:09 +0100
> > Simon McVittie <smcv@debian.org> wrote:
> >
> >> On Fri, 17 Oct 2025 at 14:27:32 -0500, Aaron Rainbolt wrote:
> >>> The Debian Policy manual states in section 2.2.1:
> >>>
> >>>> In addition, the packages in main
> >>>> ...
> >>>> * must not be so buggy that we refuse to support them...
> >>>
> >>> I would argue Stardict is this buggy.
> >>
> >> If that's the case, the first place to report it would be a RC bug
> >> against the stardict package (and if the stardict maintainer
> >> downgrades the severity of RC bugs in a way that is contrary to
> >> project consensus, the group that can overrule them is the release
> >> team or the technical committee).
> >
> > This has already happened. See
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110370, which was
> > filed with severity "critical" and tag "security", and which the
> > maintainer changed to severity "wishlist" and removed the "security"
> > tag from. The maintainer later upgraded the severity to "Important",
> > but still did not leave it release-critical, thus why the
> > vulnerability still exists in Trixie.
>
> About fixing this vulnerability in Trixie, please see:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113750
>
> The Debian Release Team will review it before the next stable point
> release.

I had overlooked that, thank you for pointing it out.

I guess the central "goal" of my email was to try to find a way to keep password or similar leaks. In your opinion, do you think this issue or a similar one has a high chance of occurring again in the future, or do you think that this probably won't be a problem in the long run for Forky and later? If it isn't going to resurface, then I don't think there's any good reason for my initial request for package removal to be considered.

Thanks for your time.

--
Aaron

> Regards,
>