Source: cinnamon
Severity: important
Tags: upstream
Control: block 967026 by -1
cinnamon uses libcroco, an old GNOME library which is no longer used by GNOME itself. As noted on #967026, libcroco has multiple security issues if it is used to parse untrusted CSS.

If I am understanding cinnamon's use of it correctly, it is only used to parse trusted CSS, so these security issues are not directly relevant; however, if we continue to make libcroco available as a standalone library, users will expect that it is safe to use at a security boundary.

In Fedora, libcroco was removed from the distribution by bundling a copy in the cinnamon source. I think we should seriously consider doing the same in Debian.

Alternatively, someone outside GNOME could take over upstream and downstream maintenance of libcroco, and start by fixing all the CVEs (I wouldn't recommend this, GNOME stopped using it for good reasons).

Please see #967026 and https://gitlab.gnome.org/GNOME/libcroco/-/issues/8 for more details.

smcv

