[MacPorts] #68593: gettext @0.21.1: newer version available
MacPorts
noreply at macports.org
Thu Nov 9 22:41:51 UTC 2023
#68593: gettext @0.21.1: newer version available
------------------------+------------------------
Reporter: tifrueh | Owner: ryandesign
Type: update | Status: closed
Priority: Normal | Milestone:
Component: ports | Version: 2.8.1
Resolution: duplicate | Keywords:
Port: gettext |
------------------------+------------------------
Comment (by ryandesign):
Replying to [comment:2 tifrueh]:
> ''Note: Looking at the Arch Linux package I saw that `libtextstyle` is
> being disabled there, due to it depending on `libcroco` which is
> supposedly unmaintained and insecure. Might it be a good idea to do the
> same thing on MacPorts?''

As it says in `port info libtextstyle`, "This library is part of gettext
and a prerequisite for tools like msgfmt and friends". `msgfmt` is used by
zillions of ports. In addition, bison depends on libtextstyle.

gettext used to have the ability to use an external (MacPorts) version of
libcroco but that capability was removed from upstream gettext and the
MacPorts gettext port with the 0.21.x update. I'm not familiar with
libcroco or gettext's use of it. I do see that
[https://gitlab.gnome.org/Archive/libcroco libcroco has been archived] and
I do see that [https://gitlab.gnome.org/Archive/libcroco/-/issues/8 the
most recently filed bug report] is a CVE that was not fixed upstream. The
MacPorts libcroco port did get
[changeset:698a3c4277751f712a7b627ad0da38e19c61556d/macports-ports a patch
for that CVE]. I do not see that patch having been applied to the version
of libcroco included in the gettext repository.

Please bring your concerns to the developers of gettext since they are the
ones who would have to add the patch for the CVE or rewrite libtextstyle
to use a different library if they agree that libcroco is insecure.

--
Ticket URL: <https://trac.macports.org/ticket/68593#comment:4>
MacPorts <https://www.macports.org/>
Ports system for macOS