Source: gettext
Severity: important
Tags: upstream
Control: block 967026 by -1
gettext uses libcroco, an old GNOME library which is no longer used by GNOME itself, as part of term-styled-ostream, an ANSI terminal text highlighting library that for some reason uses CSS in its full generality as a (much more general than necessary!) style language.

As noted on #967026, libcroco has multiple security issues if it is used to parse untrusted CSS. If I am understanding gettext's use of it correctly, it is only used to parse trusted CSS, so these security issues are not directly relevant; however, if we continue to make libcroco available as a standalone library, users will expect that it is safe to use at a security boundary.

In Fedora, libcroco was removed from the distribution by making gettext use the vendored copy of libcroco that is already in gettext's upstream source code. I think we should seriously consider doing the same in Debian.

I think it would also make a lot of sense to delete all the parts of the vendored libcroco that are outside its scope (anything involving block layout for a start). Alternatively, someone outside GNOME could take over upstream and downstream maintenance of libcroco, and start by fixing all the CVEs (but I wouldn't recommend this; GNOME stopped using it for good reasons).

Please see #967026 and https://gitlab.gnome.org/GNOME/libcroco/-/issues/8 for more details.

smcv

