Control: severity -1 important

On Sun, 13 Apr 2025 16:24:12 +0200 Ben Hutchings <b...@decadent.org.uk> wrote:
> Source: dillo
> Version: 3.0.5-7
> Severity: serious
> Tags: security
>
> Following the recent discussion on debian-devel, I'm concerned that
> this package is still in stable and testing.
>
> There has been no new upstream version and absolutely minimal fixes in
> Debian for the last 10 years. While for some classes of software this
> would be fine, a web browser is constantly working with untrusted
> input, and a web browser written in C and C++ is likely to have many
> exploitable security vulnerabilities.
>
> I see no sign that it has already been fuzz tested by the previous
> upstream maintainer or the developers of the newer forks, so these
> vulnerabilities are more likely to be found by attackers than
> defenders.
>
> I understand that Dillo does have the advantage of not implementing
> Javascript, but there is still plenty of complexity in the formats it
> does handle. For comparison, see Vincent Sanders' accounts of fuzzing
> NetSurf, a similarly "light" browser project:
> <https://vincentsanders.blogspot.com/2016/08/down-rabbit-hole.html>,
> <https://vincentsanders.blogspot.com/2016/10/rabbit-of-caerbannog.html>.
>
> Ben.

Removing dillo at this stage in the Trixie release process would result in removal of the src:claws-mail package on account of the claws-mail-dillo-viewer binary package depending upon it. Because the Trixie soft freeze has begun, dropping binary packages from a source package is no longer appropriate, so dropping claws-mail-dillo-viewer is not straightforward.

As of last year a new upstream maintainer for Dillo has stepped up and has made new releases (see https://dillo-browser.github.io/). While it's likely too late to get the latest release into trixie, there is the potential to get it into trixie-backports post-release.

-- 
Plasma