Bug 627554

Summary: net-misc/icaclient: still depends on net-libs/webkit-gtk:2
Product: Gentoo Linux
Reporter: Andrea De Pasquale <depasquale.andrea>
Component: Current packages
Assignee: Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c>
Status: RESOLVED FIXED
Severity: normal
CC: helmut, leio, polynomial-c
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=591816
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 577068

Description Andrea De Pasquale 2017-08-11 16:44:35 UTC
icaclient-13.6.0.10243651.ebuild contains RDEPEND="net-libs/webkit-gtk:2"

glsa-check reports net-libs/webkit-gtk-2.4.11-r200:2 as having multiple vulnerabilities (GLSA 201706-15 https://security.gentoo.org/glsa/201706-15)

I tried to change RDEPEND to use latest net-libs/webkit-gtk:4 and it works just fine.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-11 17:06:04 UTC

https://github.com/gentoo/gentoo/pull/5391

for the ebuild updates

Thanks,

Gentoo Security Padawan
ChrisADR
Comment 2 Mart Raudsepp gentoo-dev 2017-08-12 03:40:22 UTC
There is no way webkit-gtk:4 can be correct, as there is a gtk+:2 dependency, not a gtk+:3 dependency. Either that is wrong too, or it just happens to work due to webkit-gtk:2 being optional in the binary, as already concluded in bug 580974 and 579722. The selfservice component won't work without webkit-gtk:2 or something; it also won't work with webkit-gtk:4, as you can't mix webkit-gtk:4 and gtk+:2.
Comment 3 Mart Raudsepp gentoo-dev 2017-08-13 09:02:00 UTC
Why is this a security@ bug btw? webkit-gtk:2 cleanup is already tracked in bug 577068 by security@
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-13 16:46:13 UTC
(In reply to Mart Raudsepp from comment #3)
> Why is this a security@ bug btw? webkit-gtk:2 cleanup is already tracked in
> bug 577068 by security@

Indeed, the cleanup is being tracked in bug 577068 and I'm adding this report to the list.

The main reason is that the ebuild contains a vulnerable RDEP (even if it is optional for most of the users). This means that we need to either inform the users that they are installing a package with vulnerable RDEPS or remove that additional feature from the ebuild in order to have a vulnerability-free package.

Thanks,

Gentoo Security Padawan
ChrisADR
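
The situation comment 4 describes, a runtime dependency on a GLSA-affected slot that may or may not be optional, can be checked mechanically. The following is an added example, not part of the bug report or of Portage: it parses an ebuild's RDEPEND and reports atoms in an affected slot together with the USE conditions guarding them. The ebuild snippets and the `selfservice` USE flag are constructed for illustration.

```python
import re

# Gentoo atom: [operator]category/package[-version][:slot[/subslot]][=][use-deps]
ATOM = re.compile(
    r"^[<>=~!]*(?P<cp>[\w+.-]+/[\w+.-]+?)"
    r"(?:-\d[\w.]*(?:-r\d+)?\*?)?"
    r"(?::(?P<slot>[\w.+-]+)(?:/[\w.+-]+)?=?)?"
    r"(?:\[[^\]]*\])?$"
)

def rdepend_atoms(ebuild_text):
    """Return (category/package, slot, use_conditions) for each RDEPEND atom."""
    m = re.search(r'^RDEPEND="(.*?)"', ebuild_text, re.S | re.M)
    if not m:
        return []
    out, stack, pending = [], [], None
    for tok in m.group(1).split():
        if tok.endswith("?"):        # USE conditional, e.g. "flag?"
            pending = tok[:-1]
        elif tok == "||":            # any-of group
            pending = "||"
        elif tok == "(":
            stack.append(pending)
            pending = None
        elif tok == ")":
            if stack:
                stack.pop()
        else:
            a = ATOM.match(tok)
            if a:
                conds = tuple(c for c in stack if c)
                out.append((a["cp"], a["slot"], conds))
    return out

def vulnerable_deps(ebuild_text, affected):
    """Atoms whose category/package:slot is in `affected`, with their guards."""
    return [(f"{cp}:{slot}", conds)
            for cp, slot, conds in rdepend_atoms(ebuild_text)
            if f"{cp}:{slot}" in affected]

# Slot reported by glsa-check in the description (GLSA 201706-15).
AFFECTED = {"net-libs/webkit-gtk:2"}

# Constructed ebuild fragments, not the real icaclient ebuild.
UNCONDITIONAL = 'EAPI=6\nRDEPEND="x11-libs/gtk+:2\n\tnet-libs/webkit-gtk:2"\n'
OPTIONAL = ('EAPI=6\nRDEPEND="x11-libs/gtk+:2\n'
            '\tselfservice? ( >=net-libs/webkit-gtk-2.4.11-r200:2 )"\n')

if __name__ == "__main__":
    for name, text in (("unconditional", UNCONDITIONAL), ("optional", OPTIONAL)):
        for atom, conds in vulnerable_deps(text, AFFECTED):
            print(name, atom, "guarded by " + ",".join(conds) if conds else "always pulled in")
```

An empty condition tuple means every user installing the package gets the affected slot; a non-empty one names the flags that pull it in.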
Comment 5 Pacho Ramos gentoo-dev 2017-12-03 14:46:14 UTC
This would also indicate this can work without webkit-gtk
https://forums.fedoraforum.org/showthread.php?316157-Citrix-Receiver-(ICAClient)-in-Fedora-27
Comment 6 Mart Raudsepp gentoo-dev 2017-12-05 10:45:35 UTC
Yes, it will work fine without webkit-gtk. But probably not the selfservice component.
That Fedora thread still can't possibly be right about webkit-gtk:4 being useful for it.
Maybe just please remove the dependency, if the main functionality then still works, and deal with any fallout (from unusable selfservice component if so, or anything else) by pointing reporters to complain to the binary package upstream.
Comment 7 Pacho Ramos gentoo-dev 2018-02-13 13:42:18 UTC
This was fixed one month ago and old versions removed.