wxGTK depends on webkit-gtk slots 2 or 3, which are vulnerable to many ACE and DoS issues and are being removed from the tree. Refer to bug 577068 for more details.
Created attachment 495616 [details]
wxGTK-3.0.2.0-r3.ebuild

proposed ebuild depending on net-libs/webkit-gtk:4
You can't just change the dep and call it a day. It will still be linking against webkit-gtk:2 if that's present and make it be kept around by preserved-libs; if not, it will simply fail the configure phase. Additionally this ebuild seems to be against an older revision. Also, SLOT=3.0 (as opposed to SLOT=3.0-gtk3) can NEVER work with webkit-gtk:4, because webkit-gtk:4 is gtk3 only.

The plan is to remove wxWebView completely for the gtk2 version and see about webkit-gtk:4 (instead of webkit-gtk:3) for the 3.0-gtk3 slot.
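The point above is that the dependency string in the ebuild says nothing about which webkit-gtk library the built wxWebView object actually links; the DT_NEEDED entries do. The following script is an added example (not from this bug thread or the Gentoo tree) that classifies the webkit-gtk slot a built library links against from `readelf -d` output; the soname-to-slot mapping and the sample readelf output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug thread: map the NEEDED webkit library of a
# built wxWebView .so to a webkit-gtk slot, so a rebuilt package can be
# checked instead of trusting the ebuild's dependency string.
# Assumed sonames (not stated in the thread):
#   libwebkitgtk-1.0.so.*   -> webkit-gtk:2 (gtk2, WebKit1 API, no fixes)
#   libwebkitgtk-3.0.so.*   -> webkit-gtk:3 (gtk3, WebKit1 API)
#   libwebkit2gtk-4.0.so.*  -> webkit-gtk:4 (gtk3, WebKit2 API)

# classify_needed: read "readelf -d" output on stdin and print the slot of
# the NEEDED webkit library, or "none" when no webkit library is linked.
classify_needed() {
    sed -n 's/.*(NEEDED).*Shared library: \[\(.*\)]/\1/p' |
    awk '
        /^libwebkitgtk-1\.0\.so/  { slot = "webkit-gtk:2" }
        /^libwebkitgtk-3\.0\.so/  { slot = "webkit-gtk:3" }
        /^libwebkit2gtk-4\.0\.so/ { slot = "webkit-gtk:4" }
        END { print (slot == "" ? "none" : slot) }
    '
}

# check_webview_lib <path.so>: return 0 when the library links only a
# webkit-gtk slot that still receives security fixes, 1 otherwise.
check_webview_lib() {
    slot=$(readelf -d "$1" | classify_needed)
    case "$slot" in
        webkit-gtk:4) echo "$1: OK ($slot)"; return 0 ;;
        none)         echo "$1: no webkit dependency"; return 0 ;;
        *)            echo "$1: links unpatched $slot"; return 1 ;;
    esac
}

# Constructed readelf -d excerpt for a gtk2 build that kept linking the
# webkit-gtk:2 library preserved-libs left behind.
SAMPLE_GTK2=' 0x0000000000000001 (NEEDED)  Shared library: [libwebkitgtk-1.0.so.0]
 0x0000000000000001 (NEEDED)  Shared library: [libwx_gtk2u_core-3.0.so.0]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'

# Constructed excerpt for a 3.0-gtk3 build against webkit-gtk:4.
SAMPLE_GTK3=' 0x0000000000000001 (NEEDED)  Shared library: [libwebkit2gtk-4.0.so.37]
 0x0000000000000001 (NEEDED)  Shared library: [libwx_gtk3u_core-3.0.so.0]'

# Usage on a real file: check_webview_lib /usr/lib64/libwx_gtk3u_webview-3.0.so
```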
(In reply to Mart Raudsepp from comment #2)
> You can't just change the dep and call it a day. It will still be linking
> against webkit-gtk:2 if that's present and make it be kept around by
> preserved-libs; if not, it will simply fail configure phase. Additionally
> this ebuild seems to be against an older revision. Also, SLOT=3.0 (as
> opposed to SLOT=3.0-gtk3) can NEVER work with webkit-gtk:4, because
> webkit-gtk:4 is gtk3 only.
>
> The plan is to remove wxWebView completely for gtk2 version and see about
> webkit-gtk:4 (instead of webkit-gtk:3) for 3.0-gtk3 slot.

Fair enough, but I wanted to make it depend on net-libs/webkit-gtk:4 because of this GLSA: https://security.gentoo.org/glsa/201706-15
Created attachment 509602 [details, diff]
patch generated via git from upstream changes

Including the new webkit API for the 3.0.3.1 version bump is high priority.

Testing currently in progress (waiting for webkit-gtk:4 slot to build first)
Created attachment 509770 [details, diff]
updated webkit API support via git from upstream changes (fixed)

(In reply to kuzetsa from comment #4)
> Created attachment 509602 [details, diff]
> patch generated via git from upstream changes
>
> Including new webkit API in for 3.0.3.1 version bump is high priority.
>
> Testing currently in progress (waiting for webkit-gtk:4 slot to build first)

^ previously pulled in unrelated upstream commits by mistake

Updated patch to apply & build against updated webkit API
Created attachment 509772 [details, diff]
same as previous, but using -U0

Backported fix is larger than 20kb (repoman objects to having this under the /files/ directory)
Do not use -U0, but I guess we can grab the non-U0.

How did you make the patches? I don't see any git commit headers and such, as I'd expect from a cherry-pick/backport from git master or so. I'd be interested to know the commit hashes that need to be backported.
(In reply to Mart Raudsepp from comment #7)
> Do not use -U0, but I guess we can grab the non-U0.
>
> How did you make the patches? I don't see any git commit headers and such as
> I'd expect from a cherry-pick/backport from git master or so. I'd be
> interested to know the commit hashes that need to be backported

[git ref marked as local branch post_webkit2]
1c7b80a1e0958159c111afe8f19d42f2475834ef (first commit prior to webkit2 support)

[git ref marked as local branch pre_webkit2]
6cbad3c37d1919eefa6229a9aec48d140fcbf368 (most recent commit mentioning webkit2 in git log)

I noticed the initial version of the patch was failing [step "1" was not performed initially]

conflicting changes were unrelated to webkit2, so:

resolved conflicts found in post_webkit2 branch:

1) git checkout pre_webkit2 <files>

where <files> are:
* include/wx/generic/propdlg.h (conditional define for older ABI)
* various setup0.h files (unrelated to webkit2)
* files in the path: build/msw/* (unrelated to webkit2, MSW-specific)
* src\msw\version.rc (non-webkit2 changes / OS-specific: MSW)

2) commit conflict resolution to post_webkit2 branch

3) git checkout post_webkit2 && git diff pre_webkit2
> [git ref marked as local branch post_webkit2]
> 1c7b80a1e0958159c111afe8f19d42f2475834ef (first commit prior to webkit2
> support)
> [git ref marked as local branch pre_webkit2]
> 6cbad3c37d1919eefa6229a9aec48d140fcbf368 (most recent commit mentioning
> webkit2 in git log)

^ branch names were correct (not reversed) locally. Mistake when hand-labeling the ref hashes for comment #8.
(In reply to Mart Raudsepp from comment #7)
> Do not use -U0, but I guess we can grab the non-U0.
>
> How did you make the patches? I don't see any git commit headers and such as
> I'd expect from a cherry-pick/backport from git master or so. I'd be
> interested to know the commit hashes that need to be backported

In case you want to comb through the commit history for review / verification:

The specific upstream branch I pulled the fix from was named: WX_3_0_BRANCH
Created attachment 510792 [details, diff]
cherry-pick version of earlier fix

change history (for transparency)
https://github.com/kuzetsa/wxWidgets/branches

fix for non-webkit2 regressions:
https://github.com/kuzetsa/wxWidgets/commit/27a66271817703f529f1c7bf07ac14f04d1d9a13

cherry-picked (upstream) commits:
https://github.com/kuzetsa/wxWidgets/commits/v3.0.3.1_webkit2
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e16e67f0678b264a04e96954a4593ddac3a9a32d

commit e16e67f0678b264a04e96954a4593ddac3a9a32d
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-01-04 03:44:12 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-01-04 17:18:28 +0000

    x11-libs/wxGTK: Apply patchset for lots of 3.0 branch fixes and webkit-gtk:4 port

    Includes 105 patches taken from WX_3_0_BRANCH, plus one from master only
    that we need to not litter DT_NEEDED with wxWebView library without
    --as-needed (it was part of squashed wxGTK-3.0.2.0-webview-fixes.patch
    before). Also includes my patch to install wx/evtloopsrc.h in core-only
    builds.

    Most notably the patchset adds support for webkit2gtk API (as provided by
    security safe net-libs/webkit-gtk:4), and lots of gtk3 port fixes,
    hopefully making 3.0-gtk3 SLOT good enough for mass transition without
    problematic runtime regressions.

    The patchset touches lines right above the first Makefile.in changes in
    the collision patch, so that patch needed to be adjusted to not fail on
    top of the patchset. Ideally the collision patch would be revised and
    moved to the same approach as 3.0-gtk3 has with seds - or vice-versa, but
    at least same approach..

    Compiling amule[-X] and veracrypt[-X] against wxGTK[-X] is untested;
    please test and close the relevant bugs (617440 and 605018) if this is
    fixed now.

    Bug: https://bugs.gentoo.org/629122
    Bug: https://bugs.gentoo.org/617440
    Bug: https://bugs.gentoo.org/605018
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 x11-libs/wxGTK/Manifest                          |  1 +
 x11-libs/wxGTK/files/wxGTK-3.0.3-collision.patch | 75 ++++++++++++++++++++++++
 x11-libs/wxGTK/wxGTK-3.0.3-r300.ebuild           |  4 +-
 x11-libs/wxGTK/wxGTK-3.0.3.ebuild                |  4 +-
 4 files changed, 82 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41787a15cf62692c494063f656c82bbf849df8ea

commit 41787a15cf62692c494063f656c82bbf849df8ea
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-01-04 03:31:03 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-01-04 17:18:19 +0000

    x11-libs/wxGTK: remove USE=webkit (wxWebView) support from gtk2 based SLOT=3.0

    gtk2 supporting webkit-gtk versions have not received security fixes for
    years, so don't allow subjecting oneself to such an unsafe possibility.
    The only in-tree wxGTK:3.0[webkit] consumer was ported to
    wxGTK:3.0-gtk3[webkit], which will have a security safe version in a
    subsequent commit.

    Bug: https://bugs.gentoo.org/629122
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 x11-libs/wxGTK/wxGTK-3.0.3.ebuild | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
webkit-gtk:3 is clean. webkit-gtk:2 is pending stabilization by arm. If they don't wake up before gnucash is done (the other thing blocking webkit-gtk:2 removal), I will make them have a new revbump just for arm that just removes the USE flag and clean the one with USE=webkit-gtk.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab6047e626654bf52fa75614216dd10108845eea

commit ab6047e626654bf52fa75614216dd10108845eea
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-02-23 05:27:07 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-02-23 05:27:07 +0000

    x11-libs/wxGTK: remove old

    This removes the last vulnerable webkit-gtk:2 using revision of wxGTK,
    and last revision using gstreamer:0.10 in wxGTK-3* (gst 0.10 usage
    remains in wxGTK:2.8 for now - pending ability to cleanup 2.8 as a
    whole).

    Closes: https://bugs.gentoo.org/629122
    Bug: https://bugs.gentoo.org/629208
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 x11-libs/wxGTK/wxGTK-3.0.2.0-r3.ebuild | 165 ---------------------------------
 1 file changed, 165 deletions(-)