Old webkit-gtk slots are unmaintained and contain multiple security issues: https://lists.fedoraproject.org/archives/list/devel%40lists.fedoraproject.org/thread/S3VHBCPMPVZ3NBKR7FQZQE6HBUHVEZ3D/ That is why Fedora switched to a snapshot of shotwell that finally uses the fixed webkitgtk4: http://pkgs.fedoraproject.org/cgit/rpms/shotwell.git/tree/shotwell.spec Could we also get a fixed snapshot? Thanks a lot.
Without a snapshot we are also vulnerable: https://mail.gnome.org/archives/distributor-list/2016-March/msg00001.html
Not a shotwell user, but the security issue (among a few similar security issues against other apps) has been noted in LWN: http://lwn.net/Articles/679862 which in turn links a gnome blog entry: https://blogs.gnome.org/mcatanzaro/2016/03/12/do-you-trust-this-application/ which in turn points to the vulnerability notification from back in January on the gnome distributor's list, which gentoo gtk and gnome app maintainers should be on and thus should have gotten the notification back then (with the March followup that leio noted in comment #1): https://mail.gnome.org/archives/distributor-list/2016-January/msg00000.html So ccing security@ because this has been going on since January and hwoarang@ and graphics@ seem to have been MIA for six weeks and counting... on a security issue that's now getting more publicity. Maybe that will at least get the package security-masked and perhaps ultimately last-rited, since nobody seems interested in fixing it. Users can note that it's the uploading feature that's the issue, as it doesn't verify the security of the connection, which means passwords to the upload accounts may have been exposed and should be changed. Users simply using shotwell for its local photo management features and not to upload aren't affected. Too bad the uploading feature isn't switchable via USE flag so the flag could just be use-masked, but I suppose upstream didn't expose that as a build-time option, so...
Added the Gnome project as well. Should p.mask and last-rites be considered, this package will also need to be removed as a dependency from gnome-base/gnome-extra-apps and the local USE flag removed. If there is not a timely response we will coordinate to mask the package and issue last-rites. @Markos, I know you have your devaway set, but please let us know what you would like to do as maintainer of the package. There is a git snapshot available upstream with the appropriate TLS fix from Fedora. Active development seems to have ceased though. Thanks. Still pending a CVE assignment: http://www.openwall.com/lists/oss-security/2015/12/04/4
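The problem described in the two comments above is an upload client that does not validate the server's TLS certificate, so an on-path attacker can impersonate the upload service and capture the account password. The following is an added example, not Shotwell's, Fedora's or Gentoo's code: it shows the weak client configuration next to the fixed one in Python's standard ssl module, plus a small audit that tells them apart and a hypothetical uploader entry point that refuses to carry credentials over an unverified context. The class and function names are assumptions made for illustration; nothing here connects to the network.

```python
"""Added example (hypothetical code, not the Shotwell project's own): the
weak TLS client setting behind the bug, the fixed setting, and a check that
distinguishes them before any credential is sent."""
import http.client
import ssl
from dataclasses import dataclass


@dataclass
class TlsPosture:
    verifies_chain: bool    # is the server certificate validated against the CA store?
    checks_hostname: bool   # is the certificate also matched to the host we dialled?
    min_version: str        # lowest protocol version the client will negotiate

    @property
    def safe_for_credentials(self) -> bool:
        # Chain validation without hostname matching still lets any holder of
        # any valid certificate impersonate the upload service, so both are required.
        return self.verifies_chain and self.checks_hostname


def weak_upload_context() -> ssl.SSLContext:
    """The vulnerable pattern: a client that never checks who it is talking to.
    Any certificate an on-path attacker presents is accepted, and the upload
    password then travels to the attacker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fixed_upload_context() -> ssl.SSLContext:
    """The hardened pattern: system CA store, chain validation, hostname
    matching (all defaults of create_default_context) and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx: ssl.SSLContext) -> TlsPosture:
    """Report what a context would actually enforce on a handshake."""
    return TlsPosture(
        verifies_chain=ctx.verify_mode == ssl.CERT_REQUIRED,
        checks_hostname=bool(ctx.check_hostname),
        min_version=ctx.minimum_version.name,
    )


def connection_for(host: str, ctx: ssl.SSLContext) -> http.client.HTTPSConnection:
    """Hypothetical uploader entry point: fail closed if the context would not
    detect an impostor. Constructing the connection object does not connect."""
    if not audit(ctx).safe_for_credentials:
        raise ValueError("refusing to send upload credentials without certificate validation")
    return http.client.HTTPSConnection(host, context=ctx, timeout=10)


if __name__ == "__main__":
    for name, ctx in (("weak", weak_upload_context()), ("fixed", fixed_upload_context())):
        print(name, audit(ctx))
```

The audit is the check a user or packager can run against their own client code: if `verify_mode` is not `CERT_REQUIRED` or `check_hostname` is off, every password sent through that client should be treated as exposed, which is the same advice the comment above gives for Shotwell's upload accounts.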
*** Bug 581376 has been marked as a duplicate of this bug. ***
[master a421d5f] media-gfx/shotwell: Version bump
 2 files changed, 115 insertions(+)
 create mode 100644 media-gfx/shotwell/shotwell-0.23.1.ebuild
The vulnerable versions were dropped.