Control: severity -1 important
On Sun, 13 Apr 2025 16:24:12 +0200
Ben Hutchings <[email protected]> wrote:

> Source: dillo
> Version: 3.0.5-7
> Severity: serious
> Tags: security
>
> Following the recent discussion on debian-devel, I'm concerned that
> this package is still in stable and testing.
>
> There has been no new upstream version and absolutely minimal fixes in
> Debian for the last 10 years. While for some classes of software this
> would be fine, a web browser is constantly working with untrusted
> input, and a web browser written in C and C++ is likely to have many
> exploitable security vulnerabilities.
>
> I see no sign that it has already been fuzz tested by the previous
> upstream maintainer or the developers of the newer forks, so these
> vulnerabilities are more likely to be found by attackers than
> defenders.
>
> I understand that Dillo does have the advantage of not implementing
> JavaScript, but there is still plenty of complexity in the formats it
> does handle. For comparison, see Vincent Sanders' accounts of fuzzing
> NetSurf, a similarly "light" browser project:
> <https://vincentsanders.blogspot.com/2016/08/down-rabbit-hole.html>,
> <https://vincentsanders.blogspot.com/2016/10/rabbit-of-caerbannog.html>.
>
> Ben.
Removing dillo at this stage in the Trixie release process would result
in removal of the src:claws-mail package on account of the
claws-mail-dillo-viewer binary package depending upon it. Because the
Trixie soft freeze has begun, dropping binary packages from a source
package is no longer appropriate, so dropping claws-mail-dillo-viewer is
not straightforward.

As of last year a new upstream maintainer for Dillo has stepped up and
has made new releases (see https://dillo-browser.github.io/). While
it's likely too late to get the latest release into trixie, there is
the potential to get it into trixie-backports post-release.
--
Plasma