|Summary:||<net-libs/webkit-gtk-2.16.0: multiple vulnerabilities|
|Product:||Gentoo Security||Reporter:||Mart Raudsepp <leio>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Whiteboard:||B2 [glsa cve cleanup]|
|Runtime testing required:||---|
Description Mart Raudsepp 2017-04-06 20:25:17 UTC
Comment 1 Mart Raudsepp 2017-04-08 22:03:31 UTC
Arches, please proceed. Upstream claims this feature upgrade should work with GNOME 3.22 and other webkit-gtk consumers just fine, and is used as such by some other downstreams. 2.14.6 was released as well that fixes a majority of these security issues, but that was made only for the benefit of Debian (who refuses to upgrade to 2.16) and some of the security fixes were not possible to be backported by upstream in a reasonable effort, while 2.16 is fully backwards compatible. Slight testing of epiphany-3.22 and evolution-3.22 didn't blow up for me.

commit bc9d93e02a1123ebba9af1880ba1fd34f9f2b7a9
Author: Mart Raudsepp <firstname.lastname@example.org>
Date: Sun Apr 9 00:26:36 2017 +0300

net-libs/webkit-gtk: bump to 2.16.1 for 33+ security fixes

Fixes CVE-2016-9642, CVE-2016-9643, CVE-2017-2367, CVE-2017-2376, CVE-2017-2377, CVE-2017-2386, CVE-2017-2392, CVE-2017-2394, CVE-2017-2395, CVE-2017-2396, CVE-2017-2405, CVE-2017-2415, CVE-2017-2419, CVE-2017-2433, CVE-2017-2442, CVE-2017-2445, CVE-2017-2446, CVE-2017-2447, CVE-2017-2454, CVE-2017-2455, CVE-2017-2457, CVE-2017-2459, CVE-2017-2460, CVE-2017-2464, CVE-2017-2465, CVE-2017-2466, CVE-2017-2468, CVE-2017-2469, CVE-2017-2470, CVE-2017-2471, CVE-2017-2475, CVE-2017-2476, CVE-2017-2481 and further fixes for CVE-2017-2364.

Upstream says 2.16.1 fixes more security bugs than these, over 2.16.0 release, but that they didn't have CVE numbers as of yet.

Add some seemingly necessary perl build dependencies (which everyone probably had installed anyways). This perl build dep list is by no means complete. Includes preliminary patch from Kent to not start requiring perl[ithreads] for building (over perl with whatever ithreads choice), which would be disastrous for us.

Upstream has replaced gnutls with libgcrypt. The experimental API unstable DOM stuff was dropped completely (but isn't used since epiphany-3.22), while the webkit2gtkinjectedbundle-j1.patch patch in earlier version modified lines that were there for it - so hopefully -j1 MAKEOPTS building still works with that patch dropped. CREDENTIAL_STORAGE option was renamed to LIBSECRET. flex build dep seems to have been dropped and gstreamer requirement upped to 1.2.3. harfbuzz 1.3.3 is useful for it for some optional fixes, so guarantee it.

Gentoo-bug: 614876
Thanks-to: Kent Fredric <email@example.com>
Comment 2 Andreas K. Hüttel 2017-04-08 22:13:49 UTC
Adding needed newer harfbuzz to package list
Comment 3 Agostino Sarubbo 2017-04-11 15:04:21 UTC
Comment 4 Agostino Sarubbo 2017-04-17 08:04:15 UTC
x86 stable. Maintainer(s), please cleanup.
Comment 5 Mart Raudsepp 2017-04-17 08:11:38 UTC
Older webkit-gtk:4 cleaned up; as usual, vulnerable SLOT=2 and SLOT=3 cannot be cleaned up without breaking the tree due to consumers.
Comment 6 Yury German 2017-04-19 06:43:03 UTC
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
Comment 7 GLSAMaker/CVETool Bot 2017-06-07 12:11:43 UTC
This issue was resolved and addressed in GLSA 201706-15 at https://security.gentoo.org/glsa/201706-15 by GLSA coordinator Thomas Deutschmann (whissi).