Community Packages


FS#63649 - [gummi] issues due to packaging GTK3 fork instead of the original GTK2 project

Attached to Project: Community Packages
Opened by alexm (alexandervdm) - Wednesday, 04 September 2019, 08:53 GMT
Last edited by Alexander F. Rødseth (xyproto) - Wednesday, 04 September 2019, 20:58 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Alexander F. Rødseth (xyproto), Levente Polyak (anthraxx)
Architecture: All
Severity: High
Priority: Normal
Reported Version: (none)
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

Arch has chosen to package an unmaintained, unofficial (gtk3) fork [1] of Gummi instead of the official releases [2], which are currently still on gtk2.

The unofficial 0.7.4 version that is being offered by Arch suffers among other things from:
* CVE-2015-7758 [3]
* Clicking "Project" and then "Open Project" results in segfault [4]

The last time this was reported in March of 2016 [5], this change was reverted, but for some reason the unofficial fork got packaged again in February of 2018.

[1] https://github.com/aitjcize/Gummi
[2] https://github.com/alexandervdm/gummi
[3] https://nvd.nist.gov/vuln/detail/CVE-2015-7758
[4] https://github.com/alexandervdm/gummi/issues/112
[5] https://bugs.archlinux.org/task/48495

Closed by Alexander F. Rødseth (xyproto)
Wednesday, 04 September 2019, 20:58 GMT
Reason for closing: Fixed
Comment by Alexander F. Rødseth (xyproto) - Wednesday, 04 September 2019, 09:17 GMT
Thanks for reporting. I will have to double-check this by building the GTK2 version, but as far as I remember, the GTK2 version did not work properly under Wayland/Sway. Once the official webpage for Gummi is up again, I will try building the GTK2 version and check: http://gummi.midnightcoding.org/
Comment by Eli Schwartz (eschwartz) - Wednesday, 04 September 2019, 16:54 GMT
Packaging fundamentally broken forks of a project, because the Wayland/Sway users need to use XWayland, makes no sense. Upstream is actively maintained, why switch to a hostile fork that is *not* maintained?

There are hundreds of gtk2 applications in the official repos and zero plans to drop them. Any problems that Wayland users have will be seen in significant parts of the distribution already. There is zero rationale to go outside of upstream for this.

There is no "gtk3 version", to compare "the gtk2 version" to. There is only "the project", and "something that isn't the project, doesn't work like the project does, has security vulnerabilities the project does, and segfaults".

Tagged as a security issue, because that is what it is.
Comment by Levente Polyak (anthraxx) - Wednesday, 04 September 2019, 17:23 GMT
There is no point waiting for some web page; please switch it back to the maintained, non-vulnerable variant.
Comment by Alexander F. Rødseth (xyproto) - Wednesday, 04 September 2019, 18:46 GMT
Levente, the only reason for waiting for the official web page is to see where they host the official tar.gz files, possibly together with a signature. Other than that, I completely agree that waiting for the official web page to come up is not relevant.

Eli, sometimes it makes sense to use forks, but I agree with you here. If the original code is maintained, but this fork is not, it makes sense to switch back to the original code.

I'm planning to switch back to the original sources (and also test if it works with Sway/Wayland).
Comment by Levente Polyak (anthraxx) - Wednesday, 04 September 2019, 19:01 GMT
You can check later; right now we have a vulnerable version in the repository, and in the past it wasn't signed either, so there is nothing to lose, only to gain.
Whenever the page is up, you can check and improve later.
Comment by Alexander F. Rødseth (xyproto) - Wednesday, 04 September 2019, 19:02 GMT
Updated to the latest version of Gummi, version 0.6.6, with the tagline "We're still here" (by upstream), from January 27th, 2016, which uses GTK 2 instead of GTK 3.
Comment by Alexander F. Rødseth (xyproto) - Wednesday, 04 September 2019, 20:58 GMT
Also bumping epoch.
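Why the epoch bump matters, as an added illustration that is not part of this bug tracker thread: the Python below reimplements a simplified form of pacman's vercmp ordering (epoch first, then pkgver, then pkgrel, with alpha suffixes sorting below a bare version as pacman does) and shows that without an epoch the upstream 0.6.6 release would compare lower than the 0.7.4 fork, so installed systems would never receive the fix. The exact package versions `0.7.4-2` and `1:0.6.6-1` are constructed for the example, not taken from the page.

```python
import re

def _segments(s):
    # Split a version into numeric and alphabetic runs, like rpmvercmp does.
    return re.findall(r"\d+|[A-Za-z]+", s)

def _cmp_part(a, b):
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xn != yn:
            return 1 if xn else -1          # a numeric segment outranks an alpha one
        elif x != y:
            return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    extra = longer[len(min(sa, sb, key=len))]
    # Extra numeric segment is newer ("1.0.1" > "1.0"); extra alpha is a
    # pre-release and sorts lower ("1.0a" < "1.0"), matching pacman's rule.
    return sign if extra.isdigit() else -sign

def parse_version(full):
    # "[epoch:]pkgver[-pkgrel]" -> (epoch, pkgver, pkgrel); epoch defaults to 0.
    epoch, rest = (full.split(":", 1) if ":" in full else ("0", full))
    pkgver, pkgrel = (rest.rsplit("-", 1) if "-" in rest else (rest, ""))
    return int(epoch), pkgver, pkgrel

def vercmp(a, b):
    # Return -1, 0 or 1 like pacman's vercmp(8): epoch dominates everything else.
    ea, va, ra = parse_version(a)
    eb, vb, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _cmp_part(va, vb)
    return c if c else _cmp_part(ra, rb)

def upgrade_reaches_users(installed, candidate):
    # pacman -Syu only installs the candidate if it compares strictly newer.
    return vercmp(candidate, installed) > 0

if __name__ == "__main__":
    # Constructed versions: the fork at 0.7.4 vs. upstream 0.6.6 with and without an epoch.
    print(upgrade_reaches_users("0.7.4-2", "0.6.6-1"))    # False: looks like a downgrade
    print(upgrade_reaches_users("0.7.4-2", "1:0.6.6-1"))  # True: epoch forces the switch
```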