Summary: | <app-editors/emacs-{26.3-r7,27.1.90,28.0.90}: Possible WebKit sandboxing patch upstream | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Auditing | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | gnu-emacs |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://debbugs.gnu.org/cgi/bugreport.cgi?bug=43071 | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 841821 | ||
Bug Blocks: |
Description
Sam James
2020-08-28 03:52:18 UTC
Thanks, I had already noticed the upstream discussion. This would affect version 26 and later. The patch looks simple enough, so I believe that backporting to existing versions shouldn't be a problem.

~/git/emacs $ git tag --contains 71661b287297f328c2c5ad67e180a760f80850cb
emacs-27.1.90
emacs-27.1.91
emacs-27.2
emacs-27.2-rc1
emacs-27.2-rc2
emacs-28.0.90
emacs-28.0.91
emacs-28.0.92

This is really just a hardening option rather than a specific vulnerability, so I don't see any reason to cleanup here, but I'll leave open for some time for other opinions.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/emacs-patches.git/commit/?id=3341de0f2c88e9e9696c7aa4c1529c13066089d0

commit 3341de0f2c88e9e9696c7aa4c1529c13066089d0
Author: Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2022-03-26 21:24:45 +0000
Commit: Ulrich Müller <ulm@gentoo.org>
CommitDate: 2022-03-26 21:24:45 +0000

26.3: Enable WebKit sandboxing

Bug: https://bugs.gentoo.org/739354
Signed-off-by: Ulrich Müller <ulm@gentoo.org>

emacs/26.3/02_all_webkit-sandbox.patch | 41 ++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66d765c893fdb716fb2166a1a67e1a451ef1ae1e

commit 66d765c893fdb716fb2166a1a67e1a451ef1ae1e
Author: Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2022-03-26 21:29:41 +0000
Commit: Ulrich Müller <ulm@gentoo.org>
CommitDate: 2022-03-26 21:34:53 +0000

app-editors/emacs: Backport WebKit sandboxing patch to slot 26

Bug: https://bugs.gentoo.org/739354
Signed-off-by: Ulrich Müller <ulm@gentoo.org>

app-editors/emacs/Manifest | 1 +
app-editors/emacs/emacs-26.3-r7.ebuild | 376 +++++++++++++++++++++++++++++++++
2 files changed, 377 insertions(+)

- I have backported the patch to slot 26 (emacs-26.3-r7).
- For slot 25, xwidgets/webkit is unconditionally disabled.
- For slot 24 and before, the functionality in question didn't exist yet.

We could either go for rapid security stabilisation of 26.3-r7 here, or I could file a normal stable request in one month from now. What do you prefer?

Normal stabilization timeline is fine by me!

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea95f0712988dd1c4747a7c2e9b43b6ea448eda3

commit ea95f0712988dd1c4747a7c2e9b43b6ea448eda3
Author: Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2022-05-07 05:58:32 +0000
Commit: Ulrich Müller <ulm@gentoo.org>
CommitDate: 2022-05-07 05:58:38 +0000

app-editors/emacs: Remove 26.3-r6

Bug: https://bugs.gentoo.org/739354
Signed-off-by: Ulrich Müller <ulm@gentoo.org>

app-editors/emacs/Manifest | 1 -
app-editors/emacs/emacs-26.3-r6.ebuild | 376 ---------------------------------
2 files changed, 377 deletions(-)

Affected version removed.
No GLSA, I suppose?

(In reply to Ulrich Müller from comment #8)
> Affected version removed.
> No GLSA, I suppose?

Indeed, this is more a hardening/defense-in-depth feature so no GLSA, we're all done. Thanks!