Source: dillo
Version: 3.0.5-7
Severity: serious
Tags: security

Following the recent discussion on debian-devel, I'm concerned that this package is still in stable and testing.
There has been no new upstream version and absolutely minimal fixes in Debian for the last 10 years. While for some classes of software this would be fine, a web browser is constantly working with untrusted input, and a web browser written in C and C++ is likely to have many exploitable security vulnerabilities. I see no sign that it has already been fuzz tested by the previous upstream maintainer or the developers of the newer forks, so these vulnerabilities are more likely to be found by attackers than defenders.

I understand that Dillo does have the advantage of not implementing Javascript, but there is still plenty of complexity in the formats it does handle.

For comparison, see Vincent Sanders' accounts of fuzzing NetSurf, a similarly "light" browser project:
<https://vincentsanders.blogspot.com/2016/08/down-rabbit-hole.html>
<https://vincentsanders.blogspot.com/2016/10/rabbit-of-caerbannog.html>

Ben.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldoldstable-updates'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.19-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled