Bug 584156 - app-editors/emacs-vcs:25[xwidgets] depends on old and vulnerable net-libs/webkit-gtk:3
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: GNU Emacs project
Keywords: UPSTREAM
Blocks: CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727, CVE-2016-1728
Reported: 2016-05-26 08:52 UTC by Pacho Ramos
Modified: 2017-02-04 16:37 UTC
Description Pacho Ramos gentoo-dev 2016-05-26 08:52:56 UTC
Some old versions still rely on obsolete and vulnerable webkit-gtk slots. It would be nice to treeclean them then.

Thanks!
Comment 1 Ulrich Müller gentoo-dev 2016-05-26 10:20:48 UTC
What versions exactly should be dropped? Note that the latest Emacs 25 release candidate still has the following in its configure.ac:

  WEBKIT_REQUIRED=1.4.0
  WEBKIT_MODULES="webkitgtk-3.0 >= $WEBKIT_REQUIRED"
  EMACS_CHECK_MODULES([WEBKIT], [$WEBKIT_MODULES])

Also, it won't compile with 4.0.

If this should be updated then please report it upstream.
Comment 2 Ulrich Müller gentoo-dev 2016-05-26 11:49:55 UTC
(In reply to Ulrich Müller from comment #1)
> Also, it won't compile with 4.0.

To clarify, after manually updating the configure test, compilation with net-libs/webkit-gtk-2.10.9:4 fails because of missing include files.

> If this should be updated then please report it upstream.
Comment 3 Ulrich Müller gentoo-dev 2016-05-28 09:10:17 UTC
I have brought this up in the emacs-devel mailing list:
https://lists.gnu.org/archive/html/emacs-devel/2016-05/msg00630.html
Comment 4 Pacho Ramos gentoo-dev 2016-05-28 10:02:51 UTC
Well, the offending versions are:
emacs-vcs-25.0.92.ebuild:				net-libs/webkit-gtk:3=
emacs-vcs-25.0.93.ebuild:				net-libs/webkit-gtk:3=
emacs-vcs-25.0.94.ebuild:				net-libs/webkit-gtk:3=
emacs-vcs-25.0.9999-r2.ebuild:				net-libs/webkit-gtk:3=
emacs-vcs-25.1.9999-r1.ebuild:				net-libs/webkit-gtk:3=

As I thought that the latest version wasn't ever requiring webkit-gtk, I thought that maybe dropping the old versions would be enough... but it seems that it cannot be done as the older versions are needed :S

In that case reporting to upstream will be enough as they will hit this problem more strongly in two months when major distributions like Fedora and Debian plan to kill the old webkit-gtk slots :/

Thanks :)
Comment 5 Ulrich Müller gentoo-dev 2017-02-04 16:20:49 UTC
I have package.use.masked the dependency in the base profile:
 
+# Ulrich Müller <ulm@gentoo.org> (4 Feb 2017)
+# Uses old and vulnerable net-libs/webkit-gtk:3, bug #584156.
+app-editors/emacs:25 xwidgets
+app-editors/emacs-vcs:25 xwidgets
+
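Review bot: the comment above the two mask entries gives the reason and the bug number but no condition for lifting the mask. Since both atoms are pinned to slot :25, consider adding a line saying the entries can be dropped once no :25 ebuild depends on net-libs/webkit-gtk:3 any more, so a later profile cleanup has something to check against.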

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4241b24104cc5a40814676d7ddf1c102223f6624
Comment 6 Ulrich Müller gentoo-dev 2017-02-04 16:37:05 UTC
Also this is fixed upstream, so Emacs 26 will use the WebKit2 API:
http://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d781662873f228b110a128f7a2b6583a4d5e0a3a
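
The check behind comments 4 and 5, as an added example that is not part of the bug thread or of Portage: find dependencies on net-libs/webkit-gtk:3, work out which USE flags guard them, and test them against the package.use.mask entries quoted in comment 5. Assumptions: parsing is simplified (no versioned atoms in the mask file, "-flag" unmask entries ignored), the dependency strings are constructed, and app-editors/example is a hypothetical package.

```python
import re
# Dependency atom on the vulnerable slot, e.g. "net-libs/webkit-gtk:3=".
BAD_ATOM = re.compile(r"^[<>=~]*net-libs/webkit-gtk(-[0-9][^:]*)?:3\b")

def guarding_flags(depend):
    """For each BAD_ATOM hit, return the USE flags that must be on to pull it in."""
    stack, hits, prev = [], [], None
    for tok in depend.split():
        if tok == "(":  # group opened by "flag?", "!flag?" or "||"
            stack.append(prev[:-1] if prev and prev.endswith("?") else None)
        elif tok == ")":
            stack.pop()
        elif BAD_ATOM.match(tok):
            # "!flag?" groups apply when the flag is off, so a mask cannot help.
            hits.append(tuple(f for f in stack if f and not f.startswith("!")))
        prev = tok
    return hits

def parse_use_mask(text):
    """Return {(pkg, slot, flag)}; slot "" means the entry covers every slot."""
    masked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            pkg, _, slot = fields[0].partition(":")
            masked.update((pkg, slot, f) for f in fields[1:] if not f.startswith("-"))
    return masked

def classify(pkg, slot, depend, masked):
    hits = guarding_flags(depend)
    covered = [any((pkg, s, f) in masked for f in h for s in (slot, "")) for h in hits]
    return "clean" if not hits else "masked" if all(covered) else "exposed"

USE_MASK = """\
# Uses old and vulnerable net-libs/webkit-gtk:3, bug #584156.
app-editors/emacs:25 xwidgets
app-editors/emacs-vcs:25 xwidgets
"""
# Constructed dependency strings; app-editors/example is a hypothetical package.
SAMPLES = [
    ("app-editors/emacs-vcs", "25", "gtk? ( x11-libs/gtk+:3 xwidgets? ( net-libs/webkit-gtk:3= ) )"),
    ("app-editors/emacs-vcs", "26", "xwidgets? ( net-libs/webkit-gtk:4= )"),
    ("app-editors/example", "0", "|| ( net-libs/webkit-gtk:3 net-libs/webkit-gtk:4 )"),
]

def report(samples=SAMPLES, mask_text=USE_MASK):
    masked = parse_use_mask(mask_text)
    return {f"{p}:{s}": classify(p, s, d, masked) for p, s, d in samples}
```

A result of "exposed" means the vulnerable slot can still be pulled in with no masked flag in the way, which is the case a USE mask alone does not address.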