On 2022-02-14 at 05:28, Stella Ashburne wrote:

> Hi Andy
>
>> From: "Andrew M.A. Cater" <amaca...@einval.com>
>>
>> Stella (and others)
>>
>> This is apparently a long standing bug from pango1.0
>>
>> Debian bug #565500
>>
>> and has been outstanding for a decade or so.
>
> And why has the decade-old bug not been resolved, may I ask?

I have only a vague guess about this, based on reading the bug report and the other bug reports (not all on the Debian bug tracker) linked from it. Your guess on that front may well be as good as mine; have you read those bug reports?

> Won't it pose a security risk such as in escalation of root
> privileges?

Only if libthai itself contains a security vulnerability which would make such escalation possible - in which case it would be more important and more appropriate to fix that bug than to fix this one.

>> Thai poses interesting font, formatting and display properties - if
>> you're not Thai, it doesn't matter to you, but, as you can see it's
>> fairly well embedded into various libraries.
>
> I wonder who embedded Thai fonts and code in the first place...

I think you're reading this wrong.

If you look at the package description for libpango-1.0-0 (which, as pointed out elsewhere, depends on libthai0 and is the reason why libthai0 is installed on your system), you'll see that it says in part:

>>> Pango is a library for layout and rendering of text, with an
>>> emphasis on internationalization. Pango can be used anywhere
>>> that text layout is needed.

It includes layout-and-rendering support for many, many languages.

What this means in practice is that it implements a set of functions which other programs can call when they want to delegate the task of laying out and rendering text. The benefit of using those functions when writing a program, rather than handling the work yourself, is that A: you have less work to do, and B: you can automatically get layout and rendering right for every language the library supports, rather than having to worry about implementing every single one of them yourself.

Most of the languages supported by Pango do not depend on language-specific external libraries; the code to support them is either internal to Pango, or contained in non-language-specific internal libraries.

The Thai language (and apparently also related languages, such as Lao) is an exception, because the rules for laying it out and rendering it are both sufficiently complex and sufficiently distinct from those needed by most other languages that it was deemed better to implement that logic as a separate library.

Any program that wants to let its text be translated into languages which use layout, etc., rules that differ from the language in which that text was written is likely to use libpango. Because libpango provides this type of support for Thai by depending on an external library, installing any of those programs will result in installing not only libpango-1.0-0, but also libthai0.

None of those programs have embedded Thai fonts, or "Thai code" (whatever one might intend that to mean) - at least not by this avenue, and probably not at all. Rather, they have simply delegated layout and rendering work to libpango, by calling appropriate functions (which will cause the program to break if libpango is not available).

libpango has also not embedded either of those things. Rather, it has delegated the task of laying out and rendering Thai-language text to libthai, by calling appropriate functions (which will cause the library, and the programs calling it, to break if libthai is not available).

If a program on your system is configured to display Thai text - for example, if you go to a Website which contains text written in that language, such as https://en.wikipedia.org/wiki/Thai_language, and your browser is configured to display that Website as intended - then very probably the program will call the functions in libpango, which will recognize the Thai language and call the functions in libthai, which will do the layout-and-rendering work, and return the result up the stack, so that the program will be able to display the text correctly.

If no program on your system ever encounters Thai text in a way that makes it want to call those functions, then the code in libthai will never actually run on your system. (And therefore your system will not be at risk from any security vulnerabilities contained in that code.)

Please note that the only way that Thai is special here is that its support is provided by a language-specific external library. Pango contains comparable support for many, many other languages; they're just all implemented internally or using non-language-specific external libraries. Given that the intent of libpango is to provide support for layout and rendering of all of these languages, the alternative to having it depend on libthai0 would not be to omit the code which supports these things; rather, it would be to include that code in libpango-1.0-0 itself directly, where you'd never have noticed that it was present.

>> It's about as relevant to you as the fact that the Debian installer
>> supports several languages: if you don't use them in install and
>> set up the locales they're essentially irrelevant but are there for
>> the convenience of people who need them.
>
> Indeed, I don't use non-English language versions during install
> and/or set up Thai-specific locales but libthai still ends up in my
> installed system.

And you also don't use any of the other non-English languages for which layout is supported by libpango (unless you happen to go to a Website which has text in that language), but that also gets installed on your system, so that the functions which programs use to delegate the layout-and-rendering tasks are going to be available.

> My concern is whether libthai poses a security risk to Debian users.

Do you have any reason to believe that it might? As compared to any other random library that Debian provides.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.
         -- George Bernard Shaw
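As an added example (not part of this thread or of any Debian package), here is a quick way to check the point made above in practice: which running processes actually have a given shared library such as libthai mapped at all. It scans `/proc/<pid>/maps` on Linux; the library-name argument and the embedded sample map lines are constructed for illustration.

```python
"""Report which running processes have a given shared library mapped.

Added example, not code from the mailing-list thread. A library pulled in
as a dependency (libpango-1.0-0 -> libthai0) is only attack surface in a
process that loads it, so the first check is which processes map it.
The sample map lines below are constructed, not captured from a real host.
"""
import os
import re
from typing import Dict, List


def mapped_paths(maps_text: str, libname: str) -> List[str]:
    """Distinct file paths in one /proc/<pid>/maps dump whose basename is
    lib<libname>.so with an optional numeric version suffix."""
    pat = re.compile(r"/lib" + re.escape(libname) + r"\.so(?:\.\d+)*$")
    found: List[str] = []
    for line in maps_text.splitlines():
        # maps format: address perms offset dev inode [pathname]
        fields = line.split(None, 5)
        if len(fields) < 6:  # anonymous mapping, no backing file
            continue
        path = fields[5]
        if pat.search(path) and path not in found:
            found.append(path)
    return found


def processes_mapping(libname: str, maps_by_pid: Dict[int, str]) -> Dict[int, List[str]]:
    """pid -> matching library paths, omitting pids that map none."""
    return {pid: paths for pid, text in maps_by_pid.items()
            if (paths := mapped_paths(text, libname))}


def read_live_maps() -> Dict[int, str]:
    """Collect /proc/<pid>/maps for every readable process (Linux only)."""
    out: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/maps") as fh:
                    out[int(entry)] = fh.read()
            except OSError:  # process exited or not ours to read
                continue
    return out


# Constructed sample: pid 4242 maps libpango and libthai; pid 77 maps only libc.
SAMPLE_MAPS = {
    4242: "7f10 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0.5000.4\n"
          "7f20 r--p 00000000 08:01 1235 /usr/lib/x86_64-linux-gnu/libthai.so.0.3.1\n"
          "7f30 rw-p 00000000 00:00 0\n",
    77: "7f40 r-xp 00000000 08:01 1236 /usr/lib/x86_64-linux-gnu/libc.so.6\n",
}

if __name__ == "__main__":
    for pid, paths in sorted(processes_mapping("thai", read_live_maps()).items()):
        print(pid, " ".join(paths))
```

Run it as-is to list live processes with libthai mapped; pass a different name (e.g. `pango-1.0`) to follow the dependency one step up.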