Your message dated Sat, 19 Dec 2020 21:33:53 +0000
with message-id <[email protected]>
and subject line Bug#967028: fixed in gettext 0.21-1
has caused the Debian Bug report #967028,
regarding gettext: uses system libcroco which is unmaintained upstream
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
967028: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967028
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gettext
Severity: important
Tags: upstream
Control: block 967026 by -1
gettext uses libcroco, an old GNOME library which is no longer used
by GNOME itself, as part of term-styled-ostream, an ANSI terminal text
highlighting library that for some reason uses CSS in its full generality
as a (much more general than necessary!) style language.
As noted on #967026, libcroco has multiple security issues if it is used
to parse untrusted CSS. If I am understanding gettext's use of it
correctly, it is only used to parse trusted CSS, so these security issues
are not directly relevant; however, if we continue to make libcroco
available as a standalone library, users will expect that it is safe to
use at a security boundary.
In Fedora, libcroco was removed from the distribution by making gettext
use the vendored copy of libcroco that is already in gettext's upstream
source code. I think we should seriously consider doing the same in
Debian. I think it would also make a lot of sense to delete all the
parts of the vendored libcroco that are outside its scope (anything
involving block layout for a start).
Alternatively, someone outside GNOME could take over upstream and
downstream maintenance of libcroco, and start by fixing all the CVEs
(but I wouldn't recommend this, GNOME stopped using it for good reasons).
Please see #967026 and https://gitlab.gnome.org/GNOME/libcroco/-/issues/8
for more details.
smcv
--- End Message ---
--- Begin Message ---
Source: gettext
Source-Version: 0.21-1
Done: Santiago Vila <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gettext, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <[email protected]> (supplier of updated gettext package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 19 Dec 2020 21:56:00 +0100
Source: gettext
Architecture: source
Version: 0.21-1
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <[email protected]>
Changed-By: Santiago Vila <[email protected]>
Closes: 507091 547798 949338 967028
Changes:
 gettext (0.21-1) unstable; urgency=medium
 .
   * New upstream release.
     - xgettext can detect '(eval_)gettext -e' in shell scripts. Closes:
       #507091.
     - <gettext.h> compiles cleanly as C++. Closes: #547798.
     - The unpacked usr/share/gettext/intl is no longer installed.
       If you were using these files, find them in
       /usr/share/gettext/archive.dir.tar.xz, which is part of the
       autopoint package.
     - Drop Daiki Ueno key (now expired) from signing-key.asc.
     - Put the new upstream key instead:
       "Bruno Haible (Open Source Development) <[email protected]>"
       9001 B85A F9E1 B83D F1BD A942 F5BE 8B26 7C6A 406D
 .
   * Patches that are no longer necessary:
     - 01-do-not-use-java-in-urlget.patch: Replaced with logic in debian/rules.
     - 02-msgfmt-remove-pot-creation-date.patch: Merged upstream.
     - 03-avoid-extraneous-nul-bytes.patch: Merged upstream.
     - 04-fix-msgunfmt-heap-corruption.patch: Merged upstream.
     - 05-fix-crash-xgettext-with-its.patch: Merged upstream.
     - 06-java9-support.patch: Merged upstream.
     - 07-java11-support.patch: Merged upstream.
     - 08-java-future-support.patch: Merged upstream.
     - 09-fix-crash-with-po-file-input.patch: Merged upstream.
 .
   * New patches:
     - 01-use-system-help2man.patch: Use system help2man instead of
       embedded help2man. Closes: #949338.
     - 02-library-dependencies.patch: Link all libraries and
       executables against all of their dependencies, correctly.
       (Latent upstream bug, exposed by hardening.)
     - 03-disable-libtextstyle.patch: Do not build libtextstyle.
       It depends on libcroco, which is unmaintained and has known
       security bugs. Use the Gnulib libtextstyle-dummy module
       (already included in the upstream sources) instead.
       Note that this means --color options silently do nothing.
       Closes: #967028.
 .
   * Debhelper compat level 13 (current recommended).
     - Switch to dh sequencing.
     - Switch to Build-Depends: debhelper-compat.
     - Switch to declarative package contents, using dh_install etc.
       dh-exec is needed for build profile filtering in a few places.
       (The old scripting is preserved in debian/rules.old.)
     - Manual ldconfig triggers are no longer necessary.
     - The HTML documentation and examples are now installed in
       /usr/share/doc/gettext instead of .../gettext-doc.
 .
   * gettext-el is now created using dh_elpa, eliminating the need for
     custom package scripts.
 .
   * Standards-Version: 4.5.0.
     - All lintian E-level diagnostics have been addressed, and
       many but not all of the W- and I-level diagnostics.
     - I don’t *think* any specific changes were required besides the
       above, but I could have missed something.
 .
   * Add groff to Build-Depends.
 .
   * This release is mostly the work of Zack Weinberg <[email protected]>.
     I'm merely making (very small) editorial changes and the upload.
     Thanks a lot.
--- End Message ---