A patch (see URL) has been submitted upstream for WebKit sandboxing. This is just a bug to keep an eye on it and not forget, for possible backporting/addition to our ebuilds if appropriate.
Thanks, I had already noticed the upstream discussion. This would affect version 26 and later. The patch looks simple enough, so I believe that backporting to existing versions shouldn't be a problem.
~/git/emacs $ git tag --contains 71661b287297f328c2c5ad67e180a760f80850cb emacs-27.1.90 emacs-27.1.91 emacs-27.2 emacs-27.2-rc1 emacs-27.2-rc2 emacs-28.0.90 emacs-28.0.91 emacs-28.0.92 This is really just a hardening option rather than a specific vulnerability, so I don't see any reason to cleanup here, but I'll leave open for some time for other opinions.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/proj/emacs-patches.git/commit/?id=3341de0f2c88e9e9696c7aa4c1529c13066089d0 commit 3341de0f2c88e9e9696c7aa4c1529c13066089d0 Author: Ulrich Müller <ulm@gentoo.org> AuthorDate: 2022-03-26 21:24:45 +0000 Commit: Ulrich Müller <ulm@gentoo.org> CommitDate: 2022-03-26 21:24:45 +0000 26.3: Enable WebKit sandboxing Bug: https://bugs.gentoo.org/739354 Signed-off-by: Ulrich Müller <ulm@gentoo.org> emacs/26.3/02_all_webkit-sandbox.patch | 41 ++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66d765c893fdb716fb2166a1a67e1a451ef1ae1e commit 66d765c893fdb716fb2166a1a67e1a451ef1ae1e Author: Ulrich Müller <ulm@gentoo.org> AuthorDate: 2022-03-26 21:29:41 +0000 Commit: Ulrich Müller <ulm@gentoo.org> CommitDate: 2022-03-26 21:34:53 +0000 app-editors/emacs: Backport WebKit sandboxing patch to slot 26 Bug: https://bugs.gentoo.org/739354 Signed-off-by: Ulrich Müller <ulm@gentoo.org> app-editors/emacs/Manifest | 1 + app-editors/emacs/emacs-26.3-r7.ebuild | 376 +++++++++++++++++++++++++++++++++ 2 files changed, 377 insertions(+)
- I have backported the patch to slot 26 (emacs-26.3-r7). - For slot 25, xwidgets/webkit is unconditionally disabled. - For slot 24 and before, the functionality in question didn't exist yet. We could either go for rapid security stabilisation of 26.3-r7 here, or I could file a normal stable request in one month from now. What do you prefer?
Normal stabilization timeline is fine by me!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea95f0712988dd1c4747a7c2e9b43b6ea448eda3 commit ea95f0712988dd1c4747a7c2e9b43b6ea448eda3 Author: Ulrich Müller <ulm@gentoo.org> AuthorDate: 2022-05-07 05:58:32 +0000 Commit: Ulrich Müller <ulm@gentoo.org> CommitDate: 2022-05-07 05:58:38 +0000 app-editors/emacs: Remove 26.3-r6 Bug: https://bugs.gentoo.org/739354 Signed-off-by: Ulrich Müller <ulm@gentoo.org> app-editors/emacs/Manifest | 1 - app-editors/emacs/emacs-26.3-r6.ebuild | 376 --------------------------------- 2 files changed, 377 deletions(-)
Affected version removed. No GLSA, I suppose?
(In reply to Ulrich Müller from comment #8) > Affected version removed. > No GLSA, I suppose? Indeed, this is more a hardening/defense-in-depth feature so no GLSA, we're all done. Thanks!
