Bug#993372: Bug#993378: RM: gtkpod -- RoQA; Upstream not active, orphaned & uses a vulnerable embedded library



On Wed, 1 Sep 2021 11:05:09 +0300
Adrian Bunk <bunk@debian.org> wrote:

> Control: tags 993378 moreinfo
> 
> On Tue, Aug 31, 2021 at 03:49:45PM +0100, Neil Williams wrote:
> > Package: ftp.debian.org
> > Severity: normal
> > 
> > gtkpod upstream has moved but has not had any activity for over 5
> > years.
> > 
> > When investigating the two CVEs against AtomicParsley, former
> > maintainer Matteo F. Vescovi reached out to me to suggest removal
> > of gtkpod.
> > 
> > The use case for this package seems to be declining / absent and 4
> > crash bugs are currently open.
> > 
> > Fixes for these bugs and CVEs seem unlikely to appear, it would
> > seem best to remove gtkpod from Debian at this point.  
> 
> As a user I am quite unhappy when a working package I am using is out
> of the blue getting an RM bug.
> 
> With software for older hardware it is normal that upstream becomes 
> inactive, and anything other than declining usage would be a surprise.
> 
> I am also dismayed at the CVEs. At first sight the "two CVEs" might
> be for the same bug, with the fix for the first CVE not fixing the
> bug. Does manually backporting the one-character change from
> CVE-2021-37232 fix everything, even without the larger CVE-2021-37231
> refactoring?

Hi Adrian.

Sorry, no. The commit linked to CVE-2021-37232 does not even fix the
problem described as being fixed by that commit in atomicparsley, at
least in my testing using the data file supplied by upstream. I
mentioned this in the bug report against atomicparsley, #993366:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993366#5

That atomicparsley data file cannot be used to test gtkpod, only
atomicparsley itself.

As mentioned already, gtkpod is now orphaned and the maintainer who
orphaned it suggested removing the package. (The CVEs are not the only
bugs against either atomicparsley or gtkpod).

The two CVEs are not the same bug - at least not according to the
commits made upstream for the two issues in atomicparsley.

Orphaned packages are at risk of sudden removal - until and unless
someone adopts the package.

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/
