FS#64416 - [gettext] depends on libcroco, but uses internal static copy instead

Attached to Project: Arch Linux
Opened by Eli Schwartz (eschwartz) - Thursday, 07 November 2019, 04:32 GMT
Last edited by Allan McRae (Allan) - Monday, 28 February 2022, 10:15 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Jan Alexander Steffens (heftig)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

The gettext package has a dependency on the libcroco package, but does not link to libcroco-0.6.so -- running makepkg reveals that when configuring libtextstyle it is ending up with the following options:

checking whether to use the included libcroco... yes
checking whether to use the included glib... yes
checking whether to use the included libxml... yes

The package should be fixed to link correctly to the system copy.

Note: at the same time, libcroco and libxml2 really need to be moved to [core], because core packages should only depend on core and depending on packages in another repository means an update to its dependencies doesn't have an enforced [testing] period and can therefore break the package.

Note2: libxml2 is correctly linked to by /usr/lib/libgettextsrc-0.20.1.so, if not by libtextstyle, and therefore libxml2 would need to be moved to core even if the internal copy of libcroco was kept.
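A small audit script, added here as an illustration and not part of the bug report or of the gettext project, that reads the two kinds of evidence the report relies on (the "checking whether to use the included ..." lines from configure and the NEEDED entries from `readelf -d`) and reports, per library, whether the system copy, the bundled copy, or both ended up in the binary. The configure log, the readelf output, the sonames and the declared dependency list are constructed assumptions, not captured from a real build.

```python
import re
from typing import Dict, Set

# Constructed sample of configure output, modelled on the lines quoted in the report.
CONFIGURE_LOG = """\
checking for libxml2... yes
checking whether to use the included libcroco... yes
checking whether to use the included glib... yes
checking whether to use the included libxml... yes
"""

# Constructed sample of `readelf -d` output for a built library (hypothetical values).
READELF_DYNAMIC = """\
Dynamic section at offset 0x5e000 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libxml2.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libgettextsrc-0.20.1.so]
"""

# configure's name for each library -> (package that provides it, its soname); assumed values.
SYSTEM_LIBS = {
    "libcroco": ("libcroco", "libcroco-0.6.so.3"),
    "glib": ("glib2", "libglib-2.0.so.0"),
    "libxml": ("libxml2", "libxml2.so.2"),
}

INCLUDED_RE = re.compile(r"checking whether to use the included (\S+)\.\.\. (yes|no)")
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")


def included_decisions(log: str) -> Dict[str, bool]:
    """Map configure's library name to True when the bundled copy was chosen."""
    return {m.group(1): m.group(2) == "yes" for m in INCLUDED_RE.finditer(log)}


def needed_sonames(readelf_output: str) -> Set[str]:
    """Collect the DT_NEEDED sonames from `readelf -d` output."""
    return set(NEEDED_RE.findall(readelf_output))


def audit(log: str, readelf_output: str, declared_deps: Set[str]) -> Dict[str, str]:
    """Classify each library: 'system', 'bundled', 'double' (bundled copy compiled in
    while the system soname is also linked) or 'bundled-dep-unused' (package listed as
    a dependency, but only the bundled copy is used)."""
    bundled, needed, result = included_decisions(log), needed_sonames(readelf_output), {}
    for name, (package, soname) in SYSTEM_LIBS.items():
        if bundled.get(name) and soname in needed:
            result[name] = "double"
        elif bundled.get(name):
            result[name] = "bundled-dep-unused" if package in declared_deps else "bundled"
        else:
            result[name] = "system" if soname in needed else "unlinked"
    return result
```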

Closed by Allan McRae (Allan)
Monday, 28 February 2022, 10:15 GMT
Reason for closing: Fixed
Additional comments about closing: gettext-0.21-2
Comment by Jan de Groot (JGC) - Thursday, 07 November 2019, 10:56 GMT
Included libcroco/libxml was forced with 0.20.1. This change was intentional upstream to optimize program startup.

What isn't intentional though is that gettext links against included AND system libxml2 now.

For security reasons using system libxml2 and libcroco would be better though: gettext is not released very often, it includes libxml2 version 2.9.9 and they have one buffer overrun patch applied to their local version, which is not in a public gettext release. Upstream libxml2 is at 2.9.10 and includes a massive amount of security fixes.

I would propose to revert the upstream change by changing libtextstyle/gnulib-m4/gnulib-comp.m4. Lines to change are gl_LIBCROCO([yes]), gl_LIBGLIB([yes]) and gl_LIBXML([yes]). "yes" should become "no".
Comment by Jan Alexander Steffens (heftig) - Tuesday, 12 November 2019, 09:29 GMT
libcroco is dying: https://people.gnome.org/~federico/blog/css-in-librsvg-is-now-in-rust.html

I'll make a patch devendoring glib2 and libxml2, but leaving the included libcroco.
Comment by Jan de Groot (JGC) - Tuesday, 12 November 2019, 10:00 GMT
Importing libcroco into gettext doesn't fix any bugs present in their copy of libcroco.

Though hardly maintained upstream, we have more users of libcroco, so the package will not go away soon.

In addition to that: the bump to 0.6.13 was done post-release. The 0.6.13 release contains a security fix that has been sitting in GNOME git for 2 years. Gettext 0.20.1 doesn't have the fix.
Comment by Jan Alexander Steffens (heftig) - Tuesday, 12 November 2019, 10:36 GMT
> I would propose to revert the upstream change by changing libtextstyle/gnulib-m4/gnulib-comp.m4. Lines to change are gl_LIBCROCO([yes]), gl_LIBGLIB([yes]) and gl_LIBXML([yes]). "yes" should become "no".

This doesn't work. The build doesn't use the needed include dirs and fails, no matter which of the three you try to devendor.
Comment by Jan Alexander Steffens (heftig) - Tuesday, 12 November 2019, 10:41 GMT
> Though hardly maintained upstream, we have more users of libcroco, so the package will not go away soon.

The only other users are librsvg and gnome-shell; the former was already ported in master and the blog post talks about porting the latter.
Comment by Jan de Groot (JGC) - Tuesday, 12 November 2019, 10:46 GMT
Fedora uses a sed hack and adds CPPFLAGS/LIBS exports. Not ideal, but should work.

https://src.fedoraproject.org/rpms/gettext/blob/master/f/gettext.spec#_183
https://src.fedoraproject.org/rpms/gettext/blob/master/f/gettext.spec#_201

Also, unrelated to this bug, there's an additional libtool script that we don't patch with the sed hack in the PKGBUILD.
Comment by Jensen McKenzie (your_doomsday) - Friday, 14 August 2020, 11:34 GMT
libcroco is now officially abandoned with upstream stance that security issues aren't worth fixing because there are too many of them (and nobody cares to do the fixes): https://gitlab.gnome.org/Archive/libcroco/-/issues/8#note_881361

Recommendation for distros is to bundle libcroco internally for the few projects that still need it, or even better drop it if possible: https://src.fedoraproject.org/rpms/gettext/c/093dcc4088340167126723346095247ed336c9d0?branch=master.

Considering that gettext currently doesn't use the system-wide libcroco at all and, as a part of the base group, is very common among Arch users, I think dropping the libcroco dep is a no-brainer here. After that cinnamon will be the only package in the repos runtime-depending on libcroco.
Comment by Shen-Ta Hsieh (BestSteve) - Tuesday, 25 May 2021, 12:37 GMT

Comment by Allan McRae (Allan) - Monday, 28 February 2022, 07:45 GMT
My summary from looking at this bug:

- gettext now uses builtin copies of libcroco and glib2 and does not provide a way of using external versions.
- we should use internal libcroco anyway, as we want this package gone from the repos
- gettext uses an internal subset of libxml2. There is a configure option that apparently allows building against libxml2, but it seems to do nothing...
- we can adjust the libtextstyle/gnulib-m4/gnulib-comp.m4 to try and force full libxml2 usage, but that causes failures due to old configure files and autoconf versions...
- libxml2 still is linked in for some parts of the build.

While it is better from a security standpoint to not use the internal versions of the library, the upstream developers have made it clear this is what they intend. So I am going to remove the libcroco dependency, add libxml2 (because it is directly linked in some places) and upload that as an intermediate solution.
Comment by Allan McRae (Allan) - Monday, 28 February 2022, 07:59 GMT
In fact... I will disable building libtextstyle - the included libcroco has known security bugs. Fedora has a patch. This has the side effect of only using the external libxml2 package.
