libpango shouldn't depend on libthai

Bug #509919 reported by Michael Jones on 2010-01-20
This bug affects 2 people
Affects: pango1.0 (Ubuntu)

Bug Description

I live in the United States and speak only English and Spanish (somewhat).

The recent update to libthai and libthai data due to arbitrary code execution via long strings prompted me to try removing libthai and libthai-data.

Given that I don't speak the language, and know with high certainty that no one who uses my machine will speak it, there is no reason for it to be on my machine.

It's not the space that it takes that bothers me (though it would be nice to reclaim the space regardless), but that a package I don't need on my machine has a security flaw that would enable an attacker to compromise my machine.

I recognize that people who do speak the Thai language need this library, but given that I chose my language as English at install, isn't there any way to remove language packages that I didn't select/don't need?

Here is the output from the terminal:

jonesmz@jonesmz-laptop:~$ sudo apt-get remove libthai-data
[sudo] password for jonesmz:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  sg3-utils libdlmcontrol3 feynmf mutter-common wamerican guile-1.8 dvgrab latex2html librpmbuild0 python-psyco debootstrap libopenipmi0 lilypond-doc libfence4 python-pexpect libdmraid1.0.0.rc15 lilypond-data python-renderpm libatk1.0-dev
  libgda-4.0-common libgcj-bc python-libvirt libxcb-keysyms1 groff libgretl1 deluge-common lives-data nmap tex4ht libnet-snmp-perl libopenais3 libcvaux1 mplayer-skins libgfortran3 corosync gretl-doc liblogthread3
  gobject-introspection-glib-2.0 libccs3 ipython java-common librpmio0 librpm0 vflib3 libcddb2 libcairo2-dev libcorosync4 python-lxml python-reportlab-accel libaccess-bridge-java python-gda icedtea-6-jre-cacao libweed0 libfile-basedir-perl
  gretl-common pidgin-data libboost-thread1.38.0 libffi-dev libnss3-dev luatex eclipse-platform-data tofrodos gcj-4.4-jre-lib gobject-introspection libgcj10 kpartx libdlm3 python-configobj x11proto-composite-dev libjlibeps-java
  guile-1.6-libs ant-optional-gcj libtorrent-rasterbar5 valgrind libvlc2 tidy libtidy-0.99-0 libnet-telnet-perl ant python-numpy snmp cman deluge-core gcj-4.4-base python-cheetah libfile-mimeinfo-perl libgnomeprint2.2-data schedtool
  python-rpm vlc-nox python-compizconfig texlive-metapost-doc libgda-4.0-4 libgcj-common python-svn ogmtools gjs x11proto-damage-dev libupnp3 libjaxp1.3-java openjdk-6-jre-headless giblib1 libxcb-render-util0-dev libjiu-java drgeo-doc
  openipmi libgavl1 icedax tzdata-java libwxbase2.8-0 texlive-xetex gnuplot-nox openais kbibtex libgirepository1.0-0 gobject-introspection-freedesktop libjline-java texlive-bibtex-extra openjdk-6-jre-lib libxdamage-dev libnspr4-dev
  libxerces2-java libwmf-bin libqthreads-12 libfile-desktopentry-perl liblzo2-2 python-pysqlite2 libcv1 libdbus-glib-1-dev libsox-fmt-base texlive-metapost sox python-uniconvertor
  libblas3gf tex4ht-common libxcomposite-dev libamd2.2.0 liblapack3gf xserver-xephyr libc6-dbg libsox-fmt-alsa rhino context vlc-plugin-pulse vlc-data libpixman-1-dev global libcman3 python-scipy dmraid
  texlive-font-utils libumfpack5.4.0 wbritish libxcb-render0-dev default-jre-headless libboost-filesystem1.38.0 python-foolscap mkvtoolnix scrot ca-certificates-java libsox1a libimlib2 ant-gcj perl-doc python-chardet libvlccore2
  mplayer-nogui ant-optional libguile-ltdl-1 python-reportlab python-virtinst libboost-system1.38.0 python-libtorrent python-vm-builder texinfo libdvilib2-16 boinc-client python-gobject-dev libgnomecups1.0-1 python-urlgrabber libgdl-1-common
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  alacarte alleyoop apport-gtk apturl asymptote at-spi boinc-manager brasero brltty-x11 bum checkbox-gtk chromium-browser chromium-browser-inspector chromium-codecs-ffmpeg compiz compiz-fusion-plugins-extra compiz-fusion-plugins-main
  compiz-gnome compiz-plugins compizconfig-settings-manager couchdb-bin cournol default-jre deluge desktopcouch dia dia-common dia-libs diffuse dolphin drgeo eclipse eclipse-jdt eclipse-pde eclipse-platform eclipse-plugin-cvs eclipse-rcp eog
  evince file-roller finch firefox-3.5 firefox-3.5-branding firefox-3.5-gnome-support firefox-3.7 firefox-3.7-branding firefox-3.7-gnome-support firefox-gnome-support firestarter flashblock flashplugin-installer flashplugin-nonfree
  frei0r-plugins gcalctool gconf-editor gdebi gdm gdm-guest-session gdmap gedit ggcov gimp gksu gnome-about gnome-accessibility-themes gnome-applets gnome-bluetooth gnome-codec-install gnome-control-center gnome-disk-utility
  gnome-games-common gnome-icon-theme gnome-keyring gnome-mag gnome-media gnome-menus gnome-nettool gnome-panel gnome-power-manager gnome-screensaver gnome-session gnome-session-bin gnome-session-canberra gnome-settings-daemon gnome-shell
  gnome-system-monitor gnome-system-tools gnome-terminal gnome-themes-selected gnome-themes-ubuntu gnome-user-guide gnome-user-guide-en gnome-utils gnuplot gnuplot-x11 gobject-introspection-repository gparted graphviz graphviz-cairo gretl
  gretl-data gstreamer0.10-plugins-good gstreamer0.10-x gtk2-engines gtk2-engines-murrine gtk2-engines-pixbuf gucharmap gvb gvfs gvfs-backends gvfs-bin gvfs-fuse human-theme humanity-icon-theme ibus ibus-gtk ibus-m17n ibus-table
  icedtea6-plugin imagemagick indicator-applet indicator-messages inkscape jockey-gtk kdebase-bin kdebase-runtime kdebase-runtime-bin-kde4 kfind khelpcenter4 kile konqueror konqueror-nsplugins konsole language-selector
  language-support-writing-en latexdraw libaccess-bridge-java-jni libatspi1.0-0 libavahi-ui0 libbonoboui2-0 libbrasero-media0 libcanberra-gtk-module libcanberra-gtk0 libclutter-1.0-0 libclutter-gtk-0.10-0 libcryptui0 libdbusmenu-gtk0
  libedataserverui1.2-8 libequinox-osgi-java libevdocument1 libevview1 libexchange-storage1.2-3 libgail-common libgail-gnome-module libgail18 libgcr0 libgdict-1.0-6 libgdl-1-3 libgdu-gtk0 libgegl-0.0-0 libgimp2.0 libgksu2-0 libglade2-0
  libgnome-bluetooth7 libgnome-desktop-2-11 libgnome-media0 libgnome-pilot2 libgnome-window-settings1 libgnome2-0 libgnome2-canvas-perl libgnome2-perl libgnomecanvas2-0 libgnomekbd4 libgnomekbdui4 libgnomeprint2.2-0 libgnomeui-0
  libgpod-common libgpod4 libgraphviz4 libgstfarsight0.10-0 libgtk-vnc-1.0-0 libgtk2-gladexml-perl libgtk2-perl libgtk2-spell-perl libgtk2.0-0 libgtk2.0-bin libgtk2.0-dev libgtkdatabox-0.9.0-1 libgtkhtml-editor0 libgtkhtml2-0
  libgtkhtml3.14-19 libgtkmm-2.4-1c2a libgtksourceview2.0-0 libgtkspell0 libgucharmap7 libgweather1 libhighgui1 libindicate-gtk1 libkonq5 libkonqsidebarplugin4 liblaunchpad-integration1 liblpint-bonobo0 libm17n-0 libmagick++2 libmagickcore2
  libmagickwand2 libmetacity0 libmutter0 libnautilus-extension1 libnotify-dev libnotify1 libpanel-applet2-0 libpango-perl libpango1.0-0 libpango1.0-dev libpangomm-1.4-1 libpolkit-gtk-1-0 libpoppler-glib4 libpurple0 librsvg2-2 librsvg2-common
  libsexy2 libswt-gtk-3.5-java libswt-gtk-3.5-jni libtelepathy-farsight0 libthai-data libthai0 libtotem-plparser12 libunique-1.0-0 libvte9 libwebkit-1.0-2 libwmf0.2-7-gtk libwnck22 libwxgtk2.8-0 libxine1 libxine1-misc-plugins lilypond
  linsmith lives m17n-contrib m17n-db meld metacity mousetweaks mozilla-plugin-vlc mozilla-stumbleupon mplayer mutter nautilus nautilus-sendto nautilus-share network-manager-gnome notify-osd obex-data-server openjdk-6-jre openproj perlmagick phonon-backend-xine pidgin pidgin-libnotify pidgin-plugin-pack playonlinux policykit-1-gnome prism python-aptdaemon-gtk
  python-desktopcouch python-desktopcouch-records python-eggtrayicon python-gdl python-gksu2 python-glade2 python-gmenu python-gnome2 python-gnome2-extras python-gnomeapplet python-gnomecanvas python-gnomekeyring python-gtk-vnc python-gtk2
  python-gtk2-dev python-gtk2-doc python-gtkhtml2 python-gtkmozembed python-gtksourceview2 python-gtkspell python-ibus python-launchpad-integration python-nautilus python-notify python-pyatspi python-rsvg python-sexy python-ubuntuone-client
  python-uno python-virtkey python-vte python-webkit python-wxgtk2.8 python-wxversion qa-assistant qemu-launcher qemulator rabbitvcs rhythmbox screensaver-default-images seahorse seamonkey-browser seamonkey-gnome-support software-center
  software-properties-gtk ssh-askpass-gnome synaptic system-config-cluster system-config-printer-gnome telepathy-haze tex-guy thunderbird-3.0 thunderbird-3.0-gnome-support tsclient ubufox ubuntu-artwork ubuntu-docs ubuntustudio-theme umit
  update-manager update-notifier usb-creator-gtk useragentswitcher vinagre vino virt-manager virt-viewer vlc winefish xdg-user-dirs-gtk xscreensaver-data xscreensaver-gl xsplash xulrunner-1.9.1 xulrunner-1.9.1-dev
  xulrunner-1.9.1-gnome-support xulrunner-1.9.3 xulrunner-1.9.3-gnome-support xulrunner-dev yakuake yelp zenity zim
0 upgraded, 0 newly installed, 362 to remove and 10 not upgraded.
After this operation, 1,673MB disk space will be freed.
Do you want to continue [Y/n]? n

ProblemType: Bug
Architecture: i386
Date: Tue Jan 19 19:16:21 2010

DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release Candidate i386 (20091020.3)
Package: libthai-data 0.1.12-1
PackageArchitecture: all
ProcVersionSignature: Ubuntu 2.6.31-17.54-core
SourcePackage: libthai
Uname: Linux 2.6.31-17-core i686
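
An added example, not part of the original report or of apt itself: a shell helper that reads an apt-get removal plan in the format shown above and rejects it when it would remove more packages than expected, which is the check that flags a cascade like the 362-package one in this report. The function names and the sample plan are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect apt-get's removal plan before accepting it.
# Real use (simulate only, C locale so the English headers match):
#   LC_ALL=C apt-get -s remove libthai-data | removal_guard 2

# Print one package per line from the "will be REMOVED" block of the
# apt-get output on stdin. The "no longer required" block is skipped.
removed_packages() {
    awk '
        /^The following packages will be REMOVED:/ { in_block = 1; next }
        in_block && /^  / { for (i = 1; i <= NF; i++) print $i; next }
        { in_block = 0 }
    '
}

# removal_guard MAX: print the number of packages the plan removes and
# succeed only if that number is at most MAX.
removal_guard() {
    max=$1
    count=$(removed_packages | wc -l | tr -d ' ')
    echo "$count"
    [ "$count" -le "$max" ]
}

# Constructed sample, shortened from the shape of the output in the report.
sample_plan() {
    cat <<'EOF'
Reading package lists... Done
Building dependency tree
The following packages were automatically installed and are no longer required:
  sg3-utils wamerican
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  alacarte gdm libgtk2.0-0 libpango1.0-0
  libthai-data libthai0 zenity
0 upgraded, 0 newly installed, 7 to remove and 10 not upgraded.
EOF
}
```
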

Michael Jones (jonesmz) wrote :

I wanted to remove these packages too.

Changed in libthai (Ubuntu):
status: New → Confirmed
pierre3 (pierre3) wrote :

After removing these packages, libthai0 & libthai-data, the OS crashed because many files were erased from the HD.
Done on several machines with the same results.
To me it seems to be a sort of malware made by a clown!

- The vulnerability has been fixed in 0.1.12-1ubuntu0.2 [1]. So, you might have already updated it before reporting this bug.

- The vulnerability was later proved to be ineffective in libthai [2]. Instead, it's pango/glib that's vulnerable. So, if you want to get rid of all packages with a security flaw, just remove pango instead. :P

- Regarding the dependency, nothing can be done in libthai to change this. It's pango that pulls it in, according to upstream decision. Before the merge, it used to be shipped as a separate third-party plug-in. Well, if you ask for the re-split, one can ask for other language engines to be split, too. So, this should be reassigned to pango, for its maintainers to decide.

Mike Doherty (doherty) wrote :

So, it appears the complaint is really about libpango's dependency on libthai

affects: libthai (Ubuntu) → pango1.0 (Ubuntu)
summary: - Hundreds of packages depend on libthai and libthai-data
+ libpango shouldn't depend on libthai
Changed in pango1.0 (Ubuntu):
status: Confirmed → New
Gary M (garym) on 2011-01-03
tags: added: karmic lucid maverick natty
Changed in pango1.0 (Ubuntu):
status: New → Confirmed