Summary: | <net-libs/webkit-gtk-2.26.2: multiple vulnerabilities (WSA-2019-{0005,0006}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Haelwenn (lanodan) Monnier <contact>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | major | CC: | alexander, alex_y_xu, gnome, jstein, lethbridgejason, ua_gentoo_bugzilla
Priority: | Normal | Flags: | stable-bot: sanity-check-
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://webkitgtk.org/security/WSA-2019-0005.html | |
Whiteboard: | A2 [glsa+ cve] | |
Package list: | gui-libs/libwpe-1.4.0.1, gui-libs/wpebackend-fdo-1.4.0, sys-apps/xdg-dbus-proxy-0.1.2, net-libs/webkit-gtk-2.26.2 | Runtime testing required: | ---
Bug Depends on: | 704182, 704438 | |
Bug Blocks: | 705264 | |

Description
Haelwenn (lanodan) Monnier
2019-11-02 13:12:41 UTC
https://webkitgtk.org/security/WSA-2019-0006.html adds: CVE-2019-8710, CVE-2019-8743, CVE-2019-8764, CVE-2019-8766, CVE-2019-8782, CVE-2019-8783, CVE-2019-8808, CVE-2019-8811, CVE-2019-8812, CVE-2019-8813, CVE-2019-8814, CVE-2019-8815, CVE-2019-8816, CVE-2019-8819, CVE-2019-8820, CVE-2019-8820.

The problems the bump would cause as explained in https://mail.gnome.org/archives/distributor-list/2019-October/msg00000.html need to be addressed first

*** Bug 698438 has been marked as a duplicate of this bug. ***

Well what about at least getting it under a mask explaining the issue so that there is at least a possibility for users to have a secure version (without using an overlay, like I do)?

pretty sad that this is still sitting here. even friggin debian upgraded stable to 2.26.2 on Tue, 12 Nov 2019. it's been more than 5 weeks since then and absolutely no progress here, no patched package, no package with blockers, no masked package, no bug dependency changes. if there is need to have revdeps patched for whatever reason, then fine, get that done. it's unbefitting to sit around and wait for them to be exploited.

Created attachment 600536
webkit-gtk-2.26.2 with Evolution and Geary compatibility patch

Here's my solution to the bug. I've been using it in a local overlay for quite some time now. Adds webkit-gtk-2.26.2 with an 'evo' useflag. When it's enabled, the patch Gnome put out to maintain compatibility with older versions of Evolution and Geary will be applied (https://mail.gnome.org/archives/distributor-list/2019-October/txtjJmNLXFcOQ.txt). The Evolution or Geary ebuilds will force this useflag on but if you have no interest in either mail client then you can disable the useflag and the patch won't be applied.

First time I've attempted a patch against the main Gentoo repository so I apologize in advance if I haven't followed proper procedure.

Tested on an amd64 machine

Signed-off-by: Jason Lethbridge <lethbridgejason@gmail.com>

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a846e963e87ae6a37a037c447326831d003ad9b

commit 0a846e963e87ae6a37a037c447326831d003ad9b
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-12-29 13:50:40 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-12-29 14:39:13 +0000

    mail-client/evolution: make compatible with webkit-gtk-2.26

    Bug: https://bugs.gentoo.org/699156
    Package-Manager: Portage-2.3.79, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 mail-client/evolution/evolution-3.32.5-r1.ebuild | 155 +++++++++++++++++++++
 .../files/3.32.5-webkitgtk-2.26-compat.patch | 26 ++++
 2 files changed, 181 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24be9040864532714aeeb3b5b35d73e7aa03db33

commit 24be9040864532714aeeb3b5b35d73e7aa03db33
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-12-29 12:24:02 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-12-29 14:34:44 +0000

    net-libs/webkit-gtk: security bump to 2.26.2

    * Add unconditional sandboxing support, if available for the arch.
    * Switch IUSE=gles2 to IUSE=gles2-only, as it is an alternative to USE=opengl, not a co-existing one.
    * USE=wayland now requires wpebackend-fdo and co for accelerated compositing under wayland, if opengl is enabled.
    * Re-enable IUSE=+jumbo-build for unified source builds - it was unconditionally enabled before, but with 2.26 disabling it finally seems to work. Disabling it seems to result in a 2MB larger library and over twice the compile time, but it may be crucial to low RAM systems to be able to even build webkit-gtk at all.
    * gtk2 plugin process is now dropped upstream - no more adobe-flash support.
    * geoclue is a runtime-only depend now (dbus interface).
    * GCC/clang checks updated to the best of my understanding.
    * Added ruby:2.7 support for the build-time depend on it.

    Bug: https://bugs.gentoo.org/699156
    Package-Manager: Portage-2.3.79, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest | 1 +
 net-libs/webkit-gtk/metadata.xml | 2 +
 net-libs/webkit-gtk/webkit-gtk-2.26.2.ebuild | 301 +++++++++++++++++++++++++++
 profiles/base/package.use.force | 1 +
 4 files changed, 305 insertions(+)

The stable target is 2.26.2, it may fix various other security bugs than originally reported here for 2.26.0.
Basically WSA-2019-0006 is out by now as well: https://webkitgtk.org/security/WSA-2019-0006.html
That includes security bugs that are fixed by 2.26.1 and 2.26.2

amd64 stable

x86 stable

https://webkitgtk.org/security/WSA-2020-0001.html
Came out ~today, I guess it should be filed in another ticket?

An automated check of this bug failed - the following atom is unknown:

net-libs/webkit-gtk-2.26.2

Please verify the atom list.

2.26.4 stable on arm64

cleanup can't be done due to pending keywording bug 704182

Added to an existing GLSA.

This issue was resolved and addressed in GLSA 202003-22 at https://security.gentoo.org/glsa/202003-22 by GLSA coordinator Thomas Deutschmann (whissi).

Reopening because cleanup was not completed.

Unable to check for sanity:
> no match for package: net-libs/webkit-gtk-2.26.2

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5006f73937044695f6a1317de58ef80d12b19b7a

commit 5006f73937044695f6a1317de58ef80d12b19b7a
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-07-19 05:58:49 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-07-19 05:59:37 +0000

    net-libs/webkit-gtk: remove old

    Bug: https://bugs.gentoo.org/699156
    Bug: https://bugs.gentoo.org/712260
    Bug: https://bugs.gentoo.org/732104
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest | 3 -
 .../files/2.26.2-fix-arm-non-unified-build.patch | 27 --
 net-libs/webkit-gtk/files/2.26.3-fix-gtk-doc.patch | 27 --
 .../webkit-gtk/files/2.28.2-fix-ppc64-JSC.patch | 59 -----
 .../files/2.28.2-fix-yelp-desktopless-build.patch | 53 ----
 .../files/2.28.2-use-gst-audiointerleave.patch | 55 ----
 .../files/webkit-gtk-2.24.4-icu-65.patch | 53 ----
 net-libs/webkit-gtk/metadata.xml | 4 -
 net-libs/webkit-gtk/webkit-gtk-2.24.4.ebuild | 283 --------------------
 net-libs/webkit-gtk/webkit-gtk-2.26.4-r1.ebuild | 286 --------------------
 net-libs/webkit-gtk/webkit-gtk-2.28.2.ebuild | 293 ---------------------
 11 files changed, 1143 deletions(-)

All done, thanks. Closing.