Using CVE-2020-12825 at first here but it's possible there's others. Standalone libcroco has been abandoned and there is a semi-fork used within gnome-shell.
Package list is empty or all packages have requested keywords.