
Bug 699156 (CVE-2019-8625, CVE-2019-8674, CVE-2019-8707, CVE-2019-8710, CVE-2019-8719, CVE-2019-8720, CVE-2019-8726, CVE-2019-8733, CVE-2019-8735, CVE-2019-8743, CVE-2019-8763, CVE-2019-8764, CVE-2019-8765, CVE-2019-8766, CVE-2019-8768, CVE-2019-8769, CVE-2019-8771, CVE-2019-8782, CVE-2019-8783, CVE-2019-8808, CVE-2019-8811, CVE-2019-8812, CVE-2019-8813, CVE-2019-8814, CVE-2019-8815, CVE-2019-8816, CVE-2019-8819, CVE-2019-8820, CVE-2019-8821, CVE-2019-8822, CVE-2019-8823, WSA-2019-0005, WSA-2019-0006)

Summary: <net-libs/webkit-gtk-2.26.2: multiple vulnerabilities (WSA-2019-{0005,0006})
Product: Gentoo Security
Reporter: Haelwenn Monnier <contact>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: normal
CC: alexander, alex_y_xu, arm64, gnome, jstein, lethbridgejason, ua_gentoo_bugzilla
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Flags: stable-bot: sanity-check-
Hardware: All
OS: Linux
URL: https://webkitgtk.org/security/WSA-2019-0005.html
Whiteboard: A2 [stable cve]
Package list:
gui-libs/libwpe-1.4.0.1 gui-libs/wpebackend-fdo-1.4.0 sys-apps/xdg-dbus-proxy-0.1.2 net-libs/webkit-gtk-2.26.2
Runtime testing required: ---
Bug Depends on: 704182, 704438    
Bug Blocks: 705264    
Attachments:
webkit-gtk-2.26.2 with Evolution and Geary compatibility patch (flags: none)

Description Haelwenn Monnier 2019-11-02 13:12:41 UTC
Listed in the title are the security vulnerabilities which affect webkit-gtk before 2.26.0 as the current version in the tree is 2.24.4 and they are unpatched.

Reproducible: Always
Comment 1 Haelwenn Monnier 2019-11-10 08:22:21 UTC
https://webkitgtk.org/security/WSA-2019-0006.html adds: CVE-2019-8710, CVE-2019-8743, CVE-2019-8764, CVE-2019-8766, CVE-2019-8782, CVE-2019-8783, CVE-2019-8808, CVE-2019-8811, CVE-2019-8812, CVE-2019-8813, CVE-2019-8814, CVE-2019-8815, CVE-2019-8816, CVE-2019-8819, CVE-2019-8820, CVE-2019-8820.
Comment 2 Mart Raudsepp gentoo-dev 2019-11-17 19:34:26 UTC
The problems the bump would cause, as explained in https://mail.gnome.org/archives/distributor-list/2019-October/msg00000.html, need to be addressed first.
Comment 3 Mart Raudsepp gentoo-dev 2019-11-17 22:08:54 UTC
*** Bug 698438 has been marked as a duplicate of this bug. ***
Comment 4 Haelwenn Monnier 2019-11-18 04:50:11 UTC
Well what about at least getting it under a mask explaining the issue so that there is at least a possibility for users to have a secure version (without using an overlay, like I do)?
Comment 5 Alex Xu (Hello71) 2019-12-21 04:32:24 UTC
pretty sad that this is still sitting here. even friggin debian upgraded stable to 2.26.2 on Tue, 12 Nov 2019. it's been more than 5 weeks since then and absolutely no progress here, no patched package, no package with blockers, no masked package, no bug dependency changes. if there is need to have revdeps patched for whatever reason, then fine, get that done. it's unbefitting to sit around and wait for them to be exploited.
Comment 6 Jason Lethbridge 2019-12-23 14:33:38 UTC
Created attachment 600536
webkit-gtk-2.26.2 with Evolution and Geary compatibility patch

Here's my solution to the bug. I've been using it in a local overlay for quite some time now.

Adds webkit-gtk-2.26.2 with an 'evo' useflag. When it's enabled, the patch Gnome put out to maintain compatibility with older versions of Evolution and Geary will be applied (https://mail.gnome.org/archives/distributor-list/2019-October/txtjJmNLXFcOQ.txt). The Evolution or Geary ebuilds will force this useflag on, but if you have no interest in either mail client then you can disable the useflag and the patch won't be applied.

First time I've attempted a patch against the main Gentoo repository so I apologize in advance if I haven't followed proper procedure.

Tested on an amd64 machine

Signed-off-by: Jason Lethbridge <lethbridgejason@gmail.com>
Comment 7 Larry the Git Cow gentoo-dev 2019-12-29 14:45:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a846e963e87ae6a37a037c447326831d003ad9b

commit 0a846e963e87ae6a37a037c447326831d003ad9b
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-12-29 13:50:40 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-12-29 14:39:13 +0000

    mail-client/evolution: make compatible with webkit-gtk-2.26
    
    Bug: https://bugs.gentoo.org/699156
    Package-Manager: Portage-2.3.79, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 mail-client/evolution/evolution-3.32.5-r1.ebuild   | 155 +++++++++++++++++++++
 .../files/3.32.5-webkitgtk-2.26-compat.patch       |  26 ++++
 2 files changed, 181 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24be9040864532714aeeb3b5b35d73e7aa03db33

commit 24be9040864532714aeeb3b5b35d73e7aa03db33
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-12-29 12:24:02 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-12-29 14:34:44 +0000

    net-libs/webkit-gtk: security bump to 2.26.2
    
    * Add unconditional sandboxing support, if available for the arch.
    * Switch IUSE=gles2 to IUSE=gles2-only, as it is an alternative to
      USE=opengl, not a co-existing one.
    * USE=wayland now requires wpebackend-fdo and co for
      accelerated compositing under wayland, if opengl is enabled.
    * Re-enable IUSE=+jumbo-build for unified source builds - it was
      unconditionally enabled before, but with 2.26 disabling it
      finally seems to work. Disabling it seems to result in a 2MB
      larger library and over twice the compile time, but it may be
      crucial to low RAM systems to be able to even build webkit-gtk
      at all.
    * gtk2 plugin process is now dropped upstream - no more
      adobe-flash support.
    * geoclue is a runtime-only depend now (dbus interface).
    * GCC/clang checks updated to the best of my understanding.
    * Added ruby:2.7 support for the build-time depend on it.
    
    Bug: https://bugs.gentoo.org/699156
    Package-Manager: Portage-2.3.79, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/webkit-gtk/Manifest                 |   1 +
 net-libs/webkit-gtk/metadata.xml             |   2 +
 net-libs/webkit-gtk/webkit-gtk-2.26.2.ebuild | 301 +++++++++++++++++++++++++++
 profiles/base/package.use.force              |   1 +
 4 files changed, 305 insertions(+)
Comment 8 Mart Raudsepp gentoo-dev 2019-12-29 14:58:40 UTC
The stable target is 2.26.2, it may fix various other security bugs than originally reported here for 2.26.0.
Basically WSA-2019-0006 is out by now as well: https://webkitgtk.org/security/WSA-2019-0006.html
That includes security bugs that are fixed by 2.26.1 and 2.26.2
Comment 9 Agostino Sarubbo gentoo-dev 2019-12-30 15:19:22 UTC
amd64 stable
Comment 10 Thomas Deutschmann gentoo-dev Security 2020-01-10 01:47:29 UTC
x86 stable
Comment 11 Haelwenn Monnier 2020-01-24 02:21:44 UTC
https://webkitgtk.org/security/WSA-2020-0001.html Came out ~today, I guess it should be filed in another ticket?
Comment 12 Stabilization helper bot gentoo-dev 2020-02-06 10:01:28 UTC
An automated check of this bug failed - the following atom is unknown:

net-libs/webkit-gtk-2.26.2

Please verify the atom list.