| Field | Value |
|---|---|
| Summary: | dev-libs/libcroco: multiple vulnerabilities (CVE-2017-{8834,8871}) |
| Product: | Gentoo Security |
| Reporter: | Ian Zimmerman <nobrowser> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS |
| Severity: | normal |
| CC: | ajak, gnome |
| Priority: | Normal |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://openwall.com/lists/oss-security/2017/06/08/2 |
| See Also: | https://bugzilla.gnome.org/show_bug.cgi?id=782647, https://bugzilla.gnome.org/show_bug.cgi?id=782649 |
| Whiteboard: | A3 [glsa? cleanup] |
| Package list: | |
| Runtime testing required: | --- |
Description
Ian Zimmerman
2017-06-08 22:24:04 UTC
Thanks for the report.

Maintainer(s): Ping.

ping

Looked again, this isn't fixed upstream and it's just a proposed patch. The upstream bugs have been WONTFIX'ed. A comment on each of them:

> libcroco is not under development anymore. Its codebase has been archived. Closing this report as WONTFIX as part of Bugzilla Housekeeping to reflect reality. Please feel free to reopen this ticket (or rather transfer the project to GNOME Gitlab, as GNOME Bugzilla is being shut down) if anyone takes the responsibility for active development again.

Nothing is going to happen here really. libcroco is dead and vulnerabilities will remain unless someone takes over maintenance (I don't know why anyone would). This means that librsvg-2.40 - the last non-rust version - will remain security vulnerable (it probably is directly too, but indirectly via libcroco at least too), and architectures without rust will not be able to solve that. However various architectures are rust-capable, but not supported in Gentoo. And then there's also older gnome-shell and cinnamon and apparently something called dev-libs/eekboard. Newer gnome-shell bundles libcroco code, hopefully using only a subset and in a more controlled environment.

Hi @leio, can you please explain for the non-gnome-woke here how the rust-based versions of rsvg avoid the vulnerability? They still depend on libcroco as far as I can see.

librsvg-2.48.8 does not depend on libcroco, but uses maintained rust crates that new rust Firefox stuff is using or going to be using for the same purpose (statically linked into librsvg-2.so).

(In reply to Sam James from comment #2)
> Patch:
> https://bug782647.bugzilla-attachments.gnome.org/attachment.cgi?id=374219

This patch was good enough for openSUSE, so I suggest applying with https://bugs.gentoo.org/722752#c1 and call it a day. I'll do it and see if tests pass.

I've updated the status to cleanup but I realize that we can't actually do that unless we want to pull gnome from wd40 arches (currently hppa/ia64/s390/alpha/mips, based on librsvg). My suggestion would be to drop the arm/ppc/sparc/x86 keywords on librsvg-2.40.21 at least (since all these have a stable newer non-libcroco version). Perhaps some of the wd40 arches can be dropped as well, but a lot of stuff depends on librsvg so I'm not sure how feasible that is.